If IPs Are So Solid, Why Won’t FBI Tell Us How Many Americans Get Sucked Up in Section 702?

By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators, as Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.

That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.

But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community are so certain North Korea, the country, did the Sony hack.

Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).

You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”

(See Errata for some nuance about that claim.)

Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.

We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.

Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.

Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.

The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.

And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.

That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]

Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based on anything but a (US based) phone number is too onerous for the Bureau.

IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.

Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.

But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.

This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:

“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”

The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.

He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.

However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).

I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.

Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.

Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.

But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?

8 replies
  1. Saul Tannenbaum says:

    The “as you know from watching Silence of the Lambs” was a nice touch. I mean, if Hollywood portrays it, it has to be true, right? Me, I’d invoke The Following, the unbelievably atrocious TV show that portrays the FBI as being utterly bamboozled by an imprisoned literature professor who has somehow managed to build a national network of fanatical supporters under the noses of the FBI.

    More seriously, given what we’ve learned from Edward Snowden, I’d be deeply disappointed if we somehow hadn’t compromised all the key hardware that compromises the North Korean internet backbone. Packet traces from inside North Korea would be a good start in convincing me that this was, in fact, a North Korean hack.

    • emptywheel says:

      You liked the Silence of the Lambs reference? Me too. Nice touch, not at all heavy handed.

      I assume we have something LIKE packet traces.

  2. Rayne says:

    Debated whether to post something since I first read Comey’s claim about the North Korean IP addresses — the point about IP addresses probably needs simplification for non-technical readers.

    IP addresses can be “spoofed,” meaning faked. They are assigned, like phone numbers, and can be changed just like phone numbers. The possibility of IP spoofing affecting network mapping has been discussed before here, as has MAC address spoofing.

    “Sloppy work,” meaning exposed IP addresses, can just as likely be deliberate tradecraft pointing to a whipping boy instead of the actual hacker.

    What’s interesting is the avoidance of these possibilities, as if the infosec community can’t see the same flaws in FBI statements to date. This leads me to believe different scenarios are likely:

    — The PHYSICAL address, associated with a MAC address, has been determined using a tool like NSA’s TREASURE MAP, and the FBI is not going to disclose this capability. MAC addresses can be spoofed, too, but they are less likely to be spoofed than IP addresses.

    … -OR- …

    — North Korea is a sin-eater, designated to take the drubbing for another player more likely to act out if blamed directly for the Sony hacking. If North Korea’s leadership and military are in truth unable to respond adequately, they can be used as a whipping boy while allowing the actual attacking nation-state to remain concealed.

    In either case, we’re unlikely to get a straight answer from FBI or other US agency as to what they really know.

    But just as it’s difficult to place validated blame on a nation-state thanks to the continuing fuzzy explanations offered to date, it’s difficult to see how the public should continue to believe anything the FBI and other US intelligence agencies have to say about surveillance using IP addresses and other data given their inability to be square with the public as demanded.

    • jerryy says:

      I vote for your ‘sin eater’ idea.
      NK only recently got onto the internet (back around 2008 – 2010 or so) as I recall. The entire country actually got completely knocked offline by some folks here a few weeks back showing you how stable their IT state is — not at all. So while Sony had a defense set up that would lose to a wounded gerbil, it seems odd that NK would be able to field this stellar crew that could swipe that much data into that unstable a connection and only ‘get sloppy’.
      It seems Mr. Comey likes to use movie metaphors, but real life hacking and cracking are nothing like what you see in the movies. Someone just does not sit down in front of a terminal, twiddle their fingers and automagically open the way into a network. A lot of this type of work is actually scripted (they call ’em script-kiddies for a reason) — automated — sloppy does not enter into it.

  3. Phlipn says:

    keep in mind this is the same FBI that is so hard up to convince the US public of imminent terror threats it manipulated an illiterate and borderline mentally retarded Iranian into a plot to assassinate a Saudi Ambassador, claiming the plot was directed by the Al Quds in Iran – Mansour Arbabsiar and Ali Gholam Shakuri. And this is not the only contrived terrorist incident they have been responsible for… Not only are they discredited by the nonsense from their mouths and reckless, unscrupulous deeds, they have proven themselves to be deceivers of the American public time and again. Their greatness in fighting terror threats makes the FBI number one suspect on the concocted bullshit list. How do we know when the FBI is lying? Their lips move. FBI – Federal Bullshit Institute.

  4. scribe says:

    Analyzing diction?
    So these North Korean hackers are speaking English? Or are they speaking Korean? And, pray tell, just how likely is it really that North Korea would be educating potential future hackers in English? Somewhere between “not at all” and “nonexistent”.
    But assume the hackers are/were speaking Korean. Given that it’s been >60 years since the two Koreas split and the size of the “wall” (figurative and literal) between them, one has to start thinking about the difference in dialects between the two Koreas. Languages, slang, dialects all change with time and especially when isolated. We’re being asked to swallow, whole, the supposition that the government has somehow managed to rustle up enough high-level speakers of the North Korean dialect to wade through the mess (if not mountain) of internet traffic and tell us conclusively that they can identify the hackers through their slang. Without anyone noticing all the hiring.
    I mean, it’s possible. But not likely at all.
    I do legal work involving a foreign language. In the US there are something less than 100 attorneys I’m aware of who work in that niche. I know a lot of them. Even among us, many of whom are native speakers, sussing out what’s slang, what’s not and what it means is quite difficult. And we have free and open access to that language and its regular, almost daily, change.
    Or they farmed out the work to the South Koreans or contractors, who told the USG what they wanted to hear.
    Sounds like we’re being told another whopper.

    • earlofhuntingdon says:

      Well, there are 100 American attorneys who work in Chinese languages, plus those who work in Spanish, French, German and Japanese, so your number sounds low. And I agree that English wouldn’t be taught to the intelligentsia in North Korea as commonly as it is in the South, but it would be common enough among, say, elite military and computer professionals, for whom the language would be a necessary part of knowing one’s enemy. But I agree that the US Govt seems to share the common American aversion to hiring and promoting fluent foreign language speakers. Its disregard for those who speak Arabic (and not during just the Bush-Cheney era) is a case in point, which suggests that your cynicism about how many American analysts speak fluent North Korean is exactly right.

    • Rayne says:

      I meant to come back here earlier, sorry, but better late than never…there had been a linguistic analysis of the self-named Guardians of Peace by what appears to be an independent firm specializing in this kind of work. They believe that the hack was likely the work of Russians.

      What concerns me * now * is that I know I’ve seen more analysis online somewhere by the same firm, but 1) they now only offer it in exchange for an email address (nope, sorry, not gonna’ do it), and 2) the analysis I saw seemed thorough, but still quite subjective (not a data-based analysis).

      I’m still not convinced that Sony was hacked by DPRK at this point, but I’m not exactly consigned to the idea Russia did it, either. There are still other likely suspects.
