Advice from a Real Hacker: Why I'm Skeptical That North Korea Hacked Sony
Seldom in recent history has a cyber security event caused so much media stir (maybe because it happened to a media company?) and international relations upheaval. Cyber security breaches seem to take place daily of major corporations, but the Sony hack seems to have captured the American imagination and, for that matter, the whole world's attention.
Maybe it was the salacious details in the released emails of the interaction between the studio and its stars. Or, maybe it was the American public's feelings of being wronged by a petty dictator. Whatever the reason, the Sony hack has captured the fancy and attention of the public like none other.
Soon after the hack, the FBI "conclusively" determined that the attack came from North Koreans and reported to the President and the American public as such. For my part, I have many reservations about that conclusion.
Last week, I wrote about my observations on the Sony hack, and in that article, I simply recounted the thoughts that had bounced around my head. Now that I have had more time to examine the evidence and congeal my assessment, I feel compelled to tell you that I have serious doubts that this hack was committed by North Korea. Probably, more accurately, I have serious doubts that the evidence the FBI has cited points to North Korea.
Let me tell you why.
The hacker group, "Guardians of Peace," made no reference to the movie The Interview or North Korea, initially. Only after the media began to speculate that the motive of the attacker was regarding the movie did the hackers mention it. It appears that the attackers were happy to deflect the investigation away from themselves.
If you were the hacker and everyone wanted to blame North Korea instead of you, wouldn't you be smart to run with that scenario?
As I mentioned in my earlier article, in most of these types of cases, the fingerprint of the hacker is found through examining the malware. This "fingerprint" is only circumstantial evidence, meaning that it is far from conclusive, but it can infer the identity of the attacker. It examines the pieces and modules of the malware and attempts to trace it backward to the perpetrator. In essence, it looks for re-used code and who may have used it in the past to infer who last used it. Imperfect at best, inconclusive at worst.
According to the FBI report:
"Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
"Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea."
The modules that the FBI cites in their report could have been used by anyone. They cite the use of the Shamoon attack that was used against Saudi Arabia in 2012 and South Korea in 2013 and has been available on the malware black market to any hacker for the last two years. Just because a piece of malware was used in similar hacks, it in no way means that the attackers were the same. Any hacker could have acquired this malware in the last two years and used it in this security breach at Sony.
The FBI cites cites numerous IP addresses that the attackers used in their attacks on Sony. They note that other attacks that have been traced back to North Korea also have used these same IP addresses. When one examines these IP addresses, you find that they are the IP addresses of well-used proxies that many attackers use.
From the FBI report:
"The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack."
They cite several IP addresses that the attackers used. These include:
- 126.96.36.199 in Thailand
- 188.8.131.52 in Poland
- 184.108.40.206 in Italy
- 220.127.116.11 in Bolivia
- 18.104.22.168 in Singapore
- 22.214.171.124 in Cyprus
These IP addresses belong to well-known proxies (as discussed in this article) that any attacker could and will use to attack a target. Far from conclusive evidence that North Korea was involved.
In my earlier article, I puzzled over the speed by which the attackers were able to transfer 100TB of data. Given the poor Internet architecture of North Korea, such a download would have taken weeks. One has to conclude that the attack took place from a location outside of North Korea.
Even if the attack originated from outside of North Korea, moving 100TB is no trivial task. If you've ever downloaded a large file, say a 2GB movie or 4GB operating system, you know that it can take hours. Now, imagine moving files 5,000 times larger! Either the hacker had a very high-speed connection to Sony, the Sony security apparatus was asleep at the wheel, or the hack was an inside job.
The cyber security firm, Taia Global based in Israel, conducted a linguistic analysis of the attackers language and syntax. Often, when one language is translated to another, the translator will use syntax and constructs that are part of their native language, but not in the target language. That is why poor translations can sound so stilted. This can provide clues as to the language of the original document or the translator or both.
Taia reportedly tested the translations for clues from the following languages:
They concluded that translation was not from an original written in Korean, but most probably, Russian.
Another cyber security firm, Norse, has done an investigation based upon Sony's employee records that were released by the hackers. Norse used some good old detective work to scan the leaked documents and search for employees who might have had motive to hack Sony, access to the system, and technical expertise to pull it off.
After reviewing these records, they claim that they have identified six individuals whom they think might have been involved in the hack. The individuals identified were based in the U.S., Canada, Thailand, and Singapore. One of these employees, code named Leena, was laid off in May and was involved a technical role with Sony before being let go.
Several of these employees expressed resentment on social media toward Sony for their dismissal. The Daily Caller reported:
"After examining intercepted communications of other individuals engaged in contact with hacker and hacktivist groups in Europe and Asia (where the Sony hack was routed through), Norse connected one of those individuals with the Sony employee on a server that featured the earliest-known version of the malware used against Sony."
For all of the reasons above, I am very skeptical of the conclusion that North Korea hacked Sony. All of the evidence cited by the FBI is inconclusive and cannot be used to point the finger to any one nation or individual. Some of the evidence cited by the FBI is sophomoric—even laughably so—as a grounds for pointing a finger at North Korea. I do, however, withhold judgement as they or the NSA may have evidence that they are not sharing, but what they are sharing is inconclusive, at best.