Did North Korea Hack Sony? The Jury’s Still Out

by SUEVON LEE | @suevlee
editor@charactermedia.com

Long after The Interview opened in some 300 independent theaters on Christmas Day and was made available to stream online following an unprecedented chain of events that saw the comedy nearly canceled, a question still dogs those following the Sony hack that started it all: who or what was responsible?

We thought we had an answer when the FBI on Dec. 19 said North Korea’s government was to blame for a massive cyber attack on Sony Entertainment Pictures that exposed a trove of sensitive data and embarrassing emails between studio executives before escalating into threats that terrorized major theater chains into pulling the film.

In the days and weeks following that announcement, however, some cybersecurity analysts and North Korea experts have expressed doubts about the FBI’s assertion, citing the circumstantial evidence against North Korea offered thus far by the U.S. government. (North Korea, meanwhile, vehemently denies involvement in the hack. Its excoriation of the film’s premise—a fictional assassination attempt on North Korean leader Kim Jong-un—fueled speculation it was behind the cyberhack and provides a swift revenge motive.)

“It’s hard to take at face value when the U.S. government says, ‘Trust us,’ because we’ve done it before…WMD in Iraq, right,” University of Southern California international relations and business professor David Kang told Southern California Public Radio KPCC’s Take Two on Monday. “If it turns out it was North Korea, then the government will be vindicated. If it’s not, I think it will just be further evidence of how difficult it is to attribute something as murky as espionage—cyberespionage—where it’s really, as I understand it, more of an art than a science to be able to pinpoint who actually caused the hack.”

So, in efforts to better understand why the U.S. government believes North Korea is the group behind the Sony hack that calls itself “Guardians of Peace,” while cybersecurity experts say, ‘Not so fast,’ let’s take a closer look at the arguments for and against in this, yes, murky debate.

Why the U.S. is Blaming North Korea

 

The FBI Says They’re Responsible

In its Dec. 19 statement, the FBI mentioned three distinct reasons for pinning the hack on the North Korean regime:

* The “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” to other malware the FBI says “North Korean actors previously developed.”

* The discovery of an overlap of several Internet protocol (IP) addresses the FBI says are associated with “known North Korean infrastructure” with those IP addresses found in the malware used in the Sony hack.

* Similarities of the tools used in the hack to a cyberattack in March 2013 against South Korean banks and media outlets by a group known as “DarkSeoul.”

In this detailed behind-the-scenes synopsis of the Sony hack, moreover, the New York Times cites anonymous Sony senior executives familiar with the course of the FBI investigation. These executives claim that even initially, federal investigators “did not strongly suspect an inside job” but found that the hackers “used digital techniques to steal the credentials and passwords from a systems administrator who had maximum access to Sony’s computer systems” in a style similar to that waged in the 2013 South Korean cyberattack by Dark Seoul.

Government Access to Classified Evidence

On Dec. 30, in the face of growing insistence among some experts the administration was too quick to point a finger at North Korea, the FBI issued a follow-up statement, saying its findings are “based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector.”

The NYT noted that senior administration officials say it is rare for President Obama to “blame a specific country so directly,” as the news outlet put it—in other words, the president wouldn’t pointedly assign blame in a cybersecurity matter unless he was certain. “But they [the officials] continue to insist that they cannot explain the basis of the president’s declaration without revealing some of the most sensitive sources and technologies at their disposal.”

U.S. officials are not backing down from rhetoric condemning the North Koreans. On Wednesday morning, Director of National Intelligence James R. Clapper told an audience at Fordham Law School, “Cyber is a powerful new realm for them, where they believe they can exert maximum influence at minimum cost, and this recent episode with Sony has shown they can get recognition for their cybercapabilities, and that is why we have to push back.”

At Least One Major Security Firm Believes the FBI is Correct

Computer security and cybercrime blog KrebsonSecurity.com reports that the co- founder of CrowdStrike, described as “a security firm that focuses heavily on identifying attribution and actors behind major cybercrime attacks,” stands behind the FBI on this one.

