The undisclosed evidence better be good

Yesterday I noted that it’s still not clear to a lot of observers that North Korea is actually behind the Sony Pictures hack. Around the time I was writing that post, the FBI was releasing a statement definitively laying responsibility for the hack at Pyongyang’s door. Here’s their case:

As a result of our investigation, and in close collaboration with other U.S. Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

– Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

– The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. Government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

– Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
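To make the first two FBI bullets concrete, here is an added Python example (not from the FBI statement, the BBC piece, or this post): it pulls hardcoded IPv4 strings out of a sample's data, checks them against a list of previously linked infrastructure, and measures how many printable strings two samples share, which is a crude stand-in for "similarities in specific lines of code". Every byte string, address and "known infrastructure" entry is a constructed placeholder in TEST-NET ranges, not an indicator from the Sony case.

```python
# Added example: toy versions of two attribution indicators (hardcoded IPs vs
# known infrastructure; shared strings between samples). All sample bytes,
# addresses and the "known infrastructure" set are constructed stand-ins.
from __future__ import annotations

import ipaddress
import re

# Constructed stand-ins for the data sections of two wiper samples.
WIPER_A = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"connect 203.0.113.25:8080\x00"      # hardcoded C2 address
    b"fallback 198.51.100.7\x00"          # second hardcoded address
    b"ProductVersion 1.2.3.4\x00"         # looks like an IP, is a version string
    b"\\\\.\\PhysicalDrive0\x00"          # raw-disk handle typical of MBR wipers
    b"wipe_mbr_then_reboot\x00"
    b"\x7f\x00\x00\x00"
    b"999.1.1.1\x00"                      # not a valid IPv4 address
)
WIPER_B = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"connect 203.0.113.40:443\x00"
    b"\\\\.\\PhysicalDrive0\x00"
    b"wipe_mbr_then_reboot\x00"
    b"greetings_from_elsewhere\x00"
)

# Constructed "previously linked" infrastructure list.
KNOWN_INFRA = {"203.0.113.25", "203.0.113.40", "192.0.2.9"}

# A dotted quad that is not embedded in a longer run of digits and dots.
IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Rough equivalent of `strings -n 6`.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_ipv4(blob: bytes) -> list[str]:
    """Return the distinct, syntactically valid IPv4 addresses hardcoded in blob.

    Version strings such as 1.2.3.4 survive this filter; an analyst has to
    weed those out by context, which is one reason raw IP lists overstate.
    """
    found = set()
    for m in IPV4_RE.finditer(blob):
        try:
            ip = ipaddress.IPv4Address(m.group(1).decode("ascii"))
        except ValueError:  # e.g. 999.1.1.1
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        found.add(str(ip))
    return sorted(found)


def infrastructure_overlap(blob: bytes, known: set[str]) -> dict:
    """Compare a sample's hardcoded addresses with a known-infrastructure set."""
    ips = extract_ipv4(blob)
    hits = sorted(set(ips) & known)
    return {
        "hardcoded": ips,
        "overlap": hits,
        "ratio": len(hits) / len(ips) if ips else 0.0,
    }


def printable_strings(blob: bytes) -> set[str]:
    """Distinct printable ASCII strings of at least six characters."""
    return {s.decode("ascii") for s in PRINTABLE_RE.findall(blob)}


def string_overlap(a: bytes, b: bytes) -> tuple[float, list[str]]:
    """Jaccard similarity of two samples' string sets, plus the shared strings."""
    sa, sb = printable_strings(a), printable_strings(b)
    shared = sa & sb
    union = sa | sb
    return (len(shared) / len(union) if union else 0.0), sorted(shared)


if __name__ == "__main__":
    print(infrastructure_overlap(WIPER_A, KNOWN_INFRA))
    print(infrastructure_overlap(WIPER_B, KNOWN_INFRA))
    print(string_overlap(WIPER_A, WIPER_B))
```

Both measures are cheap to compute and just as cheap for a copycat to reproduce: anyone who obtains a sample can reuse its strings and its addresses, and a shared address only tells you that two samples talked to the same host, not who was sitting behind it. That is why these indicators are corroboration rather than proof on their own.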

All I’m saying is that the stuff the FBI didn’t share must be airtight, because what they did share is pretty weak sauce for criminal work. But don’t take my word for it:

As security researcher Brian Honan put it to me earlier: “I still don’t see anything that in a court would convict North Korea beyond reasonable doubt.”

First, the FBI says its analysis spotted distinct similarities between the type of malware used in the Sony Pictures hack and code used in an attack on South Korea last year.

Suspicious, yes, but well short of being a smoking gun. When any malware is discovered, it is shared around many experts for analysis – any attacker could simply reversion the code for their own use, like a cover version of a song.

This has happened in the past – most notably with Stuxnet, a cyber-attack malware believed to have been developed by the US, which was later repurposed by (it is believed) the Russians.

So we turn to another, better clue: IP addresses – known to be part of “North Korean infrastructure” – formed part of the malware too.

This suggests the attack may have been controlled by people who have acted for North Korea in the past.

But what the FBI is very careful not to say is whether it thinks the attack was controlled from within North Korea itself – although in a press conference President Barack Obama did say there was no indication of another nation state being part of the hacking.

The FBI’s case, at least what they’re willing to reveal publicly, boils down to similarities between the code used in this hack and in previous hacks known to have originated from North Korea, and the use of North Korean infrastructure. But the code could easily have been copied by another actor and the infrastructure could be accessed remotely, so neither of these things is real proof. The thread that ties it up is motive; we know the DPRK was mad about “The Interview,” and the hackers made that film the centerpiece of their demands, ergo it was North Korea. Except the hackers didn’t say a word about “The Interview” for two weeks, and only latched on to it as their cause after the media brought it up:

Mr Rogers is one of several security experts to question the use of The Interview as the obvious motive for the hack. It was not until the media made the link, Mr Rogers notes, that the hackers started mentioning the film.

Up until that point, it was all about taking on the company, with language that hinted more at a grudge than a political statement.

“When you look at the malware it includes bits and pieces from Sony’s internal network and the whole thing feels more like someone who had an issue with Sony,” Mr Rogers said.

“They were dumping some of the most valuable information right at the start almost as if they wanted to hurt Sony.”

There better be some real smoking cyber-gun in whatever the FBI isn’t telling us, because this stuff is all circumstantial and run through with holes. It also doesn’t rise to the standard of cyberterrorism or cyberwarfare, at least not according to the most commonly used definitions (although there might be an argument to be made that those definitions are antiquated).
