The evidence linking agents of the Democratic People's Republic of Korea to the recent digital implosion of Sony remains vague. And even though the feds are squarely blaming North Korea, many security experts aren't buying it.
Long before the FBI made it official, North Korean blame for the attack against Sony was taken as a given. Even if the best reason to credit Kim Jong-Un's goons was because it just sort of feels right and Hey, that movie is about North Korea, most people following the story—both in and out of the media—ran with the story. It happens to be a very politically convenient story, featuring the world's favorite cartoon henchman at the lead.
But independent, skeptical security experts have been poking holes in this theory for days now. Evidence provided by the FBI last week in an official accusation against the North Korean government was really more of a reference to evidence—all we got were bullet points, most of them rehashing earlier clues. It still doesn't seem like enough to definitively pin the attacks to North Korea.
But the weightiest rebuttal of the case against North Korea has come from renowned hacker, DEFCON organizer, and CloudFlare researcher Marc Rogers, who makes a compelling case of his own. Highlights below:
The broken English looks deliberately bad and doesn't exhibit any of the classic comprehension mistakes you actually expect to see in "Konglish". i.e. it reads to me like an English speaker pretending to be bad at writing English.
It's clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony's internal architecture and access to key passwords. While it's plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam's razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.
Furthermore, "The attackers only latched onto 'The Interview' after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK 'might be linked' that suddenly it became linked."
What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.
The IP address is never what is interesting. It's what's running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.
So where does that leave us? Well essentially it leaves us exactly where we were when we started. We don't have any solid evidence that implicates North Korea, while at the same time we don't have enough evidence to rule North Korea out. However, when you take into consideration the fact that the attackers, GOP, have now released a message saying that Sony can show "the Interview" after all, I find myself returning to my earlier instincts – this is the work of someone or someones with a grudge against Sony and the whole "Interview" angle was just a mixture of opportunity and "lulz".
But in their initial public statement, whoever hacked Sony made no mention of North Korea or the film. And in an email sent to Sony by the hackers, found in documents they leaked, there is also no mention of North Korea or the film. The email was sent to Sony executives on Nov. 21, a few days before the hack went public. Addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, it appears to be an attempt at extortion, not an expression of political outrage or a threat of war.
"[M]onetary compensation we want," the email read. "Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You'd better behave wisely."
First, the "evidence" is of the most conclusory nature – it is really just unconfirmed statements by the USG. Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea. We know nothing about the attribution veracity of those prior attacks. Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack. For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – "specific lines of code, encryption algorithms, data deletion methods, and compromised networks," and similarities in the "infrastructure" and "tools" of prior attacks – to spoof the North Koreans in the Sony hack.
Third, the most significant line in the FBI statement is this: "While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following." Let us assume that the United States has a lot of other evidence, including human or electronic intelligence from inside Korea, that corroborates its attribution conclusion. This might give the USG confidence in the attribution and might support the legality of a proportionate response. But if protection of "sources and methods" prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response on North Korea is justified. (Compare Adlai Stevenson and Colin Powell before the United Nations.)
Reporter Thomas Fox-Brewster tells me he was contacted by firstname.lastname@example.org, one of the hacker email addresses listed in the original leak of Sony files. When he tweeted part of an email he says he received from this account, his followers were dubious:
@iblametom looks like a poor machine translation. Looks like google translate of "all hail glorious kim jong-un"
— sung ho choi (@choisungho) December 9, 2014
— Jeremy Bae (@opt9) December 4, 2014
Also, "North Korean Hacking Team"? C'mon.
To handle this sophisticated media / Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and western culture. This would be someone quite senior and skilled. That is, I can't see DPRK putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value for DPRK.
At the website of Virginia-based security consultancy Risk Based Security, there's an impressively thorough rundown of the whole Sony saga, from day one. The most recent conclusions are unimpressed by the North Korean attribution, too:
One point that can't be said enough is that "attribution is hard" given the nature of computer intrusions and how hard it is to ultimately trace an attack back to a given individual or group. Past attacks on Sony have not been solved, even years later. The idea that a mere two weeks into the investigation and there is positive attribution, enough to call this an act of war, seems dangerous and questionable.
At this point, it certainly could be North Korea. Or China. Or a group of people with no political affiliation, laughing at their tricks that have thrown the rest of society for a loop. As we have said before, it would be best if we reserve judgement until there is a documented forensic trail that truly establishes some level of attribution with certainty.
So far, the information that's come out has pointed the finger at North Korean proxy groups, but it's been context based. It wouldn't meet the level needed in a court of law. The context combines the fact that they're pissed about this movie, and certain techniques in it are similar to what has been used in other attacks linked not definitively to North Korea. It's enough for most people to talk about [it being from North Korea], at least.
We want to keep talking about a perpetrator, because unlike the film that's been sucked into the center of this, Sony's mess is a deeply interesting story. Stories need endings, and this one is fascinating, mammoth, and unprecedented. But if we're going to also insist on employing turkey jargon ("CYBER TERROR!") and saber rattling, let's at least make sure we're rattling in the right direction first.