FBI Attributes Sony Hack to North Korea
President Obama Promises 'Proportionate' Response
(Note: This story has been updated.)
The FBI says it has traced the hack attack against Sony Pictures Entertainment to North Korea, and President Obama says that the administration will respond proportionately to the cyber-attack.
"They caused a lot of damage, and we will respond," Obama said at a Dec. 19 White House press conference, referring to the North Koreans. "We will respond proportionately, and we will respond in a place and time and manner we choose."
Ending weeks of speculation as to who the U.S. government thinks was responsible for the attack against Sony, the FBI issued a statement saying its investigation, conducted with other federal government agencies, gathered "enough information to conclude that the North Korean government is responsible for these actions."
Obama: Sony Made 'Mistake'
Obama also said that Sony made a mistake in canceling the Christmas Day release of the comedy movie "The Interview" after hackers made threats tied to the release of the film. The movie centers on a tabloid TV reporting team that gets approached by the CIA to assassinate Kim Jong-un, the dictator who rules North Korea.
"Sony is a corporation; it suffered significant damage," Obama said. "There were threats against its employees. I am sympathetic to the concerns that they faced. Having said all of that, yes, I think they made a mistake." Later, the president added, "I wish they had spoken to me first. I would have told them, 'Do not get into a pattern in which you're intimidated by these kinds of criminal attacks.'"
Obama suggested that canceling the movie's release could lead to self-censorship among American companies.
"We cannot have a society in which some dictator someplace can start imposing censorship here in the United States because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they'll start doing when they see a documentary they don't like or a news report that they don't like," Obama said. "Even worse, imagine if producers and distributors and others start engaging in self-censorship because they do not want to offend the sensibilities of somebody whose sensibility priorities need to be offended."
The president also used the Sony breach to call on Congress to enact a law that would facilitate voluntary cyberthreat sharing between the government and business - legislation that has stalled in Congress over a disagreement between the White House and Republicans over liability and privacy protections (see Cybersecurity Info Sharing Bill Draws Criticism).
FBI's Findings
Information security experts will be examining the technical details of the FBI's statement to see if they agree with the assessment that North Korea was involved, although the FBI warned that "the need to protect sensitive sources and methods precludes us from sharing all of this information." The FBI says it was able to attribute the attack based on three findings:
- Technical analysis: The wiper malware used by attackers "revealed links to other malware that the FBI knows North Korean actors previously developed."
- Infrastructure: The FBI says that it found a "significant overlap" between the infrastructure used by Sony's attackers, and malicious infrastructure used in previous attacks that tie to North Korea. "For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack."
- Tools: "The tools used in the SPE attack have similarities to a cyber-attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea," the FBI says. That represents the first time that the U.S. government has attributed the Dark Seoul campaign to Pyongyang.
The FBI confirmed that in addition to confidential communications and employees' private information having been stolen and leaked, the wiper malware deployed by attackers "also rendered thousands of SPE's computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company's business operations." The FBI also lauded Sony for having reported the hack attack to the bureau "within hours," saying that "Sony's quick reporting facilitated the investigators' ability to do their jobs, and ultimately to identify the source of these attacks."
Guardians Of Peace Claimed Credit
A group that calls itself the Guardians of Peace claimed credit for the attack against Sony Pictures, including the leaks of stolen data, which has included top Sony Pictures executives' Outlook e-mail spools. After "G.O.P." launched its attacks and began leaking data, however, the group then claimed it would stop leaking data if Sony canceled the release of the film "The Interview."
G.O.P. then upped the ante by making a "terror" threat against movie theaters. In response, U.S. theater chains announced that they would not show the film, and Sony said that it would permanently shelve "The Interview." Sony's move sparked a free-speech backlash, including a "We The People" petition filed Dec. 18 with the White House that requests the Obama administration "encourage Sony to distribute 'The Interview' to those Americans who wish to see the film."
G.O.P. has reportedly since thanked Sony for canceling the film's release, saying it was "very wise," but added new demands. "Now we want you never let the movie released, distributed or leaked in any form of, for instance, DVD or piracy," reads G.O.P.'s latest message to Sony, CNN reports. "And we want everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately," it adds, warning that "we still have your private and sensitive data" and saying that it will "ensure the security of your data unless you make additional trouble."
Doubts Already Raised
Some information security professionals are already saying they believe the FBI may have rushed to judgment in its attribution of the Sony attack to North Korea. Security adviser Sean Sullivan at Finnish anti-virus vendor F-Secure, for example, says that unless the FBI discloses its sources - and especially if they're North Korean defectors with an ax to grind - then he regards its findings as "BS."
The US security-intelligence complex is running amok once again. Washington D.C. is incapable of saying "we don't know." #ConfirmationBias
- Sean Sullivan (@5ean5ullivan) December 19, 2014
Likewise, Dave Kennedy, CEO of information security firm TrustedSec, warns that only "using words" to attribute the attack to North Korea - and offering "no firm evidence" - won't pass muster with information security experts.
FBI release is not unexpected. My stance is the same - where is the supporting evidence and how do we prove it? We need to be careful here.
- Dave Kennedy (ReL1K) (@HackingDave) December 19, 2014