On December 19, less than one month after Sony Pictures Entertainment suffered one of the worst computer hacks in history, the U.S. Federal Bureau of Investigation announced it had found the culprit: North Korea.
While a group calling itself Guardians of Peace claimed responsibility, Pyongyang had long been suspected of having a hand in the attacks, given its vocal dislike for the Sony-released picture "The Interview" depicting the assassination of Kim Jong Un.
The FBI announcement seemed to make it official, and President Barack Obama promised a “proportional” response against North Korea, terming the attack an act of "cyber-vandalism."
But just days after the FBI’s accusation, computer security analysts began questioning the FBI’s conclusions, saying the real culprit may be much harder to identify. And that’s raising worries about what may come next.
"Attribution is hard," write analysts at the cybersecurity firm RiskBased Security. "The idea that a mere two weeks into the investigation and there is positive attribution, enough to call this an act of war, seems dangerous and questionable."
Claims and doubts
What’s uncontested is that the Sony hack was accomplished by means of destructive malware that had somehow been inserted into its computer systems, with the resulting theft of terabytes of data (the GOP claims it stole 100 terabytes; Sony has not divulged the exact size of its data loss).
It’s also known that North Korea trains elite units to engage in cyberattacks and that Pyongyang has managed to carry out several successful hacks, mostly targeting South Korea, although on a much smaller scale than the Sony attack.
Beyond that, everything gets considerably murkier.
In its announcement, the FBI lists three bullet points connecting the North Korean regime to the attacks. First, it says:
- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods and compromised networks.
This means, in part, that the malware’s design has elements similar to those seen in previous hacks tied to North Korea. One of those elements, known as a "wiper," was included to not just steal but to destroy data on Sony’s computers.
In this case, as security analyst Kurt Baumgartner writes at SecureList, the Sony wiper is something called Trojan Destover. Without getting too much into the cyber weeds, Baumgartner says Destover is built using commercially available RawDisk malware drivers, and bears similarities to the DarkSeoul and Shamoon bugs employed in a wide variety of cyberattacks unconnected to North Korea for years.
Further, while not specifically referenced by the FBI, some elements of the malware files appear to have been compiled on computers set for the Korean time zones and language. Again, that may indicate a link back to North Korea. But in her story in Wired calling the connections to North Korea "flimsy," reporter Kim Zetter writes "an attacker can set the language on a compilation machine to any language they want and, researchers note, can even manipulate information about the encoded language after a file is compiled to throw investigators off."
The second FBI bullet point reads:
- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
Given the near nonexistence of the Internet or ISPs in North Korea, it’s a relatively easy matter to tie data traffic back to specific locations and entities there. Here, the FBI is saying that traces of IP addresses tied to North Korea were found coded into the malware.
But security analyst Marc Rogers, writing on his blog, called this evidence "perhaps the least convincing of all." The FBI statement, he noted, only mentions IP addresses "associated with known North Korean infrastructure." That, he said, could suggest anything at all and is practically meaningless.
"The IP address is never what is interesting," he wrote. "It’s what’s running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate."
Lastly, the third FBI bullet point says:
- Separately, the tools used in the SPE [Sony Pictures Entertainment] attack have similarities to a cyberattack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
This refers to a 2013 hack that targeted a South Korean bank and several broadcasters, resulting in frozen ATMs and other problems. South Korea immediately blamed the North, saying it bore similarities to previous Pyongyang-linked hacks over the last four years – claims the North denied.
Interestingly, it was later revealed that the hacks appeared to come not from North Korea, but from an IP address in China. Whether that proves or disproves the North’s connection to the 2013 hack is still an open question.
If not the North, then who?
To be certain, there are plenty of analysts and journalists who find the FBI’s claims more than enough proof. "The Sony hack was perpetrated by either the North Korean government itself or by its third-party proxies," writes Brandon Valeriano at Slate. "There is really no doubt about this."
But doubters remain, among them Hector Monsegur, now a security analyst but infamous as the former Anonymous member “Sabu” who was caught in an FBI raid. "It would have taken months if not years to exfiltrate 100 terabytes of data – without anyone noticing," Monsegur told CBS News.
"Look at the bandwidth going into North Korea – the pipes going in, they only have one major ISP across the entire nation," he said. "That kind of information flowing at one time would have shut down North Korean Internet completely."
Reporters Jacob Kastrenakes and Russell Brandom over at The Verge also doubt a North Korean connection. Writing just days after the Sony hack was announced, they say emails from one of the hackers suggests the attack may have been an inside job.
"A person identifying as one of the hackers writes, ‘We Want equality [sic]. Sony doesn't. It's an upward battle," they wrote. "The hackers' goals remain unclear, but they used the attack yesterday to specifically call out Sony Entertainment CEO [and former BBG governor] Michael Lynton, referring to him as a 'criminal' in a tweet."
That claim appears to be backed up by elements in the malware that contain specific servers and passwords unique to Sony’s computer system. Jaime Blasco with the cybersecurity firm AlienVault Labs told USA Today: "From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hard-coded names of servers inside Sony's network and even credentials /usernames and passwords."
Wired’s Kim Zetter also points out that in the first emails to Sony from the hackers, there were no references either to "The Interview" or to North Korea. Rather, their motives appeared to be limited to financial extortion. Sony, in their first statements about the hack, also did not mention Pyongyang or the movie.
"To make matters confusing," Zetter wrote, "the email wasn’t signed by GOP or Guardians of Peace, who have taken credit for the hack, but by 'God’sApstls,' a reference that also appeared in one of the malicious files used in the Sony hack."
Author and cryptographer Bruce Schneier, at his blog "Schneier on Security," offers a different possibility. "The initial attack was not a North Korean government operation, but was co-opted by the government," he wrote.
"There's no reason to believe that the hackers who initially stole the information from Sony are the same ones who threatened the company over the movie. Maybe there are several attackers working independently. Maybe the independent North Korean hackers turned their work over to the government when the job got too big to handle. Maybe the North Koreans hacked the hackers."
Whether the FBI will be able to prove its North Korea claims of involvement in the future and convince skeptics may depend on information that it has obtained, but for security reasons has not yet shared publicly.
But noted analyst Jeffrey Carr, author of the book "Inside Cyber Warfare," says more proof is needed. "My advice to journalists, business executives, policymakers and the general public is to challenge everything that you hear or read about the attribution of cyber attacks," he wrote this week at his blog Digital Dao.
"Be aware that the FBI, Secret Service, NSA, CIA and DHS rarely agree with each other, that commercial cyber security companies are in the business of competing with each other, and that 'cyber intelligence' is frequently the world's biggest oxymoron."
In the days following President Barack Obama’s promise of a "proportional response" to the Sony hack, the Internet began flickering on and off in North Korea.
When asked if this was the result of U.S. actions, State Department spokeswoman Marie Harf issued a nondenial, saying, "We aren’t going to discuss, you know, publicly operational details about the possible response options."
Was the U.S. responding to North Korea? Was it a DDoS attack, was China cutting off the North’s Web access, or was it merely a power failure in Pyongyang? Answering those questions will likely prove as tricky as answering who was responsible for the Sony hack in the first place.