“We have a high-confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and U.S. government and military institutions,” CrowdStrike co-founder Dmitri Alperovitch told KrebsonSecurity.com. Alperovitch added, “We haven’t seen the skeptics produce any evidence that it wasn’t North Korea, because there is pretty good technical attribution here.”

Deterrence and Vested Interests

At the Atlantic, contributor Bruce Schneier cites an argument from the diplomatic perspective: be that it may the U.S. appears “overconfident” in blaming the Sony hack on North Korea, “the long-term U.S. interest is to discourage other nations from engaging in similar behavior.”

“If the North Korean government continues denying its involvement no matter what the truth is,” Schneier writes in summarizing this view, “and the real attackers have gone underground, then the U.S. decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.”

The article also raises the point that Sony has a vested interest in the hack being characterized as a state-sponsored act to help mitigate damage from the number of lawsuits brought against the corporation by employees who claim Sony failed to adequately prepare itself against theft of vulnerable, sensitive employee data.

Why Some Feel North Korea Is Not Necessarily Behind the Sony Hack (or Acted Alone)

 

The Timeline Doesn’t Compute with a Film Revenge Motive

Wired was one of the first news outlets to point out that the hackers’ first public statement on Nov. 21 made no mention of North Korea or The Interview—and that it was only after the media began drawing a connection between the film and North Korea around Dec. 8 that the hackers began denouncing the movie in statements and issuing threats against theater chains. The first public statement, Wired’s Kim Zetter noted, “appears to be an attempt at extortion, not an expression of public outrage or a threat of war.”

The Hacking Style is Not Demonstrative of a Nation-State Attack

In that same piece, Wired pointed out that certain stylistic elements used by the hackers, including the image of a glowing skeleton posted to computers, and the “catchy nom-de-hack like Guardians of Peace to identify themselves” don’t typically characterize a “nation-state attack.” Instead, the tech magazine argued, “these are all hallmarks of hacktivists—groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz, or by hackers sympathetic to a political cause.”

Linguistic Analysis

The Sony hackers apparently used computers programmed to a Korean language setting, but as plenty of analysts have pointed out, any computer can be configured to another language. Cybersecurity consultants at Taia Global, upon analyzing the hackers’ online messages, “concluded that based on translation errors and phrasing, the attackers are more likely to be Russian speakers than Korean speakers,” reported the NYT. The Taia analysts identified 20 non-standard phrases from the hackers’ messages and concluded that 15 were literal Russian translations, while nine were Korean.

An Inside Job?

Last week, the cyberthreat intelligence firm Norse Corporation expressed its own conclusion that the Sony hack was perpetrated by a small group of individuals, including a Sony ex-employee who had the “technical background and system knowledge to carry out the attack.”

The Verge also reported in late November, when news of the Sony hack was first publicized, that it received an email from a purported hacker, stating, “We want equality. Sony doesn’t. It’s an upward battle.”

The FBI Has Been Wrong Before—Or Had Inconclusive Findings

According to Vice Media, in early 1998, the FBI blamed Iraq for network interference on U.S. government computer networks when further investigation revealed it was actually the work of Israeli and California teens.

In addition, although the U.S. blamed Iran for the 2012 cyberattack on computers in Saudi Arabia known as Shamoon, it was attributed to a group known as “Cutting Sword of Justice.”

Furthermore, experts point out that while the FBI has stated there is common malware between the Sony hack and that used by the group “DarkSeoul” from the 2013 South Korean cyberhack, no definitive connection was ever made between “DarkSeoul” and North Korea. “The major problem with the evidence offered by the FBI is that it is self-referential, all of it pointing back to the 2013 attack on South Korean banks and media that was carried out by the DarkSeoul gang,” writes Gregory Elich at Global Research. “At that time, without supplying any supporting evidence, the United States accused North Korea of being behind DarkSeoul.”

So what are we to conclude from all this?

 

As the Atlantic’s Bruce Schneier argues in a piece posted to the magazine’s website Monday, there are the FBI’s assertions on one hand, and then there is all the countervailing evidence—or at least arguments rebutting or challenging the FBI’s conclusion—on the other. As his headline succinctly states, “We still don’t know who hacked Sony.”