Stop Saying North Korea Didn't Hack Sony


At this point, anyone who doubts that North Korea helped hack Sony is disagreeing with several top cybersecurity firms and the US intelligence community.


Nevertheless, many smart people are highly skeptical that a tinpot dictatorship with almost no internet connectivity could compromise an American-based subsidiary of a multinational corporation.

The prevailing alternative theories, detailed by oft-cited security researcher Bruce Schneier, include that independent North Korean nationals hacked Sony, that a Sony insider ("Sony's Snowden") did it alone, or that hacktivist pranksters did it for the lulz (i.e., for a bit of sadistic fun).

While all are possibilities, there is no conclusive evidence corroborating any of these theories.

On the other hand, there is a lot of evidence suggesting North Korean involvement.


What We Know

On Nov. 24, 2014, computer screens of Sony employees flashed a warning indicating that the company's computer systems had been compromised and data had been stolen.

Sony's systems were subsequently crippled. A previously unknown group calling itself the Guardians of Peace (GOP) claimed credit for the hack.

Over the next few weeks, all hell broke loose in the entertainment world. Hackers dumped information online and news organizations scrambled to cover every possible angle. Threats of violence against movie theaters led to Sony canceling the Dec. 25 theatrical release of "The Interview," a film in which Seth Rogen and James Franco play talk show hosts enlisted by the CIA to assassinate North Korean leader Kim Jong Un.

(Sony backpedaled by offering the film to independent theaters, and the movie will now be distributed via YouTube.)

American officials concluded that North Korea was "centrally involved," and intelligence officials told The New York Times that the US intelligence community "concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil."


The FBI's public assessment, made with assistance from other intelligence agencies such as the NSA, cited technical analysis of the data-deletion malware, which shared code, encryption algorithms and deletion methods with malware previously developed by North Korean actors, as well as overlap between the infrastructure used in the attack and infrastructure the US government had previously linked to North Korea.

Immediately after the attack, cybersecurity experts began looking at the code and techniques involved in the breach. Kaspersky Lab and other cybersecurity firms found that the malware involved in the Sony incident is a "wiper": it overwrites disk drives and destroys the data on them rather than merely stealing it. Kaspersky dubbed the malware "Destover," noting that similar malware had been used in previous attacks.

Kaspersky researcher Kurt Baumgartner, drawing on the firm's initial investigation, detailed how the Destover malware used in the Sony hack looks a lot like two previous wiper attacks: one called "Shamoon," which destroyed data on some 30,000 Saudi Aramco workstations in 2012, and another called "Dark Seoul," which hit South Korean banks and two of the country's top broadcasters the following year.

Furthermore, Kaspersky notes that the defacement placed on Sony employee computers is similar to the warning message in the "Dark Seoul" attack, even down to the skull icons.

An assessment by HP published on Dec. 19 detailed how "several factors support that North Korea played a role in the attacks."


HP noted that "it is difficult to discern whether the regime acted alone. It is plausible that the actors responsible for this attack relied on the assistance of an insider."

Jason Lancaster, senior threat intelligence analyst at HP, told Business Insider that "the system that was used by the author of the malware used in the Sony case was compiled on a Windows system with a Korean language set, specifying its keyboard. ... So the keyboard for the system that was used to compile this malware ... was done in the same way as other malware associated to it."

Brian Krebs of Krebs on Security noted that, as with Dark Seoul, "the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack."
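The two build-environment indicators quoted above (a compile timestamp that falls inside a short window before the attack, and a resource directory whose entries carry a Korean language ID) can both be read straight from a PE header. The following is an added example written for this page, not code from Kaspersky, HP or Krebs: it parses the COFF TimeDateStamp, walks the three-level resource tree to collect language IDs, and builds a constructed minimal PE32 image (not the Sony malware) to run against. The attack reference date is the Nov. 24 defacement from the article; the 48-hour window and the 0x0412 (ko-KR) language ID are the values the quotes describe.

```python
"""Header-level PE triage: compile timestamp versus attack date, and
resource-directory language IDs (the locale the build system was set to).
Added example for this page; standard library only. build_sample_pe()
returns constructed test data, not a real binary."""
import struct
from datetime import datetime, timedelta, timezone

LANG_KOREAN = 0x0412      # ko-KR language ID
LANG_ENGLISH_US = 0x0409  # en-US
RT_VERSION = 16           # resource type of VS_VERSIONINFO
# Day the defacement appeared on Sony screens; used as the reference point.
ATTACK_TIME = datetime(2014, 11, 24, tzinfo=timezone.utc)


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def parse_headers(data):
    """Return the COFF timestamp, resource-table RVA and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = _u32(data, 0x3C)                    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    opt = coff + 20
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+.
    dd = opt + (96 if _u16(data, opt) == 0x10B else 112)
    sections, first = [], opt + _u16(data, coff + 16)
    for i in range(_u16(data, coff + 2)):   # NumberOfSections
        s = first + i * 40
        sections.append({"rva": _u32(data, s + 12), "vsize": _u32(data, s + 8),
                         "raw_size": _u32(data, s + 16), "raw_ptr": _u32(data, s + 20)})
    return {"timestamp": _u32(data, coff + 4),
            "rsrc_rva": _u32(data, dd + 2 * 8),  # directory entry 2 = resources
            "sections": sections}


def rva_to_offset(sections, rva):
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return rva - s["rva"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def compile_time(data):
    return datetime.fromtimestamp(parse_headers(data)["timestamp"], tz=timezone.utc)


def compiled_within_window(data, attack_time=ATTACK_TIME, hours=48):
    """True if the binary was built within `hours` before the attack."""
    age = attack_time - compile_time(data)
    return timedelta(0) <= age <= timedelta(hours=hours)


def resource_language_ids(data):
    """Walk the type / name / language resource tree; return the language IDs."""
    hdr = parse_headers(data)
    if not hdr["rsrc_rva"]:
        return []
    base = rva_to_offset(hdr["sections"], hdr["rsrc_rva"])
    langs = set()

    def walk(d, depth):
        count = _u16(data, d + 12) + _u16(data, d + 14)  # named + ID entries
        for i in range(count):
            ident, target = _u32(data, d + 16 + i * 8), _u32(data, d + 20 + i * 8)
            if depth == 2:                 # third level: the ID is the language
                langs.add(ident & 0xFFFF)
            elif target & 0x80000000:      # high bit: points to a subdirectory
                walk(base + (target & 0x7FFFFFFF), depth + 1)

    walk(base, 0)
    return sorted(langs)


def build_sample_pe(hours_before_attack, lang_id):
    """Constructed minimal PE32: one .rsrc section, one RT_VERSION resource
    tagged lang_id, TimeDateStamp set hours_before_attack before ATTACK_TIME."""
    rsrc_rva, rsrc_raw = 0x2000, 0x200
    ts = int((ATTACK_TIME - timedelta(hours=hours_before_attack)).timestamp())

    def directory(entry_id, target):   # one-entry IMAGE_RESOURCE_DIRECTORY
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", entry_id, target)

    rsrc = (directory(RT_VERSION, 0x80000000 | 0x18)  # root -> type dir at 0x18
            + directory(1, 0x80000000 | 0x30)         # type -> name dir at 0x30
            + directory(lang_id, 0x48)                # name -> data entry at 0x48
            + struct.pack("<IIII", rsrc_rva + 0x58, 4, 0, 0) + b"\0" * 4)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rsrc))
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, 0x200,
                       rsrc_raw, 0, 0, 0, 0, 0x40000040)
    head = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return head + b"\0" * (rsrc_raw - len(head)) + rsrc + b"\0" * (0x200 - len(rsrc))
```

Both fields are attacker-controlled build artifacts: a TimeDateStamp can be zeroed or forged, and a language ID only records a build setting, which is why the analysts quoted here weigh them alongside code reuse and infrastructure overlap rather than on their own.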

And CrowdStrike, a security firm that focuses heavily on attributing major cyberattacks to specific actors, had independently concluded that North Korea orchestrated the hack before the FBI officially blamed Pyongyang.

"We have high confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and US government and military institutions," said Dmitri Alperovitch, chief technology officer and co-founder at CrowdStrike.


"These events are all connected, through both the infrastructure overlap and the malware analysis, and they are connected to the Sony attack," Alperovitch added. "We haven't seen the skeptics produce any evidence that it wasn't North Korea, because there is pretty good technical attribution here."

Despite these assertions from experts and officials in the know, frank skepticism persists:

"I worry that this case echoes the 'we have evidence - trust us' story that the Bush administration told in the run-up to the Iraq invasion," Schneier writes.

As skeptics come to terms with the evidence pointing to North Korea, which may have had help from other groups, statements like these will not age well.

Armin Rosen contributed to this report.
