Modern field guide to security and privacy

Security experts: FBI report light on evidence linking North Korea to Sony hack

The FBI statement that linked the Sony hack to North Korea relied on previously released and inconclusive evidence, said many cybersecurity insiders.

Columbia Pictures/AP
"The Interview," a comedy starring (from left) Diana Bang, Seth Rogen, and James Franco, was canceled by Sony Pictures after hackers linked to North Korea threatened violence if the studio released the film.

Even after the Federal Bureau of Investigation's official statement that North Korea was behind the Sony attack, many cybersecurity experts are still skeptical the hermit nation is truly the culprit, citing a lack of new and more convincing evidence. 

“It’s mostly a repeat of information that has been in the public before,” Rob Graham, chief executive officer of research firm Errata Security, said of the FBI's statement issued Friday. 

Many prominent names in the field, Graham among them, took to Twitter to express their concern. "I'm completely underwhelmed by the FBI's 'proof' attributing Sony attack to North Korea," Graham tweeted from his @ErrataRob account.

The FBI points to three key factors that "in part" led to its conclusion — and all three had already been disclosed to the public by Simon Choi, a virus researcher from Seoul's Hauri Inc.

The statement mentions similarities between the deletion malware used in the Sony hack and deletion malware previously used by North Korean hackers; it refers to tools used in the Sony attack that resembled ones deployed in a North Korean attack on South Korean media and banks; and it points out that infrastructure hardcoded into the malware (including IP addresses) matched infrastructure previously identified as North Korean.

Even with this information, many in the cybersecurity industry see these links as tenuous at best. All of these technical watermarks can be, and frequently are, falsified or mimicked by hackers.
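As an added illustration of the third factor (hardcoded infrastructure) and of why such a match is weak on its own, here is example code written for this page, not from the FBI, Sony, or any researcher quoted: it extracts IPv4 literals from a sample, scores their overlap with a list of previously identified infrastructure, and discounts any match on an indicator that was already public. The two samples, the addresses, and both lists are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed stand-ins for two unrelated binaries that both embed the same
# hardcoded addresses. Addresses come from documentation ranges; they are
# placeholders, not real indicators from any investigation.
SAMPLE_A = b"MZ\x90\x00junk\x00192.0.2.10\x00cfg\x00198.51.100.7\x00wipe\x00"
SAMPLE_B = b"\x7fELF\x00other\x00192.0.2.10\x00198.51.100.7\x00203.0.113.5\x00"

# Constructed list of "infrastructure identified in earlier attacks", and the
# subset of it that had already been published before this analysis.
KNOWN_INFRA: Set[str] = {"192.0.2.10", "198.51.100.7", "203.0.113.5"}
PUBLISHED: Set[str] = {"192.0.2.10", "198.51.100.7"}

# Dotted-quad literal not glued to surrounding digits or dots.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(blob: bytes) -> List[str]:
    """Distinct printable IPv4 literals in a byte blob, in order of appearance."""
    seen: Set[str] = set()
    out: List[str] = []
    for m in IPV4_RE.finditer(blob):
        s = m.group().decode("ascii")
        if all(int(octet) <= 255 for octet in s.split(".")) and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def assess_overlap(blob: bytes, known: Set[str], published: Set[str]) -> Dict[str, object]:
    """Score infrastructure overlap and separate public from non-public matches.

    A published indicator is a string anyone can embed, so it cannot on its own
    discriminate authorship; only matches on never-published indicators are
    allowed to raise confidence above 'low'.
    """
    ips = extract_ipv4(blob)
    matched = [ip for ip in ips if ip in known]
    non_public = [ip for ip in matched if ip not in published]
    return {
        "found": ips,
        "matched": matched,
        "overlap": len(matched) / len(ips) if ips else 0.0,
        "non_public_matches": non_public,
        "confidence": "moderate" if non_public else "low",
    }
```

Both samples score a perfect overlap with the known list, yet only the second carries a match that was not already public, which is the distinction the experts quoted here say the FBI statement does not make.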

“We know that hackers share malware on forums. Every hacker in the world has all the source code available,” says Mr. Graham.

“I think you have to go back to the original ransom note,” says Graham Cluley, a former antivirus software programmer and security consultant who currently writes about the industry for grahamcluley.com, a security blog.

“It didn’t ask for 'The Interview' to not be released, it asked for money," he says. "In Dark Seoul, there were no demands. They just wiped everything. We’re not even entirely sure that North Korea did that attack. We think they did, but it hasn’t been proven.”

Mr. Cluley told Passcode on Thursday that he was skeptical of then-anonymous reports of government agencies identifying North Korea as the culprit. The FBI report has done nothing to change his mind.

Cluley says that investigations into data breaches are nearly impossible to conduct from a purely digital perspective without, at minimum, examining the computer used to perpetrate the crime, and are rarely completed in the kind of timeframe in which the FBI has blamed North Korea for the Sony attack.

The lack of convincing detail in the report would imply the accusation must be based on “human or signals” intelligence, says Rick Holland, principal analyst serving security and risk professionals at Forrester Research. Basing the accusations on the detail released to the public would be rash, he says.

The NSA has a long history of monitoring hackers to copy their tactics, says Mr. Holland. "There’s no reason to assume anyone considering an attack wouldn’t do the same thing."

Ideally, says Holland, the government would release more information to back up its claims. But he isn’t holding his breath for more detailed technical information coming out of the government.

“The United States has a long history of declassifying imaging data to justify an accusation — we did that, for example, to show Russian tanks had crossed into the Russian border. But for this, there’s no equivalent of a photo of Russian tanks. With digital investigations, there’s nothing quite as definitive.”

Graham, of Errata Security, who would like to see the code used by the hackers released, takes a more cynical view. “They’re worried we’ll prove them wrong," he says.

The FBI report is not without believers. Thomas Rid of King's College London and Richard Bejtlich of FireEye immediately tweeted to each other that the evidence was "as good as it gets," at which point Rid's recent research partner and co-author of the well-read "OMGCyber" paper, Robert M. Lee, interrupted.

Lee, an Air Force cyber operations officer, tweeted, "[A] lot of what is attributed is based on their previous knowledge of infrastructure. How do we know it's good?"

https://www.csmonitor.com/World/Passcode/2014/1219/Security-experts-FBI-report-light-on-evidence-linking-North-Korea-to-Sony-hack