WASHINGTON--The F.B.I. on Friday said it had extensive evidence that the North Korean government organized the cyberattack that debilitated Sony Pictures computers, marking the first time the United States has explicitly accused the leaders of a foreign nation of deliberately damaging American targets.

The bureau said that there were significant “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” to previous attacks by the North Koreans. It also said that there were classified elements of the evidence against the North that it could not reveal.

“The F.B.I. also observed significant overlap between the infrastructure used in this attack and other malicious cyberactivity the U.S. government has previously linked directly to North Korea,” the bureau said. “For example, the F.B.I. discovered that several Internet protocol addresses associated with known North Korean infrastructure communicated with I.P. addresses that were hardcoded into the data deletion malware used in this attack.”

The F.B.I. said that some of the methods employed in the Sony attack were similar to ones that were used by the North Koreans against South Korean banks and news media outlets in 2013.

“We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there,” the F.B.I. said.

It added: “Though the F.B.I. has seen a wide variety and increasing number of cyberintrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior.”

Sony this week dropped its plans for the release of “The Interview,” a movie that depicts the assassination of the North Korean leader, Kim Jong-un, after threats were made against the theater companies that intended to show it.

The F.B.I.'s announcement was carefully coordinated with the White House and reflected the intensity of the investigation; just a week ago a senior F.B.I. official said he could not say whether North Korea was responsible. But it also puts new pressure on President Obama on how to respond. Administration officials note that the White House has now described the action against Sony as an “attack,” as opposed to mere theft of intellectual property, and that suggests that Mr. Obama is now looking for a government response, rather than a corporate one.

The F.B.I.'s statements “are based on intelligence sources and other conclusive evidence,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Now the U.S. has to figure out the best way to respond and how much risk they want to take. It’s important that whatever they say publicly signals to anyone considering something similar that they will be handled much more roughly. The North Koreans are crazy, and they have nuclear weapons, and the U.S. response needs to be sensitive. That is not true for others in the world.”

North Korea has been under extraordinary economic sanctions for decades, and it has done nothing to curb either its nuclear program or these cyberattacks. A military response seems unlikely, the White House said on Thursday that it was examining options for a “proportional response,” and that would seem to rule out conventional military options.

Some of the evidence has been developed from “implants” that the National Security Agency has placed in networks around the world. But North Korea has proved to be a particularly hard target, because it has relatively low Internet connectivity to the rest of the world, and its best computer minds do not move out of the country often, where their machines and USB drives could be accessible targets.

“Suffice it to say,” one senior intelligence official said this week, “that we almost never name a suspect country. So when we do, it’s got to be based on something fairly strong.”

Private security researchers who specialize in attributing attacks said that the government’s conclusions matched their own findings. George Kurtz, a founder of CrowdStrike, a California-based security firm, said that his company had been studying public samples of the Sony malware and had linked them to hackers inside North Korea, the firm internally refers to them as Silent Chollima, who have been conducting attacks since 2006.

As the F.B.I. pointed out, the attacks at Sony share similarities with a similar series of destructive attacks last year on South Korean banks and broadcasters, and they used the same data-wiping tool that Iranian hackers used to destroy data on 30,000 computers at Saudi Aramco in 2012, according to forensics researchers.

In 2009, a similar campaign of coordinated cyberattacks over the Fourth of July holiday hit 27 American and South Korean websites, including those of South Korea’s presidential palace, called the Blue House, and its Defense Ministry, and sites belonging to the United States Treasury Department, the Secret Service and the Federal Trade Commission. North Korea was suspected, but a clear link was never established.

But those were all “distributed denial of service” attacks, in which attackers flood the sites with traffic until they fall offline. The Sony attack was far more sophisticated: It wiped data off Sony’s computer systems, rendering them inoperable.

“The cyberattack against Sony Pictures Entertainment was not just an attack against a company and its employees,” Jeh C. Johnson, the secretary of the Department of Homeland Security, said in a statement. “It was also an attack on our freedom of expression and way of life.”

Mr. Johnson said the attacks underscored the importance of taking measures “to rapidly detect cyberintrusions and promote resilience throughout all of our networks.”

“Every C.E.O. should take this opportunity to assess their company’s cybersecurity,” he added. (Source: The New York Times)

Story Date: December 20, 2014