Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

January 20, 2015

Opportunistic “Information” on Sony Hack

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:31 am

Why the US was so sure North Korea hacked Sony: it had a front-row seat by Lisa Vaas.

From the post:

We may finally know why the US was so confident about identifying North Korea’s hand in the Sony attack: it turns out the NSA had front-row seats to the cyber carnage, having infiltrated computers and networks of the country’s hackers years ago.

According to the New York Times, a recently released top-secret document traces the NSA’s infiltration back to 2010, when it piggybacked on South Korean “implants” on North Korea’s networks and “sucked back the data”.

The NSA didn’t find North Korea all that interesting, but that attitude changed as time went on, in part because the agency managed to intercept and repurpose a 0-day exploit – a “big win,” according to the document.

Stories like this one make me wonder whether anyone follows the hyperlinks embedded in posts.

The document, http://www.spiegel.de/media/media-35679.pdf, is a collection of war stories, one of which answers the question:

Is there “fifth party” collection?

“Fourth party collection” refers to passively or actively obtaining data from some other actor’s CNE activity against a target. Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two’s CNE activity against a target that NSA, Actor One, and Actor Two all care about?

The response:

Yes. There was a project that I was working last year with regard to the South Korean CNE program. While we weren’t super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them. At that point, our access to NK was next to nothing but we were able to make some inroads into the SK CNE program. We found a few instances where there were NK officials with SK implants in their boxes, so we got on the exfil points, and sucked back the data. That’s fourth party. (TS//SI//REL)

However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you don’t want to rely on an untrusted actor to do your work for you.) But some of the work that was done there was to help us gain access. (TS//SI//REL)

I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized another actor was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win. (TS//SI//REL)

But they were all still referred to as a fourth party.

Origin: The document appears on the Free Snowden site under the title: ‘4th Party Collection’: Taking Advantage of Non-Partner Computer Network Exploitation Activity

Analysis:

There are a couple of claims in Lisa’s account that are easy to dismiss on the basis of the document itself:

Lisa says:

The NSA didn’t find North Korea all that interesting, but that attitude changed as time went on, in part because the agency managed to intercept and repurpose a 0-day exploit – a “big win,” according to the document.

Assuming that SK = South Korea and NK = North Korea, the document reports:

While we weren’t super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them. (Emphasis added)

I read that to say we weren’t “super interested” in South Korea until South Korea started targeting us more. Does anyone have an English reading of that to a different conclusion?

Lisa also says that:

The NSA didn’t find North Korea all that interesting, but that attitude changed as time went on, in part because the agency managed to intercept and repurpose a 0-day exploit – a “big win,” according to the document.

The war story in question has already concluded its South Korea and North Korea account when it continues:

I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized another actor was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win. (TS//SI//REL) But they were all still referred to as a fourth party. (emphasis added)

The “I know of another instance” signals to most readers a change in the narrative: a different account begins, separate from the one just concluded. In this second instance only “actor” is used, and there is no intimation that North Korea is one of those actors. It could certainly be, but there is no apparent connection between the two accounts.

Moreover, there is nothing in the war story to indicate that a permanent monitoring presence was established in any network, capable of the sort of monitoring that Lisa characterizes as having “a front-row seat.”

Summary:

The leaking of this document is an attempt to exploit uncertainty about government claims concerning the Sony hack.

The document does not establish that the NSA recovered data from North Korean networks itself; it says only that there were “…NK officials with SK implants in their boxes, so we got on the exfil points, and sucked back the data.”

Moreover, the document establishes that South Korea conducts CNE operations against the United States and is considered “…an untrusted actor….”

The zero-day exploit may have been used against North Korea; anything is possible. But this document gives no basis for concluding that it was.

Finally, this document does not establish any basis for concluding that the United States had achieved a network monitoring capability on North Korean CNE networks or operations.

It is bad enough the United States government keeps inventing specious claims about the Sony hack. Let’s not assist it by manufacturing even less likely accounts.
