Stop Saying North Korea Didn't Hack Sony

Michael B Kelley   

[Photo: REUTERS/KCNA] Kim Jong Un gives field guidance during a visit to the Pyongyang Catfish Farm in this undated photo released by North Korea's Korean Central News Agency (KCNA) in Pyongyang December 23, 2014.

At this point, anyone who doubts that North Korea helped hack Sony is disagreeing with top cybersecurity experts in the world and the US intelligence community.

Nevertheless, many smart people are highly skeptical that a tinpot dictatorship with almost no internet connectivity could compromise an American-based subsidiary of a multinational corporation.

The prevailing alternative theories - detailed by oft-cited security researcher Bruce Schneier - include that independent North Korean nationals hacked Sony, that a Sony insider ("Sony's Snowden") did it on their own, or that hacktivist pranksters did it for the lulz (i.e., for a good bit of sadistic fun).

While all of these are possibilities, there is no conclusive evidence corroborating any of these theories.

On the other hand, there is plenty of evidence suggesting North Korean involvement.

What We Know

On Nov. 22, computer screens of Sony employees flashed a warning indicating the company's computer systems had been compromised and data had been stolen.

Sony's systems were subsequently crippled. An unknown group calling itself GOP claimed credit for the hack.

[Image: GOP] The initial warning left on Sony computers by hackers.

Over the next few weeks, all hell broke loose in the entertainment world. Hackers dumped information online and news organizations scrambled to cover every possible angle. Threats of violence against movie theaters led to Sony canceling the Dec. 25 theatrical release of "The Interview," a film in which Seth Rogen and James Franco play talk show hosts enlisted by the CIA to assassinate North Korean leader Kim Jong Un.

(Sony backpedaled by offering the film to independent theaters, and the movie will now be distributed via YouTube.)

American officials concluded that North Korea was "centrally involved," and intelligence officials told The New York Times that the US intelligence community "concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil."

The FBI's public assessment, undertaken with assistance from other intelligence services, cited technical analysis of the code and overlap of techniques used in previous attacks of this kind.

Immediately after the attack, cybersecurity experts began looking at the code and techniques involved in the breach. Kaspersky Lab and other cybersecurity firms found that the malware involved in the Sony incident is capable of wiping disk drives and other data. Kaspersky dubbed the malware "Destover," noting that similar malware had been used in previous attacks.

Computer researcher Kurt Baumgartner, drawing on Kaspersky's initial investigation, detailed how the Destover malware used in the Sony hack looks a lot like two previous "wiper" attacks: one called "Shamoon," which targeted 30,000 Saudi Aramco workstations in 2012, and another called "Dark Seoul," which targeted South Korean banks and two of the country's top broadcasters the following year.

[Image] The warning left on South Korean computers during the "Dark Seoul" attack.

Furthermore, Kaspersky notes that the defacement placed on Sony employee computers is similar to the warning message in the "Dark Seoul" attack, even down to the skull icons.

An assessment by HP published on Dec. 19 detailed how "several factors support that North Korea played a role in the attacks."

HP noted that "it is difficult to discern whether the regime acted alone. It is plausible that the actors responsible for this attack relied on the assistance of an insider."

Jason Lancaster, senior threat intelligence analyst at HP, noted to Business Insider that "the system that was used by the author of the malware used in the Sony case was compiled on a Windows system with a Korean language set, specifying its keyboard. ... So the keyboard for the system that was used to compile this malware ... was done in the same way as other malware associated to it."
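The locale artifact Lancaster describes is visible in a compiled binary's resource directory: every resource in a Windows PE file is tagged with a LANGID, and a build on a Korean-locale system stamps 0x0412 (ko-KR). The walker below is an added illustration, not code from the article or from HP or Kaspersky; the .rsrc blob it parses is constructed inline rather than taken from any real sample, and the language tag is a single indicator that an author can set to anything, so analysts weigh it alongside code and infrastructure overlap rather than on its own.

```python
import struct

LANG_KOREAN = 0x12   # primary language: low 10 bits of a Windows LANGID (0x0412 = ko-KR)
RT_VERSION = 16      # resource type ID for VS_VERSION_INFO

def walk_resource_dir(blob, offset=0, path=()):
    """Yield the (type, name, language) tuple of every leaf in an
    IMAGE_RESOURCE_DIRECTORY tree. Name fields with the high bit set refer
    to string names and are kept raw; leaf names are LANGIDs."""
    # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor,
    # NumberOfNamedEntries, NumberOfIdEntries (16 bytes), then 8-byte entries.
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", blob, offset)
    entry_off = offset + 16
    for _ in range(n_named + n_id):
        name, data_off = struct.unpack_from("<II", blob, entry_off)
        entry_off += 8
        if data_off & 0x80000000:      # high bit set: offset to a subdirectory
            yield from walk_resource_dir(blob, data_off & 0x7FFFFFFF, path + (name,))
        else:                          # otherwise it points at a data entry (leaf)
            yield path + (name,)

def resource_languages(blob):
    """Set of LANGIDs found at the third (language) level of the tree."""
    return {leaf[2] & 0xFFFF for leaf in walk_resource_dir(blob) if len(leaf) == 3}

def has_korean_resources(blob):
    """True if any resource carries a Korean primary language ID."""
    return any(lang & 0x3FF == LANG_KOREAN for lang in resource_languages(blob))

def build_sample_rsrc(lang_id):
    """Constructed three-level .rsrc blob: one RT_VERSION resource, name ID 1,
    tagged with lang_id. Offsets are relative to the start of the blob."""
    def directory(entry_id, target, is_dir):
        header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)   # one ID entry
        entry = struct.pack("<II", entry_id, target | (0x80000000 if is_dir else 0))
        return header + entry
    root = directory(RT_VERSION, 24, True)     # type level   -> dir at 24
    names = directory(1, 48, True)             # name level   -> dir at 48
    langs = directory(lang_id, 72, False)      # lang level   -> data entry at 72
    data_entry = struct.pack("<IIII", 0, 0, 0, 0)   # IMAGE_RESOURCE_DATA_ENTRY stub
    return root + names + langs + data_entry

if __name__ == "__main__":
    for lang in (0x0412, 0x0409):
        print(hex(lang), "korean" if has_korean_resources(build_sample_rsrc(lang)) else "other")
```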

Investigative journalists at Krebs on Security noted on Dec. 14 that CrowdStrike, a security firm that focuses heavily on identifying attribution and actors behind major cybercrime attacks, had independently concluded that North Korea orchestrated the hack before the FBI officially blamed Pyongyang.

"We have high confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and US government and military institutions," said Dmitri Alperovitch, chief technology officer and co-founder at CrowdStrike.

"These events are all connected, through both the infrastructure overlap and the malware analysis, and they are connected to the Sony attack," Alperovitch added. "We haven't seen the skeptics produce any evidence that it wasn't North Korea, because there is pretty good technical attribution here."

Despite these assertions from experts and officials in the know, the frank skepticism persists:

"I worry that this case echoes the 'we have evidence - trust us' story that the Bush administration told in the run-up to the Iraq invasion," Schneier writes.

As skeptics come to terms with the evidence pointing to North Korea, which may have had help from other groups, statements like these will not age well.

Armin Rosen contributed to this report.

UPDATE: CBS reports that cybersecurity firm Norse says Sony "was essentially nuked from the inside" and that it wasn't North Korea.

"We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history," Kurt Stammberger, a senior vice president with cybersecurity firm Norse, told CBS.
