FBI director: Sony hackers ‘got sloppy’

January 7, 2015, 9:10 PM UTC
Johnson,Comey Address Overseas Security Advisory Council's Annual Briefing
FBI director James Comey speaking at the Overseas Security Advisory Council's 29th Annual Briefing in Washington, D.C. in November 2014.
Photograph by Alex Wong — Getty Images

NEW YORK—FBI director James Comey on Wednesday reasserted that North Koreans are behind the recent cyber attack on Sony Pictures. The FBI and the U.S. intelligence community still has “very high confidence about the attribution,” he told an audience at Fordham University’s International Conference on Cyber Security.

Despite an undercurrent of skepticism brewing in the security community, Comey doubled down on the North Korea allegation and offered new information about the federal investigation.

In summary, Comey said:

1.) The FBI and the U.S. intelligence community still has “very high confidence about the attribution” despite outside skepticism.

2.) The hackers slipped up and failed to cover their tracks with proxy servers when sending threatening e-mails to Sony employees. The IP addresses of the alleged members of the Guardians of Peace, which claimed responsibility for the hack, traced directly back to ones “exclusively used by North Koreans.”

3.) The FBI believes the hackers gained entry to Sony’s system through a so-called spear phishing attack, a type of fraud that involves spoofing an e-mail message.

What follows are Comey’s remarks about Sony in full:

As you know, we at the FBI and the entire intelligence community have attributed these attacks to North Korea. And we continue to believe that is the case. There is not much in this life that I have high confidence about—I have very high confidence about this attribution as does the entire intelligence community. So how do we know that? Or why do I have such high confidence in this attribution to North Korea?

Here’s the tricky part: I want to show you as much as I can the American people about the why and I want to show the bad guys as little as possible about the how—how we see what we see—because it will happen again and we have to preserve our methods and our sources.

There’s a couple of ways we’ve already said. You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”

We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.

Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.

The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.

And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.

As I said, we have a range of other sources and methods that I’m going to continue to protect because we think that they’re critical to our ability—the entire intelligence community’s ability—to see future attacks and to understand this attack better. We have brought them all to bear in this situation and I remain where I started not just with high confidence, but with very high confidence that the north Koreans perpetrated this attack.

We’re still looking to identify the vector—so how did they get into Sony? We see so far spear phishing coming at Sony as late as September of this year. We’re still working that and when we figure that out we’ll do our best to give you the details on that. But that seems the likely vector for the entry to Sony.

Learn more about Sony from Fortune’s video team: