A report based on documents from Edward Snowden’s NSA trove and published by Der Spiegel on Saturday described the extensive cyber spying and sabotaging capabilities of the US National Security Agency, and gave an indication of how they knew who’s to blame for the massive attack sustained by Sony Pictures Entertainment late last year.

The US pointed the finger at North Korea back in December. US president Barack Obama officially stated that that nation’s leadership is behind the hack, and announced new sanctions against the country and its citizens.

As many security experts expressed their doubts about the attack attribution being correct, and US agencies declined to share more evidence, FBI director James Comey attempted to add the weight of his word to their claims, by saying that he had “very high confidence in this attribution” and that the North Korean hackers occasionally got sloppy and that allowed the US to tie the attack to them.

But one of the documents released by Der Spiegel along with the report shows that the NSA got their hands on the information coming from the spying malware set up by the South Korean computer network exploitation (CNE) program on a number of computers used by North Korean officials, including some that were part of the North Korean CNE program.

The NYT reports that later the NSA managed to insert their own implants into the North Koreans’ boxes, and used them to monitor the country’s plans and cyber efforts. The intelligence agency also compromised Chinese networks that connect North Korea to the outside world, and made their way inside also via that path.

It is believed that this access to the North Korean networks and systems allowed the NSA to confirm North Korea was behind the Sony hack. But the foothold that they have inside these network didn’t help to discover the beginning of the attack in time.

The spear phishing emails that were used to steal a Sony sysadmin’s credentials and started it all were not spotted in time, and the attackers “roamed” Sony’s networks for over two months, exfiltrating and deleting data, preparing for the last strike.

For more details about the extensive NSA cyber offensive capabilities, check out Der Spiegel’s extensive report.