No, FBI. North Korea May Not Have Hacked Sony Pictures After All
Cyber security experts are coming out from left and right challenging the veracity of the allegations made by the Federal Bureau of Investigation (FBI) that North Korea was behind the huge cyber attack that brought down Sony Pictures Entertainment to its knees.
Last week, the FBI officially announced that it was pointing to hackers backed by the Pyongyang administration as being responsible for the hack that led to the leak of massive amounts of private, sensitive and sometimes embarrassing information from Sony's servers.
Marc Rogers, principal security researcher at Cloudflare and director of security operations for DEFCON, however, said it's not that quick and easy to attribute a hack to anyone, much less a massive cyber intrusion as what happened to Sony Pictures.
"Digital forensics is nothing like what you see on TV -- on so-called cyber-CSI shows, the investigator types in a few magical keystrokes and evidence comes flooding out of the completely unlocked computer," Rogers said. "In the real world, attribution involves sifting through gigabytes of assorted data through hundreds, even thousands, of machines. Each one, a scene of crime in its own right."
The FBI's announcement said "technical analysis of the deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed." However, Rogers said the FBI is relying on flimsy evidence.
Rogers speculates that the malware the FBI is referring to are Shamoon, which hit Middle East oil targets in 2012, and DarkSeoul, which brought down banking networks in South Korea in 2013. Both attacks are widely believed to have been perpetrated by North Korea, although Rogers made it a point to say he doesn't believe it. He said the evidence is far from convincing because the code used for the malware is widely used in other attacks elsewhere.
"Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator," he said. "Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain 'crimeware' kits have been using this model for years."
Rogers also criticized the FBI's "naivety" in using the Internet protocol addresses of the attacks, which point to North Korea. He said the more useful thing to do is to look at the command and control center that the hackers used to carry out the attack. Rogers said these addresses are found in the malware code itself, and they point to Thailand, Poland, Italy, Bolivia, Singapore, Cyprus and the United States.
"Checking online IP reputation services reveals that they have been used by malware operators in the past," he said. "This isn't the least bit surprising; in order to avoid attribution cyber criminals routinely use things like proxies to conceal their connection. No sign of North Korea, just lots of common, or garden, Internet cyber criminals."
Kurt Stammburger, senior vice president of cyber security firm Norse, agrees. Both he and Rogers believe the evidence that has been made available to the public point to a disgruntled Sony Pictures employee looking to bring her former employee down.
Data gleaned by Norse points to a woman named "Lena," who has been interviewed by The Verge in the attack's early days, as being linked to Guardians of Peace, which is taking the credit for the attack. Lena says that the group is fighting for "equality" and points to Sony Pictures staff "with similar interests" to penetrate the company's systems.
"Sony was not just hacked, this is a company that was essentially nuked from the inside," Stammburger said. "We are very confident that this was not an attack masterminded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history."
Stammburger also believes Lena held a strategic position in Sony Pictures and a deep technical background, which allowed her access to the servers that were compromised.
TrustedSec CEO David Kennedy also points out that the hackers made no mention of The Interview, the controversial Seth Rogen movie featuring North Korean leader Kim Jong Un's head exploding, during the group's initial communications with Sony Pictures. In emails unearthed from the trove of files released by the group, the hackers were asking for "monetary compensation" in exchange for a promise to keep silent.
"It was more of an extortion case beforehand," Kennedy said. "I think we definitely jumped the gun. A lot of [the evidence is] very circumstantial."
The FBI remains mum on its assertion, but it has been steadfast in its announcement last Friday that "the North Korean government is responsible for these actions."