Sony Hack: More Theories Emerge

Additional Evidence Suggests Insiders, Hacktivists
Sony Hack: More Theories Emerge

New evidence suggests that the hacking campaign against Sony Pictures - including a Nov. 24 wiper malware attack - may have been the work of a small group that included at least one former studio employee, according to threat-intelligence firm Norse. Other evidence, meanwhile, suggests that the attackers were not native Korean speakers, despite the FBI having attributed the hack to the government of North Korea.

See Also: How to Illuminate Data Risk to Avoid Financial Shocks

Norse, which isn't officially involved in the Sony Pictures investigation, claims that it has found evidence that six people were behind the hack attack against Sony, and that none of them are based in North Korea. "We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history," Kurt Stammberger, a senior vice president at Norse, tells CBS News.

In particular, Norse says it suspects that one of the attack planners was a woman who calls herself "Lena" and who worked for Sony Pictures for 10 years, until May 2014. "This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised," Stammberger says. In an interview with news site Security Ledger, he adds that of the six individuals that Norse believes were directly involved in the Sony hack, one member each is located in Canada, Singapore and Thailand, and two are based in the United States. He adds that some of the members have ties to sites such as Pirate Bay, through which users can freely download Hollywood films.

Norse says it presented a Dec. 29 briefing to the FBI on its findings. If an insider was involved in the hack attack, it would explain how attackers gained what security experts say appears to be detailed knowledge of the Sony network's topology.

But the FBI is standing by its attribution. "The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment," an FBI spokeswoman tells Information Security Media Group. "There is no credible information to indicate that any other individual is responsible for this cyber incident." The bureau says it reached that conclusion based on intelligence it collected, as well as information from U.S. intelligence agencies, the Department of Homeland Security, as well as "foreign partners and the private sector."

Quoting an unnamed source with knowledge of the investigation, however, Reuters reports that U.S. investigators are now exploring whether the Pyongyang-based government of what's officially known as the Democratic Peoples Republic of Korea, or DPRK, "contracted out" part of the hack attack.

North Korea Denies Attacking Sony

Officials in Pyongyang have denied having anything to do with the Sony Pictures hack, and warned of "grave consequences" unless the U.S. apologies.

But a group that calls itself Guardians of Peace, or G.O.P., has claimed credit for hacking Sony, stealing and leaking corporate data, as well as unleashing the Nov. 24 "wiper" malware attack that erased and "bricked" an unknown number of Sony systems. Before the wiper malware was deployed, the group e-mailed an extortion demand to Sony executives, which appears to have gone unanswered.

It was only after "detonating" the malware and leaking Sony data that G.O.P. claimed that it would cease the attacks if Sony canceled the release of "The Interview," a comedy film that centered on an assassination plot against North Korean leader Kim Jong-un.

After G.O.P. then warned of Sept. 11-style reprisals against cinemas that showed "The Interview," the biggest U.S. theater chains announced they would not show the film, and Sony said it would shelve the film indefinitely. Facing criticism from President Obama, however, Sony Pictures backtracked, and booked the film for a Christmas Day opening at some 330 independent and art-house cinemas, preceded by a Dec. 24 video-on-demand release. Within days, on-demand revenues reached $15 million, setting a new record for the studio. But it's unclear if Sony will ever recoup the estimated $75 million it spent to make and market the film.

Attribution Questioned

On Dec. 19, the FBI issued a statement attributing the Sony Pictures hack attack to "North Korea actors" based on the malware and infrastructure employed by attackers, as well as tools used in previous wiper malware attacks attributed to North Korea. But the bureau declined to detail those findings, saying that "the need to protect sensitive sources and methods precludes us from sharing all of this information."

Many experts, however, continue to question the FBI's attribution, with information security expert Bruce Schneier saying he remains "deeply skeptical," based on the scant evidence produced to date.

Robert Graham, who heads research firm Errata Security, is more blunt, calling the FBI's attribution "complete nonsense," and noting that most malware and attack infrastructure gets reused regularly. "The hacker underground shares ... everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure," he says. "Different groups even share members. It is implausible that North Korea would develop its own malware from scratch."

Likewise, the security researcher known as "Krypt3ia" reports that seven of the IP addresses referenced in the FBI's attribution are open proxies used regularly by many different attackers to launch spam and malware campaigns.

Suspected: Russian Language Speakers

Owing to the scant evidence published by the FBI, researchers at information security consulting firm Taia Global have conducted a linguistic analysis of written evidence - in the form of 20 messages that have been attributed to G.O.P. - to try and identify the writer or writers' native language. "These messages variously threaten Sony, promise and announce availability of stolen data, and taunt Sony and the FBI," according to preliminary results published by Taia Global. "As the English in the messages is not uniformly fluent, it has been widely assumed that the messages were written by a non-native speaker or speakers."

Working on the assumption that the attackers were non-native English speakers, Taia Global's found that the attackers were most likely native Russian speakers. "We tested for Korean, Mandarin Chinese, Russian, and German," Taia Global's report says. "Our preliminary results show that Sony's attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German."

Politicians Demand North Korean Sanctions

Based on the FBI's attribution of the Sony attack to North Korea, U.S. politicians have been calling on President Obama to impose sanctions against Pyongyang, with Sen. Lindsey Graham, R-S.C., telling CNN that the government of North Korea should "feel the pain that is due."

Graham also suspects China was involved in the hack attack, saying: "I can't imagine anything this massive happening in North Korea without China being involved or at least knowing about it." But Graham cited no evidence to support that claim.

Meanwhile, security experts continue to caution against rushing to attribute the Sony Pictures attacks. "I hope that despite the early conclusion of North Korean guilt, we keep investigating this cybercrime," says Marc Rogers, principal security researcher at distributed denial-of-service defense firm CloudFlare. "Hopefully with time, more evidence will be brought to light that enables an accurate attribution of whoever carried it out."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network