A program implemented by the National Security Agency to help the U.S. and its allies track the computers and networks used by North Korean hackers was critical in gathering information that led Washington to conclude Pyongyang was behind last year's cyberattack on Sony Pictures.
The New York Times reported late Sunday that the NSA began placing malware in North Korean systems in 2010. Originally, the purpose of the surveillance was to gain insight into North Korea's nuclear program, but the focus shifted after a large cyberattack on South Korean banks and media companies in 2013.
In the case of the Sony Pictures hack, which knocked nearly the company's entire system offline, investigators believe that the North had stolen the "credentials" of a Sony systems administrator, which enabled them to spend two months familiarizing themselves with Sony's network and plotting how to destroy files, computers, and systems. The attacks themselves, which Sony first reported to the FBI Nov. 24, are widely considered to be in retaliation for the release of "The Interview," a comedy that features an assassination attempt against Kim Jong Un. Pyongyang has repeatedly denied any involvement in the Sony hack.
Skeptics have cast doubt on the official story that North Korea was behind the Sony hack, with many suggesting a disgruntled current or former Sony employee was responsible. Earlier this month, FBI director James Comey said U.S. investigators were able to trace emails and Internet posts sent by the Guardians of Peace, the group behind the attack, and link them to North Korea.
Comey said most of the time, the group sent emails threatening Sony employees and made various other statements online using proxy servers to disguise where the messages were coming from. But on occasion, he said, they connected "directly," enabling investigators to "see that the IP addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans."
A senior military official told The Times that the evidence against North Korea that was presented to President Barack Obama was so compelling that he "had no doubt" the Communist regime was responsible. The White House has imposed new economic sanctions against North Korea as a response to the cyberattack.
The Times report quotes a North Korean defector as saying that country's military first displayed interest in hacking in 1994, when it sent 15 people to a Chinese military academy to learn the practice. Two years later, the Reconnaissance General Bureau, Pyongyang's primary intelligence service, created Bureau 121, a hacking unit that has a substantial representation in the northeast Chinese city of Shenyang.
South Korea's military claims that the North has a staff of 6,000 hackers dedicated to disrupting the South's military and government. That estimate is more than double an earlier projection made by that country's Defense Ministry.