What If It Wasn’t North Korea that Hacked into Sony?
Published in Nouvelle Obs
(France) on 24 December 2014
by Paul Laubacher (link to original)
(France) on 24 December 2014
by Paul Laubacher (link to original)
Translated from
by Tabitha Middleton.
Edited by Nicholas Eckart.
The guilty party was perhaps a little too ideal. Was North Korea really behind the massive hacking of Sony Pictures, claimed by a hacker group called “Guardians of the Peace”? Last Friday, the FBI formally accused the Pyongyang regime. This is the first time that the United States has accused another country of a cyberattack. But many cybersecurity experts are skeptical.
What Evidence Does the FBI Have?
“The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the federal police wrote in a report. What evidence is the FBI referring to?
• A technical analysis of the malware, which caused the deletion of data used during the attack, “revealed links” to other malware that “the FBI knows North Korean actors previously developed.” The FBI mentions “similarities in specific lines of code, encryption algorithms, [and] data deletion methods ...”
• According to the federal agency, there is “significant overlap” between the infrastructure — the servers and computers — used in the attack and the one used in other attacks that the American government has directly attributed to Pyongyang. For example, the FBI discovered that several IP addresses (the identification numbers of a computer connected to the internet) are associated with known North Korean infrastructures and were hardcoded into the software used to infiltrate Sony.
The tools used in the Sony attack have “similarities” with a cyberattack launched in March 2013 against South Korean banks and media outlets that was attributed to North Korea.
The FBI is nevertheless holding back on revealing all of the evidence in its possession, given that some of it is “classified” and cannot be disclosed.
Why This Evidence is Insufficient
As the American site Vox states, “But neither of these is conclusive proof of North Korea's involvement.” And Vox points out a stubborn fact: Everything is shared among hackers. Which may mean that:
• In previous attacks, North Korea could have used malware that had already been used elsewhere. This casts doubt on the theory about the North Korean origins of the software which infiltrated Sony.
• Same thing for the IP addresses associated with North Korean infrastructure. These servers and computers could have comprised a “shared infrastructure used by many different hackers,” Vox suggests. North Korea therefore could have been in communication with this infrastructure “for reasons that have nothing to do with the Sony attacks.”
Chairman and President of Errata Security Robert Graham thinks the same thing:
“The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.”
Since Dec. 17, the American magazine Wired has been among the skeptics. “Assertions about who is behind any attack should be treated with a hefty dose of skepticism,” Kim Zetter writes:
“Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.”
The “Guardians of the Peace” and the “Lena” Lead
Kurt Stammberger, a senior vice president of Norse, a company that follows cyberattacks in real time, goes even further. He confirmed on CBS that he conducted his own investigation, reported on 20 Minutes. The result?
"Sony was not just hacked, this is a company that was essentially nuked from the inside.”
Kurt Stammberger bases this assertion on the fact that the “Guardians of the Peace,” the group of hackers that claimed responsibility for the Sony cyberattack, did not initially demand the withdrawal of the film “The Interview,” but demanded money, promising to reveal stolen, embarrassing secrets.
According to information gathered by his organization, Kurt Stammberger confirmed that he followed up on the lead of “Lena,” a mysterious person who claimed affiliation with the group “Guardians of the Peace” and contacted several American media outlets after the Sony attacks. She then demanded “equality” and accused the studio CEO, Michael Lynton, of being a criminal.
According to Kurt Stammberger, “Lena” is a former employee of Sony that worked for the company for 10 years before quitting in May. "This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised.”
What Evidence Does the FBI Have?
“The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the federal police wrote in a report. What evidence is the FBI referring to?
• A technical analysis of the malware, which caused the deletion of data used during the attack, “revealed links” to other malware that “the FBI knows North Korean actors previously developed.” The FBI mentions “similarities in specific lines of code, encryption algorithms, [and] data deletion methods ...”
• According to the federal agency, there is “significant overlap” between the infrastructure — the servers and computers — used in the attack and the one used in other attacks that the American government has directly attributed to Pyongyang. For example, the FBI discovered that several IP addresses (the identification numbers of a computer connected to the internet) are associated with known North Korean infrastructures and were hardcoded into the software used to infiltrate Sony.
The tools used in the Sony attack have “similarities” with a cyberattack launched in March 2013 against South Korean banks and media outlets that was attributed to North Korea.
The FBI is nevertheless holding back on revealing all of the evidence in its possession, given that some of it is “classified” and cannot be disclosed.
Why This Evidence is Insufficient
As the American site Vox states, “But neither of these is conclusive proof of North Korea's involvement.” And Vox points out a stubborn fact: Everything is shared among hackers. Which may mean that:
• In previous attacks, North Korea could have used malware that had already been used elsewhere. This casts doubt on the theory about the North Korean origins of the software which infiltrated Sony.
• Same thing for the IP addresses associated with North Korean infrastructure. These servers and computers could have comprised a “shared infrastructure used by many different hackers,” Vox suggests. North Korea therefore could have been in communication with this infrastructure “for reasons that have nothing to do with the Sony attacks.”
Chairman and President of Errata Security Robert Graham thinks the same thing:
“The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.”
Since Dec. 17, the American magazine Wired has been among the skeptics. “Assertions about who is behind any attack should be treated with a hefty dose of skepticism,” Kim Zetter writes:
“Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.”
The “Guardians of the Peace” and the “Lena” Lead
Kurt Stammberger, a senior vice president of Norse, a company that follows cyberattacks in real time, goes even further. He confirmed on CBS that he conducted his own investigation, reported on 20 Minutes. The result?
"Sony was not just hacked, this is a company that was essentially nuked from the inside.”
Kurt Stammberger bases this assertion on the fact that the “Guardians of the Peace,” the group of hackers that claimed responsibility for the Sony cyberattack, did not initially demand the withdrawal of the film “The Interview,” but demanded money, promising to reveal stolen, embarrassing secrets.
According to information gathered by his organization, Kurt Stammberger confirmed that he followed up on the lead of “Lena,” a mysterious person who claimed affiliation with the group “Guardians of the Peace” and contacted several American media outlets after the Sony attacks. She then demanded “equality” and accused the studio CEO, Michael Lynton, of being a criminal.
According to Kurt Stammberger, “Lena” is a former employee of Sony that worked for the company for 10 years before quitting in May. "This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised.”