
Expert: Sony Hackers Sound Russian
Message Analysis Adds to Attribution Puzzle

Although FBI Director James Comey says that the hack attack against Sony Pictures Entertainment was "perpetrated by the North Koreans," linguistics expert Shlomo Engelson Argamon says his preliminary analysis shows the hackers' messages appear to have been written by native Russian speakers.

In a Jan. 7 speech, Comey attempted to address continuing criticism of the bureau attributing the hack attack to North Korea, saying that the attribution was, in part, reached thanks to the bureau's behavioral analysis unit. "We put them to work studying the statements, the writings, the diction of the people who claim to be the so-called 'Guardians of Peace' [who took credit for] this attack. We compared it to other attacks that we know the North Koreans have done, and they say, 'Easy for us. It's the same actors.'"

But Argamon's linguistic analysis of the 20 messages left by the "G.O.P." attackers found that the hackers' messages were most likely written by native Russian speakers, he says in an interview with Information Security Media Group. It's unlikely - although not impossible - that the messages were written by native Korean speakers, he says.

"Now, it's important to keep in mind that this kind of linguistic analysis of the messages doesn't say anything directly about who was behind the hack," says Argamon, who's chief scientist with information security consulting firm Taia Global. "That doesn't prove anything about who was in charge of the operation, who the actual technical hackers were - because they may have been different people. ... But it does give some useful information about what may have been going on."

To be clear, Shlomo's findings are preliminary, and he only looked at whether the messages may have been written by native German, Korean, Mandarin Chinese or Russian speakers. Shlomo says he's hoping to recruit additional linguists to conduct a more in-depth analysis of the G.O.P. messages, including comparing them against an expanded list of native-language samples.

In this interview, Argamon also discusses:

  • The need to find as many different sources of information relating to an attack as possible, ranging from linguistic analysis of messages, to malware analysis, to network information flow analysis;
  • What a linguistic analysis of attackers' messages can tell forensic investigators - and what it won't reveal;
  • How linguistically analyzing hackers' messages might become more widespread, and the extent to which that process can be automated;
  • The "arms race" that may result from attackers attempting to evade linguistic analysis of their messaging.

In addition to his role at Taia Global, Argamon is a professor of computer science at the Illinois Institute of Technology, where he heads the Linguistic Cognition Laboratory; and a senior fellow at the Center for Advanced Defense Studies, a not-for-profit research institution based in Washington, D.C.
