Sony Hack: Is North Korea Really to Blame?
Experts Advocate Skepticism Pending Release of Any Proof

Don't take at face value the report that the U.S. government believes that North Korea hacked Sony Pictures Entertainment, numerous information security experts say.
Those cautions are being sounded in the wake of the New York Times reporting that unnamed U.S. intelligence officials now believe that the government of the Democratic People's Republic of Korea was "centrally involved" in the Sony attack, and that the White House is still weighing how it wants to publicly respond.
But the report doesn't define what "centrally involved" might mean, quote any officials by name, reveal which agency they might work for, or share the evidence that has been used to reach that conclusion. Accordingly, multiple information security experts have questioned the supposed connection between the attack against Sony and a cyber-squad being run by the Pyongyang-based government of communist dictator Kim Jong-Un.
Pending the release of any real evidence to back up the North Korea attribution claims, Jeffrey Carr, CEO of threat-intelligence firm Taia Global, recommends skepticism. "My advice to journalists, business executives, policymakers and the general public is to challenge everything that you hear or read about the attribution of cyber-attacks," Carr says in a blog post. "Demand to see the evidence [and] ... be aware that the FBI, Secret Service, NSA [National Security Agency], CIA, and DHS [Department of Homeland Security] rarely agree with each other, that commercial cybersecurity companies are in the business of competing with each other, and that 'cyber-intelligence' is frequently the world's biggest oxymoron."
Attributing the Sony attack to North Korea would be expedient for hawkish politicians, not to mention Sony Pictures executives who have been embarrassed by their company's poor security posture and by the contents of their leaked e-mails, says Marc Rogers, principal security researcher at distributed denial-of-service defense firm CloudFlare. "Blaming North Korea is the easy way out for a number of folks, including the security vendors and Sony management who are under the microscope for this," he says.
Blaming North Korea also appears to square with the demand from the Guardians of Peace - Sony's claimed attackers - that the movie studio not release The Interview. The comedy, which was due for a Dec. 25 release, centers on a tabloid TV reporting team that gets approached by the CIA to kill Kim Jong-Un. Pyongyang denounced the comedy in June, labeling it an "act of war that we will never tolerate" and promising "merciless" retribution.
Sophisticated Attack
But the anti-forensic researcher - and zero-day exploit broker - known as the "Grugq" notes that the Sony attack is more sophisticated than anything that's ever been traced to North Korea. That includes not just stealing large amounts of Sony data and infecting Sony systems with wiper malware, but also dribbling the stolen data out in batches via BitTorrent, as well as coordinating a media relations campaign that's kept the Sony breach and related leaks at the top of the news for weeks.
"To handle this sophisticated media/Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and western culture," the Grugq says in a post to text-sharing site Zeropaste. "This would be someone quite senior and skilled. That is, I can't see DPRK [North Korea] putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value for DPRK."
Who Else Might Be Responsible?
Other security experts also question why North Korea would demonstrate - or squander - its cyberwarfare capabilities on a Hollywood film. "I can't imagine a more unlikely scenario than that one," Carr says.
Much of the North Korean connection appears to have been built on the malware having been compiled with development tools whose language setting was Korean. But CloudFlare's Rogers notes that it's "trivial" to change the language settings in development tools right before compiling code, and notes that the dialect used by North Koreans differs from traditional Korean so much that it's more likely would-be attackers would use tools programmed for Chinese.
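To show concretely what a "Korean language setting" artifact is and why Rogers calls it trivial to change, here is an added example that is not from the article or from any of the researchers quoted. On Windows, the language a resource was built for is stored as a 16-bit LANGID in the third level of the PE resource directory (the IMAGE_RESOURCE_DIRECTORY layout from winnt.h, laid out here as a linker would). The resource tree, the language ids and the sample are all constructed for the demonstration; the helper names are this example's own. The point it makes is that the "evidence" is a two-byte field per resource, chosen by whoever controls the build, and rewritable afterwards.

```python
import struct

# IMAGE_RESOURCE_* layout from winnt.h; offsets are relative to the .rsrc section start
SUBDIR_FLAG = 0x80000000          # high bit set: entry points at a nested directory
DIR_HDR = "<IIHHHH"               # Characteristics, TimeDateStamp, Major, Minor, NumNamed, NumId
DIR_ENTRY = "<II"                 # Name-or-Id, OffsetToData
DATA_ENTRY = "<IIII"              # OffsetToData (RVA), Size, CodePage, Reserved
RT_RCDATA, RT_VERSION = 10, 16    # standard resource type ids
LANG_KOREAN_KR, LANG_ENGLISH_US, LANG_CHINESE_PRC = 0x0412, 0x0409, 0x0804
PRIMARY_LANG = {0x04: "Chinese", 0x09: "English", 0x12: "Korean"}   # subset of LANG_* values


def build_resource_section(tree):
    """Lay out a three-level tree {type_id: {name_id: [langid, ...]}} the way a linker
    does: type directory, name directories, language directories, then data entries."""
    pos = 0

    def reserve(size):
        nonlocal pos
        off, pos = pos, pos + size
        return off

    root_off = reserve(16 + 8 * len(tree))
    name_off = {t: reserve(16 + 8 * len(names)) for t, names in tree.items()}
    lang_off = {(t, n): reserve(16 + 8 * len(langs))
                for t, names in tree.items() for n, langs in names.items()}
    data_off = {(t, n, l): reserve(16)
                for t, names in tree.items() for n, langs in names.items() for l in langs}
    out = bytearray(pos)

    def write_dir(off, entries):
        struct.pack_into(DIR_HDR, out, off, 0, 0, 0, 0, 0, len(entries))
        for i, (ident, target) in enumerate(entries):
            struct.pack_into(DIR_ENTRY, out, off + 16 + 8 * i, ident, target)

    write_dir(root_off, [(t, SUBDIR_FLAG | name_off[t]) for t in tree])
    for t, names in tree.items():
        write_dir(name_off[t], [(n, SUBDIR_FLAG | lang_off[(t, n)]) for n in names])
        for n, langs in names.items():
            write_dir(lang_off[(t, n)], [(l, data_off[(t, n, l)]) for l in langs])
            for l in langs:  # payload RVA/size left zero: only the metadata matters here
                struct.pack_into(DATA_ENTRY, out, data_off[(t, n, l)], 0, 0, 0, 0)
    return bytes(out)


def read_dir(section, off):
    """Return [(id, target, entry_offset)] for the directory at `off`."""
    n_named, n_id = struct.unpack_from("<HH", section, off + 12)
    entries = []
    for i in range(n_named + n_id):
        entry_off = off + 16 + 8 * i
        ident, target = struct.unpack_from(DIR_ENTRY, section, entry_off)
        entries.append((ident, target, entry_off))
    return entries


def walk_languages(section):
    """Yield (type_id, name_id, langid, entry_offset) for every language-level leaf.
    Assumes the standard type -> name -> language nesting; string-named entries are
    reported by their raw id field rather than resolved to text."""
    for type_id, t_target, _ in read_dir(section, 0):
        for name_id, n_target, _ in read_dir(section, t_target & 0x7FFFFFFF):
            for langid, _, entry_off in read_dir(section, n_target & 0x7FFFFFFF):
                yield type_id, name_id, langid, entry_off


def describe_langid(langid):
    """Split a LANGID into its primary language (low 10 bits) and sublanguage (high 6)."""
    primary, sublang = langid & 0x3FF, langid >> 10
    return f"{PRIMARY_LANG.get(primary, 'unknown')} (primary=0x{primary:02x}, sublang={sublang})"


def resource_languages(section):
    return {langid for _, _, langid, _ in walk_languages(section)}


def relabel_languages(section, new_langid):
    """Overwrite every language id in place. The 'Korean' artifact is one 32-bit entry
    field per resource; anyone who controls the build, or the binary, can set it."""
    buf = bytearray(section)
    for _, _, _, entry_off in walk_languages(section):
        struct.pack_into("<I", buf, entry_off, new_langid)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: a version resource and one RCDATA blob carrying Korean ids.
    rsrc = build_resource_section({RT_VERSION: {1: [LANG_KOREAN_KR]},
                                   RT_RCDATA: {100: [LANG_KOREAN_KR, LANG_ENGLISH_US]}})
    for t, n, l, _ in walk_languages(rsrc):
        print(f"type={t} name={n} lang=0x{l:04x} {describe_langid(l)}")
    print("after relabel:", sorted(resource_languages(relabel_languages(rsrc, LANG_ENGLISH_US))))
```

Run against a real `.rsrc` section the walker reports the same LANGIDs that tools like `rabin2` or `pefile` show; the relabel step is what a compile-time language switch in the IDE, or a post-build patch, achieves. Like PDB paths and compile timestamps, this is build metadata, not an identity.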
As noted, the attackers' focus on The Interview has been cited as another piece of evidence of North Korean involvement. But leaked Sony e-mails show that the Sony attack appeared to begin as an extortion attempt, launched by a group calling itself "God'sApstls." The attackers only mentioned the film after Sony had suffered its wiper malware attack and stolen data had already been leaked, once news reports had begun recalling that Pyongyang had denounced Sony Pictures earlier in 2014 over the forthcoming release of The Interview.
If North Korea didn't sponsor the Sony attack, that still leaves plenty of potential culprits, several of which security experts find more plausible. One theory is that the hack was the work of chaos-seeking hacktivists. Or China could have launched the attack after potentially hacking Sony last year during business negotiations, Dateline suggests.
Alternately, as Wired posits, Sony may have been infiltrated by multiple groups, including nation-state-backed hackers, as well as hacktivists.
Rogers, meanwhile, says the technical aspects of the attack - and obvious penchant for revenge - suggest the work of an insider. "It's clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony's internal architecture and access to key passwords," he says. "While it's plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam's razor [the concept that the simplest theory is often correct] suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as."
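The insider claim rests on a checkable artifact: hard-coded UNC paths and credentials in the malware. As an added example, not from the article and not run against the real Sony sample, the following triage routine pulls ASCII and UTF-16LE strings from a binary blob and flags the two things Rogers describes: paths to named internal hosts and credential-bearing command lines. The blob it scans is a constructed stand-in (hostnames, share names and the password are invented), and the function names are this example's own.

```python
import re

# Constructed stand-in for a sample: binary noise around an ASCII UNC path,
# a UTF-16LE "net use" command line and an unremarkable local temp path.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\xff\xfe\x01\x02" * 8
    + b"\\\\fileserver01\\share\\drop\\wiper.exe\x00\x00"
    + "net use \\\\fileserver01\\IPC$ P@ssw0rd /user:CORP\\svc_backup".encode("utf-16le")
    + b"\x00\x00" + b"\x7f\x8a\x00\xff" * 10
    + b"C:\\Windows\\Temp\\x.tmp\x00"
)


def extract_strings(blob, min_len=6):
    """Printable ASCII runs followed by UTF-16LE runs, roughly `strings -a` plus `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]
    return found


# \\host\share[\more\segments]; the share may carry a trailing $ (IPC$, ADMIN$, C$)
UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+(?:\\[^\s\\]+)*")
# command-line and config idioms that usually sit next to an embedded password
CRED_RE = re.compile(r"(?i)(?:net use|/user:|password=|pass=|pwd=)")


def find_internal_knowledge(blob):
    """Flag strings that only prior access or inside knowledge could have supplied:
    UNC paths to named hosts, the hosts themselves, and credential-bearing lines."""
    hits = {"unc_paths": [], "credential_like": []}
    for s in extract_strings(blob):
        hits["unc_paths"].extend(UNC_RE.findall(s))
        if CRED_RE.search(s):
            hits["credential_like"].append(s)
    # \\host\share splits as ['', '', host, share, ...]
    hits["hosts"] = sorted({p.split("\\")[2] for p in hits["unc_paths"]})
    return hits


if __name__ == "__main__":
    for key, values in find_internal_knowledge(SAMPLE_BLOB).items():
        print(key)
        for v in values:
            print("   ", v)
```

A hit list like this supports the "knew the environment" half of Rogers' argument; it does not by itself distinguish an insider from an intruder who harvested the same hostnames and service-account passwords during an earlier foothold, which is exactly the ambiguity he concedes before invoking Occam's razor.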
Sony Criticized for Canceling Film
The Sony attack rhetoric has escalated in recent days, with the Guardians of Peace - which has claimed credit for stealing and leaking Sony data, as well as a wiper malware attack that wiped an unknown number of Sony hard drives - issuing a vague "terror" threat against theater operators who opted to show The Interview. The comedy was scheduled to debut Dec. 25.
The Department of Homeland Security reported that it saw "no credible intelligence" of an actual Sony-related "terror" plot, as did President Obama. "Well, the cyber-attack is very serious. We're investigating, we're taking it seriously," Obama said in an interview with ABC News. "We'll be vigilant, if we see something that we think is serious and credible, then we'll alert the public. But for now, my recommendation would be that people go to the movies."
Nevertheless, Sony on Dec. 17 said that it would indefinitely postpone the release of The Interview. A company spokesman said that the company is "deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company," and added that Sony backed its filmmakers' "right to free expression and are extremely disappointed by this outcome."
Some industry watchers think the move to yank the film's release was a damage-control exercise on the part of Sony Pictures' beleaguered executives. "I think they just want to wash their hands of it," Matthew Belloni, executive editor of The Hollywood Reporter, tells USA Today.
Numerous entertainment industry figures also slammed Sony's move, not least for the precedent that it now sets. "I think it is disgraceful that these theaters are not showing The Interview," tweeted well-known producer Judd Apatow, who's worked with The Interview star Seth Rogen before. "Will they pull any movie that gets an anonymous threat now?"
In the wake of Sony cancelling the release of The Interview, New Regency reportedly canceled work on Pyongyang, a "paranoid thriller" set in North Korea that was due to begin filming in March. In response, former "Daily Show" correspondent Steve Carell, who was signed to star in the film, tweeted: "Sad day for creative expression."
Some experts say it's a sad day for information security as well. "If Sony is honestly going to cancel this movie in reaction to the demands of the G.O.P., it is both naïve and sets an incredibly dangerous precedent," Al Pascual, director of fraud and security at Javelin Strategy and Research, tells Information Security Media Group.