No, North Korea Didn’t Hack Sony
|Illustration provided by Riley Porter.|
The FBI and the President may claim that the Hermit Kingdom is to blame for the most high-profile network breach in forever. But almost all signs point in another direction.
By Marc Rogers
So, “The Interview” is to be released after all.
The news that the satirical movie—which revolves around a plot to murder Kim Jong-Un—will have a Christmas Day release as planned, will prompt renewed scrutiny of whether, as the US authorities have officially claimed, the cyber attack on Sony really was the work of an elite group of North Korean government hackers.
All the evidence leads me to believe that the great Sony Pictures hack of 2014 is far more likely to be the work of one disgruntled employee facing a pink slip.
I may be biased, but, as the director of security operations for DEF CON, the world’s largest hacker conference, and the principal security researcher for the world's leading mobile security company, Cloudflare, I think I am worth hearing out.
The FBI was very clear in its press release about who it believed was responsible for the attack: “The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” they said in their December 19 statement, before adding, “the need to protect sensitive sources and methods precludes us from sharing all of this information”.
With that disclaimer in mind, let’s look at the evidence that the FBI are able to tell us about.
The first piece of evidence described in the FBI bulletin refers to the malware found while examining the Sony Picture’s network after the hack.
“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”
So, malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other attacks attributed to North Korea.
This may be the case—but it is not remotely plausible evidence that this attack was therefore orchestrated by North Korea.
The FBI is likely referring to two pieces of malware in particular, Shamoon, which targeted companies in the oil and energy sectors and was discovered in August 2012, and DarkSeoul, which on June 25, 2013, hit South Korea (it was the 63rd anniversary of the start of the Korean War).
Even if these prior attacks were co-ordinated by North Korea—and plenty of security experts including me doubt that—the fact that the same piece of malware appeared in the Sony hack is far from being convincing evidence that the same hackers were responsible. The source code for the original “Shamoon” malware is widely known to have leaked. Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator. Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain “crimeware” kits have been using this model for years.
So the first bit of evidence is weak.
But the second bit of evidence given by the FBI is even more flimsy: