Breach, Data Security, Incident Response, Network Security, TDR

FBI shares info on Sony hack, but doubt in N. Korea theory lingers

This week, FBI director James Comey offered new information on the Sony Pictures hack in hopes of easing public doubts about the bureau's claim that North Korea was behind the attack. But many security pros remain wary, saying available intel leaves too fuzzy a picture for attribution.

On Wednesday, Comey spoke at the International Conference on Cyber Security in New York, which was held at Fordham University. His remarks (published in full here) were essentially that, naysayers who “suggested that we [the FBI] have it wrong,” are the mistaken party.

“They don't have the facts that I have, don't see what I see, but there are a couple of things that I have urged the intelligence community to declassify…” Comey said in his speech, before offering up the findings.

According to the agency, the attackers who targeted Sony, called the Guardians of Peace (GOP), failed “several times” to use proxy servers that would have disguised their IP addresses (which were “exclusively used by the North Koreans”) when sending threatening emails to Sony employees and posting online messages.

“It was a mistake by them that we haven't told you about before that was a very clear indication [of] who was doing this,” Comey said. “They would shut if off very quickly once they realized the mistake, but not before we saw them and knew where it was coming from.”

He later added that spear phishing emails sent to Sony employees as late as September of 2014 appeared to be the “likely vector for the entry into Sony.”

After Comey's remarks went viral, security experts immediately took to social media to weigh in on the details. Errata Security CEO Robert Graham, for instance, called attention to the “fallibility of IP addresses,” when using them as proof for attack attribution.

While Comey said the FBI also used a “range of other sources and methods,” (which it will continue to protect) to make its case that North Korea was the perpetrator in the Sony attack – many security practitioners believe that evidence isn't yet strong enough to definitively name a culprit.

In an interview with SCMagazine.com, Christopher Budd, Trend Micro's global threat communications manager, emphasized that “good attribution never rests on a single piece of evidence, but on a number of factors that come together to make a complete picture.”

Back in December, Trend Micro analyzed wiper malware that it believed was used in the Sony attack. To date, the firm has confirmed “similarities in the Sony and the Dark Seoul attacks” which hit South Korea in 2013, based on the wiper capabilities of the malware, Budd said. But the company never firmly attributed the attacks to North Korea, though there was speculation at the time that the country was a suspect.

It's worth noting too that some researchers have determined Sony hackers used Korean language settings on systems used to compile their malware – a finding that could just as easily point to the purposeful acts of crafty attackers actually operating elsewhere.

On the FBI's recent argument that IP addresses link the Sony attack to North Korean hackers, Budd said that it is unusual for skilled attackers to not use proxy servers to cover their tracks, but that the “evidence” immediately begs the question: “Was that a mistake or intentional?” 

Despite skepticism within the security community over the North Korea theory, there remains some division on the subject, with a cohort of experts saying the major hack likely emanated from the country.

In a SCMagazine.com poll, which readers voted in since Monday, around 36 percent of participants believed (as of Friday) that North Korea was, in fact, behind the Sony Pictures hack.

Last month, Avivah Litan, vice president and distinguished analyst at research firm Gartner, told SCMagazine.com that data-wiping code hitting a U.S. company demonstrated an ongoing collaboration between North Korean hackers and attackers in Eastern Europe. In a follow up interview this week, Litan said that the Sony attackers are either directly or indirectly working for the North Korean government.

“Remember, North Korea pretty much owns its citizens…so it's hard to distinguish between the government and an average citizen of North Korea,” she said, adding that even the country's internet service provider, Star Joint Ventures, is state-run.

What's interesting about the Sony incident, if one follows the path of the North Korea theory, is that certain indicators typically associated with nation-state attacks, like saboteurs' motivations, don't match up here.

Litan said that the motivation of nation-state actors is usually to disable vital operations, whether critical infrastructure, financial services, or otherwise.

“To me, [the Sony hack] was a political statement [and] it was for pure revenge,” Litan said, offering that the current outcome of the attack seemed to fall in line with hacktivist or cyber espionage attacker motivations.

Trend Micro's Budd offered that Sony attackers' exploits, so far, equated to “cyber vandalism.”

“Sony networks have come down, a ton of information has been released that ends up being really embarrassing, but what they've done has not been targeted in terms of damage,” Budd said.

“What makes this case interesting, is potentially a place where the two things we tend to conflate, don't conflate,” he later said of the government's North Korea claims. “If it was a nation-state, they may not be doing the attack for the typical motivations. Hacktivists, in what they accomplish and do, tend to [engage] more along the lines of vandalism. Or [this is] just a new approach,” Budd offered. 

Bruce Schneier, an industry vet and CTO of Co3 Systems, told SCMagazine.com that the attribution game occurring in the aftermath of the Sony Pictures attack is illustrative of issues the industry will continue to face.

“I think the [takeaway] is, that this type of world is here to stay,” Schneier said. “We are not used to living in a world where you can't tell the difference between a couple of guys and the government of North Korea. When you can't tell the difference, stuff is really, really weird.”

Stating that the FBI's recently declassified information ” of North Korea's involvement was “very, very squirrely,” Schneier also said that “all of that [FBI] evidence will never see the light of day because it reveals source and methods,” of the attackers.

He also said that, currently, the Sony Pictures evidence “points in the direction of whatever narrative you have.”

“If you have the insider narrative, the North Korea narrative, the hacktivist narrative – there's all this pseudo-evidence and none of it is conclusive,” Schneier said.

In an essay published in Time this week, Schneier called for the government to show evidence that North Korea hacked Sony, noting that “in cyberspace, it is much easier to attack than to defend,” and that counterattack (and the threat of it) is the “primary defense we have against military attacks in cyberspace…”

After the FBI announced in December that North Korea was responsible for the Sony Pictures attack, President Obama acted quickly, imposing additional sanctions against the country last Friday, to place financial pressure on the government, including entities and individuals who were to no longer have “access to the U.S. financial system."

The current climate in cyberspace where actions increasingly result in real-world consequences, is a perfect example of why, as the Sony debate continues, “attribution is vital," as Schneier put it.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.