Evidence North Korea Hacked Sony Flimsy
A poster for the movie “The Interview” is taken down by a worker after being pulled from a display case at a Carmike Cinemas movie theater, Wednesday, Dec. 17, 2014, in Atlanta. Georgia-based Carmike Cinemas has decided to cancel its planned showings of “The Interview” in the wake of threats against theatergoers by the Sony hackers. David Goldman/AP
Today Sony canceled the premiere of “The Interview” and its entire Christmas-Day release of the movie because of fears that terrorists might attack theaters showing the film. The actions show just how much power the attackers behind the Sony hack have amassed in a short time.
But who exactly are they? The New York Times reported this evening that North Korea is “centrally involved” in the hack, citing unnamed U.S. intelligence officials.1
It’s unclear from the Times report what “centrally involved” means and whether the intelligence officials are saying the hackers were state-sponsored or actually agents of the state. The Times also notes that “It is not clear how the United States came to its determination that the North Korean regime played a central role in the Sony attacks.” The public evidence pointing at the Hermit Kingdom is flimsy.
Other theories of attribution focus on hacktivists—motivated by ideology, politics or something else—or disgruntled insiders who stole the data on their own or assisted outsiders in gaining access to it. Recently, the finger has pointed at China.
In the service of unraveling the attribution mess, we examined the known evidence for and against North Korea.
Attribution Is Difficult If Not Impossible
First off, we have to say that attribution in breaches is difficult. Assertions about who is behind any attack should be treated with a hefty dose of skepticism. Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.
Nation-state attacks often can be distinguished by their level of sophistication and modus operandi, but attribution is no less difficult. It’s easy for attackers to plant false flags that point to North Korea or another nation as the culprit.
And even when an attack appears to be nation-state, it can be difficult to know if the hackers are mercenaries acting alone or with state sponsorship—some hackers work freelance and get paid by a state only when they get access to an important system or useful intelligence; others work directly for a state or military. Then there are hacktivists, who can be confused with state actors because their geopolitical interests and motives jibe with a state’s interests.
Distinguishing between all of these can be impossible unless you’re an intelligence agency like the NSA, with vast reach into computers around the world, and can uncover evidence about attribution in ways that law enforcement agents legally cannot.
So let’s look at what’s known.
Sony and FBI Deny Connection to North Korea
First of all, Sony and the FBI have announced that they’ve found no evidence so far to tie North Korea to the attack. New reports, however, indicate that intelligence officials who are not permitted to speak on the record have concluded that the North Koreans are behind the hack. But they have provided no evidence to support this and without knowing even what agency the officials belong to, it’s difficult to know what to make of the claim.2
And we should point out that intelligence agencies and government officials have jumped to hasty conclusions or misled the public in the past because it was politically expedient.
Nation-state attacks generally aren’t as noisy, nor do they announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack.
Nor do they use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of GOP have done in media interviews.
Nor do such attacks involve posts of stolen data to Pastebin—the unofficial cloud repository of hackers—where sensitive company files belonging to Sony have been leaked. These are all hallmarks of hacktivists—groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz, or by hackers sympathetic to a political cause.
Despite all of this, media outlets won’t let the North Korea narrative go and don’t seem to want to consider other options. If there’s anything years of Law and Order reruns should tell us, it’s that focusing on a single suspect can lead to exclusionary bias where clues that contradict the favored theory get ignored.
The Interview a Red Herring?
Initial and hasty media reports about the attackers pointed to cyberwarriors from North Korea, bent on seeking revenge for the Sony movie The Interview. This was based on a complaint North Korea made to the United Nations last July about the Seth Rogen and James Franco flick, which was originally slated to be released in October before being changed to Christmas Day.
North Korea’s UN ambassador said the comedy, about a TV host and his producer who get embroiled in an ill-conceived CIA plot to assassinate North Korean President Kim Jong-un, was an act of war that promoted terrorism against North Korea.
“To allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war,” UN ambassador Ja Song Nam wrote the UN secretary general in a letter. “The United States authorities should take immediate and appropriate actions to ban the production and distribution of the aforementioned film; otherwise, it will be fully responsible for encouraging and sponsoring terrorism.”
In other statements, North Korea threatened a “resolute and merciless” response if the U.S. didn’t ban the film. But in their initial public statement, whoever hacked Sony made no mention of North Korea or the film.
And in an email sent to Sony by the hackers, found in documents they leaked, there is also no mention of North Korea or the film. The email was sent to Sony executives on Nov. 21, a few days before the hack went public. Addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, it appears to be an attempt at extortion, not an expression of political outrage or a threat of war.
“[M]onetary compensation we want,” the email read. “Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.”
To make matters confusing, however, the email wasn’t signed by GOP or Guardians of Peace, who have taken credit for the hack, but by “God’s Apstls,” a reference that also appeared in one of the malicious files used in the Sony hack.
A person purporting to be a Guardians of Peace spokesperson then emphasized again, in an interview with CSO Online published Dec. 1, that they are “an international organization … not under direction of any state.” The GOP’s members include, they wrote, “famous figures in the politics and society from several nations such as United States, United Kingdom and France.”
The person also said the Seth Rogen film was not the motive for the hack, but that the film was problematic nonetheless in that it exemplified Sony’s greed and fed political turmoil in the region:
“Our aim is not at the film The Interview as Sony Pictures suggests,” the person told CSO Online. “But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack.
Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.”
It was only on December 8, after a week of media stories connecting North Korea and the Sony film to the hack, that the attackers made their first reference to the film in one of their public announcements. But they continued to trounce the theory that North Korea was behind their actions, and they denied ownership of an email sent to Sony staffers after the hack, threatening them and their families with harm if they didn’t denounce their employer.
At this point, it’s quite possible the media are guilty of inspiring the hackers’ narrative, since it was only after news reports tying the attack to the Sony film that GOP began condemning the movie in public statements. This week the hackers have pounced on that narrative, using it to escalate the stakes by making oblique terrorist threats against the film’s New York premiere and theaters scheduled to screen it Christmas day.
Even if members of GOP lack the means or intent to pull off a terrorist attack on their own, they’ve now created an open invitation for opportunistic attackers to do so in their name—in essence, escalating their crimes and influence to a level no other hackers have achieved to date.
So why do some people continue to claim that North Korea is the culprit? There are two forensic discoveries that fuel this assertion, but they are flimsy.
Evidence: Malicious Files Point to Possible Korean Speakers
Four files that researchers have examined, which appear to be connected to the hack, seem to have been compiled on a machine that was using the Korean language. This refers to the encoding language on a computer; computer users can configure the encoding language so that content on their machine renders in a language they speak. But an attacker can set the language on a compilation machine to any language they want and, researchers note, can even manipulate information about the encoded language after a file is compiled to throw investigators off.
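What the researchers mean by “compiled on a machine using the Korean language” is, in practice, the Windows LANGID stamped on the binary’s resources. As an added example that is not from the article or from the researchers it cites, the Python below walks a raw `.rsrc` section (constructed inline here; a real case would take the section from the binary with a PE parser) and lists the LANGIDs it finds; 0x0412 is Korean. Because the field is just a 16-bit value that the build tools write, it is an indicator, not proof of who wrote the file.

```python
import struct

# Windows primary language identifiers (low 10 bits of a 16-bit LANGID).
# 0x0412 is Korean (ko-KR), 0x0409 is US English, 0x0804 is Simplified Chinese.
PRIMARY_LANG = {0x04: "Chinese", 0x09: "English", 0x11: "Japanese",
                0x12: "Korean", 0x19: "Russian"}
SUBDIR = 0x80000000  # high bit of OffsetToData: entry points to a subdirectory


def lang_name(langid: int) -> str:
    """Map a LANGID to its primary language name ("unknown" if not in our table)."""
    return PRIMARY_LANG.get(langid & 0x3FF, "unknown")


def _entries(rsrc: bytes, dir_off: int):
    """Yield (id, offset, is_subdir) for each entry of the IMAGE_RESOURCE_DIRECTORY
    at dir_off. Offsets are relative to the start of the .rsrc section."""
    if dir_off + 16 > len(rsrc):
        raise ValueError("resource directory header runs past section end")
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    pos = dir_off + 16
    for _ in range(n_named + n_id):
        if pos + 8 > len(rsrc):
            raise ValueError("resource directory entry runs past section end")
        name, data = struct.unpack_from("<II", rsrc, pos)
        yield name & 0x7FFFFFFF, data & 0x7FFFFFFF, bool(data & SUBDIR)
        pos += 8


def resource_langids(rsrc: bytes) -> list:
    """Walk the three-level tree (type -> name -> language) and return the
    sorted set of LANGIDs found. Each value is just a 16-bit field the builder
    wrote; nothing here proves which language the author actually speaks."""
    langs = set()
    for _type, name_dir, is_dir in _entries(rsrc, 0):
        if not is_dir:
            continue
        for _name, lang_dir, is_dir2 in _entries(rsrc, name_dir):
            if not is_dir2:
                continue
            for langid, _data, _ in _entries(rsrc, lang_dir):
                langs.add(langid & 0xFFFF)
    return sorted(langs)


def build_rsrc(langids) -> bytes:
    """Constructed sample (not a real malware section): a minimal .rsrc holding
    one RT_RCDATA (type 10) resource named by id 1, with one data entry per
    LANGID. Layout: type dir @0, name dir @24, language dir @48, then data entries."""
    lang_dir = 48
    data_start = lang_dir + 16 + 8 * len(langids)
    header = "<IIHHHH"  # Characteristics, TimeDateStamp, Major, Minor, nNamed, nId
    out = bytearray()
    out += struct.pack(header, 0, 0, 0, 0, 0, 1) + struct.pack("<II", 10, SUBDIR | 24)
    out += struct.pack(header, 0, 0, 0, 0, 0, 1) + struct.pack("<II", 1, SUBDIR | lang_dir)
    out += struct.pack(header, 0, 0, 0, 0, 0, len(langids))
    for i, lid in enumerate(langids):
        out += struct.pack("<II", lid, data_start + 16 * i)  # leaf: points to data entry
    for _ in langids:
        out += struct.pack("<IIII", 0, 0, 0, 0)  # IMAGE_RESOURCE_DATA_ENTRY (dummy RVA/size)
    return bytes(out)


if __name__ == "__main__":
    sample = build_rsrc([0x0412])  # constructed: resources tagged ko-KR
    for lid in resource_langids(sample):
        print(f"LANGID 0x{lid:04x} -> {lang_name(lid)}")
```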
Evidence: Files Show Up In Other Hacks
The Sony attackers didn’t just siphon data from the studio’s networks, they also used a wiper component to destroy data. To do the wiping, they used a driver from a commercially-available product that had been used by other attackers before. The product, called RawDisk, uses drivers that allow administrators to securely delete data from hard drives or for forensic purposes to access memory.
The same product was used in similarly destructive attacks that hit Saudi Arabia and South Korea. Since some people have claimed those were both nation-state attacks—U.S. officials blamed Iran for the Saudi Arabia attack; South Korea blamed China and North Korea for its attack—people assume the Sony hack is also a nation-state attack. But the evidence pointing to those other attacks as nation-state attacks is also flimsy.
The 2012 attack in Saudi Arabia, dubbed Shamoon, wiped data from about 30,000 computers belonging to Saudi Aramco, the state-owned oil conglomerate. Although U.S. officials blamed Iran for it, researchers found that malware used in the attack contained sloppy code riddled with errors and attributed it to hacktivists with political motives rather than a nation-state.
The malware displayed part of an image of a burning U.S. flag on infected machines before they were wiped. What’s more, a group calling itself the Cutting Sword of Justice took credit for the hack. “This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression,” they wrote in a Pastebin post. “We invite all anti-tyranny hacker groups all over the world to join this movement. We want them to support this movement by designing and performing such operations, if they are against tyranny and oppression.”
That sounds like a call to recruit other like-minded activists who might also be opposed to, say, a “criminal” company like Sony.
Last year, a similarly destructive attack, dubbed Dark Seoul by researchers, struck computers at banks and media companies in South Korea. The attack used a logic bomb, set to go off at a specific time, that wiped computers in a coordinated fashion. The attack wiped the hard drives and master boot records of computers at three banks and two media companies simultaneously, reportedly putting some ATMs out of operation and preventing South Koreans from withdrawing cash from them.
As with the Sony and Saudi Aramco hacks, the attackers used a RawDisk driver for their attack. They also left an image of a skull on the web site of the South Korean president’s office. And an IP address used for one of the attackers’ command-and-control servers matches an IP address the Sony hackers used for one of their command servers.
South Korea alternately blamed North Korea for the attack as well as China—since an IP address in China appeared to be part of the campaign. Officials later retracted the allegations.
The same group behind this attack is said to be behind other attacks in South Korea that occurred on the anniversary of the Korean War.
OK, So Who Hacked Sony?
Regardless of whether the Sony, Saudi Aramco and South Korea attacks are related, the evidence indicating they’re nation-state attacks is circumstantial. And all of the same evidence could easily point to hacktivists. Our money is on the latter.
This is likely a group of various actors who coalesce and disperse, as the Anonymous hackers did, based on their common interests. But even with that said, there is another possibility with regard to the Sony hack: that the studio’s networks weren’t invaded by a single group but by many, some with political interests at heart and others bent on extortion.
Therefore, we can’t rule out the possibility that nation-state attackers were also in Sony’s network or that a nation like North Korea was supportive of some of these hackers, since they shared similar anger over Sony.
Another interesting scenario was recently posited by Deadline, suggesting that China may have initiated a breach at Sony during business negotiations with the studio last year, before handing off control to freelance hackers.
1, 2: Update at 8p.m. 12/18/14: Minutes after we published this story examining the known evidence for and against North Korea as the source of the hack, The New York Times and other media outlets announced that the U.S. administration was ready to conclude North Korea was involved in the Sony hack. We have updated the story with this new information.
http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/
BBC: What is FBI Evidence for North Korea Hack Attack? Evidence Not Fully Laid Out: Iraq’s “Weapons of Mass Destruction”?

The FBI’s analysis has concluded North Korea is to blame for the attack on Sony Pictures – but how can it be sure?
As well as Pyongyang having a motive for taking serious issue with The Interview, there are a couple of pieces of key evidence the US is now using to pin the blame.
However, they’re not without flaws.
As security researcher Brian Honan put it to me earlier: “I still don’t see anything that in a court would convict North Korea beyond reasonable doubt.”
So let’s take a look.
First, the FBI says its analysis spotted distinct similarities between the type of malware used in the Sony Pictures hack and code used in an attack on South Korea last year.
Suspicious, yes, but well short of being a smoking gun. When any malware is discovered, it is shared around many experts for analysis – any attacker could simply reversion the code for their own use, like a cover version of a song.
This has happened in the past – most notably with Stuxnet, a cyber-attack malware believed to have been developed by the US, which was later repurposed by (it is believed) the Russians.
The Chongryon
So we turn to another, better clue: IP addresses – known to be part of “North Korean infrastructure” – formed part of the malware too.

This suggests the attack may have been controlled by people who have acted for North Korea in the past.
But what the FBI is very careful not to say is whether it thinks the attack was controlled from within North Korea itself – although in a press conference President Barack Obama did say there was no indication of another nation state being part of the hacking.
This is an important detail to pick apart.
Experts think it’s unlikely, if indeed it was North Korea, that the country could have acted alone. Unnamed US officials quoted by Reuters said the US was considering that people operating out of China, with its considerable cyber-attack capability, may have been involved.
Security researcher and former journalist Brian Krebs has quoted his own sources as saying Japan may also be in the picture. A piece of research by computer maker HP released this year noted the presence of North Koreans operating in Japan.
“Known as the Chongryon, [they] are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime,” Mr Krebs wrote in a blog post.
‘Off the hook’
Moving on into next year, the attack being attributed to a nation state rather than an independent hacking group is the one glimmer of good news for Sony.
There had been serious and mounting rumblings from both former employees and security analysts saying Sony did not take corporate security seriously enough – but words like “unprecedented” will bolster Sony’s defence that no amount of security would have prevented what happened.

“We have to wait and see what evidence they present later on but often nation states are the easier to blame,” said Marc Rogers, a security researcher for Cloudflare, who is sceptical about the extent of North Korea’s involvement.
“If it is a nation state people shrug their shoulders and say that they couldn’t have stopped it. It lets a lot of people off the hook.”
When the lawsuits come – and at least one has already been filed – Sony’s defence will almost certainly be that it did everything it reasonably could.
Mr Rogers is one of several security experts to question the use of The Interview as the obvious motive for the hack. It was not until the media made the link, Mr Rogers notes, that the hackers started mentioning the film.
Up until that point, it was all about taking on the company, with language that hinted more at a grudge than a political statement.
“When you look at the malware it includes bits and pieces from Sony’s internal network and the whole thing feels more like someone who had an issue with Sony,” Mr Rogers said.
“They were dumping some of the most valuable information right at the start almost as if they wanted to hurt Sony.”
The response
Truth be told, it’s extremely difficult to know for sure who is behind any cyber attack. Equally, it’s hard to prove who isn’t. As well as the evidence cited here, the FBI said “undisclosed intelligence” was the clincher in pinning it to North Korea. We may never know what that information was.
Some suggest that billing North Korea as a cyber villain makes it a convenient foe for the US. Respected technology magazine Wired went as far as drawing a comparison between North Korea’s cyber “capability” and Saddam Hussein’s “weapons of mass destruction”.
As we head into 2015, at least one senior US politician is calling for North Korea to be re-designated as a state sponsor of terrorism.
And with the government declaring it a matter of national security, the next thing for the US is to consider its response.
President Obama said: “We will respond proportionally, and we will respond in a place and time and manner that we choose.”
Follow Dave Lee on Twitter @DaveLeeBBC
DPRK (aka, “North Korea”) Proposes Joint Sony Hack Inquiry with US
North Korea has offered to hold a joint inquiry with the United States into a cyber-attack on Sony Pictures, strongly denying US claims that it is behind it.
Its foreign ministry accused the US of “spreading groundless allegations”, which a joint inquiry would refute.
Without addressing Pyongyang’s idea, a US spokesman insisted North Korea must admit “culpability”.
Sony has cancelled the release of The Interview, which includes plans to kill the fictional Kim Jong-un.
The Interview had been due to open on Christmas Day. However, after anonymous threats against cinemas, Sony said it was considering releasing it “on a different platform”.
The FBI said on Friday that North Korea had carried out last month’s cyber-attack, in which script details and private emails were leaked.
The US defended its findings on Saturday, saying it was confident the North Korean government was “responsible for this destructive attack”.
“If the North Korean government wants to help, they can admit their culpability and compensate Sony for the damages this attack caused,” US National Security spokesman Mark Stroh said.
Dire warning
On Saturday, the North Korean foreign ministry said: “As the United States is spreading groundless allegations and slandering us, we propose a joint investigation with it into this incident.”
“Without resorting to such tortures as were used by the US CIA, we have means to prove that this incident has nothing to do with us.”
The statement said there would be “grave consequences” if the Americans rejected their inquiry proposal.

….

On Friday US President Barack Obama criticised the cancellation, saying he wished Sony executives had spoken to him before cancelling the release.
“We cannot have a society in which some dictator someplace can start imposing censorship,” he said, vowing to “respond” to the cyber-attack in a “manner that we choose”.
Responding to the US president’s comments, Sony Pictures chief executive and chairman Michael Lynton said the studio had not made an error in cancelling the release.
“We have not given in, we have persevered,” he told CNN.

The Interview saga
- 22 November: Sony computer systems hacked, exposing embarrassing emails and personal details about stars
- 7 December: North Korea denies accusations that it is behind the cyber-attack, but praises it as a “righteous deed”
- 16 December: “Guardians of Peace” hacker group threatens 9/11-type attack on cinemas showing film; New York premiere cancelled
- 17 December: Leading US cinema groups say they will not screen film; Sony cancels Christmas-day release
- 19 December: FBI concludes North Korea orchestrated hack; President Obama calls Sony cancellation “a mistake”.

A Sony statement said the decision had been based on “the majority of the nation’s theatre owners choosing not to screen the film”.
“Without theatres, we could not release it in the theatres on Christmas Day. We had no choice,” the statement added.
“It is still our hope that anyone who wants to see this movie will get the opportunity to do so.”
The movie features James Franco and Seth Rogen as two journalists who are granted an audience with Mr Kim.
The CIA then enlists the pair to assassinate him.
The film’s cancelled release drew criticism in Hollywood, with some calling it an attack on the freedom of expression.
….
BBC
Sony Hack: NYT Editors Find New Iraq WMD
One of the items copied was a film produced in Canada that depicts as comedy the terror act of killing a current head of state.
The U.S. State Department applauded that movie scene. But there were tons of other data, like social security numbers, payroll data, and internal emails, stolen, all of which might have been the real target of the hackers.
The tools to hack the company are well known and in the public domain. The company, Sony, had lousy internal network security and had been hacked before.
The hackers probably had some inside knowledge. They used servers in Bolivia, China and South Korea to infiltrate.
There is zero public evidence in the known that the hack was state sponsored.
But the U.S. is claiming that the event is a “national security matter”.
Whose national security? Japan’s? Canada’s?
Why?
A private Japanese entertainment(!) company left the doors open and had some equipment vandalized and some of its private property stolen.
Why, again, is that of U.S. “national interest”? Why would the U.S. even consider some “proportional response“?
The White House is anonymously accusing the state of North Korea of having done the hack. It provides no evidence to support that claim and the government of North Korea denied any involvement.
The FBI and Sony say they have no evidence for such a claim.
Still the New York Times editors eat it all up:
North Korean hackers, seeking revenge for the movie, stole millions of documents, including emails, health records and financial information that they dished out to the world.
How do the editors know that these were “North Korean hackers”? The same way they knew about Iraq’s weapons of mass destruction?
Make believe and anonymous claims by U.S. government officials? Yeah – those folks never lie. Right?
Moon of Alabama
http://www.moonofalabama.org/2014/12/sony-hack-nyt-editors-find-new-iraq-wmd-.html