US officials blame North Korea, but absolute attribution in Sony hack may be elusive

Investigators can take weeks and even months to piece together an attack, especially a major one of the kind that hit Sony. Even then, it's often impossible to assign blame with 100 percent accuracy.

A screen shot from "The Interview" shows actors James Franco, Lizzy Caplan, and Seth Rogen. Sony canceled the release of the film after hackers threatened violence at theaters where it was playing.

Columbia Pictures/AP

December 19, 2014

The speed at which US officials identified North Korean involvement in the Sony Pictures Entertainment hack surprised many experts familiar with the enormous challenges of pinpointing the origins of cyberattacks.

The FBI on Friday said that its investigation in collaboration with other US government agencies led it to conclude that the North Korean government is responsible. Technical analysis of the data deletion malware used in the attack is similar to other malware previously linked to North Korea, the FBI said in a statement.

“There were similarities in specific lines of code, encryption algorithms, data deletion methods and compromised networks,” the bureau said. What's more, according to the FBI, portions of the network infrastructure used in the Sony attacks has also been previously linked directly to North Korea.

The agency says it has more information that it is not willing to disclose. But the statement itself offers no new evidence beyond what is already publicly known and is sure to leave many within the computer security community wondering how and why it came to that conclusion so quickly.

Security experts who spoke with Passcode before the FBI statement had noted how these kinds of investigations can typically take months to piece together, especially one following a major hack such as the Sony attack.

For instance, US indictments against five members of the People’s Liberation Army of China on various hacking-related charges earlier this year, came only after years of painstaking effort following digital breadcrumbs.

Similarly, it wasn’t until the Obama administration’s tacit admission that it had ordered the Stuxnet attacks on Iran’s nuclear facilities that security experts were able to say for sure what they had suspected, but could never prove.

 “It’s not against the law of physics,” to attribute an attack with certainty on somebody, says Bruce Schneier, a noted security expert and author. “But it is highly unlikely,” in the case of the Sony attack given the time frame, he says.

Can Syria heal? For many, Step 1 is learning the difficult truth.

A group calling itself Guardians of Peace has claimed credit for an intrusion at Sony that has so far resulted in five unreleased movies being leaked online, personal data on thousands of employees being publicly posted on web forums, embarrassing and sensitive e-mails among top executives being released, and critical data being destroyed.

Sony also decided to cancel the release of "The Interview" after hackers threatened violence at theaters showing the comedy starring Seth Rogen and James Franco, who play characters involved in a plot to kill the North Korean leader.

Even though some signs point to North Korea, tracking attacks back to the source with any degree of certainty is a huge challenge.

Hackers often use proxy servers and other techniques to hide their tracks and throw investigators off their track. Attacks that appear to emanate from one source are often launched from an entirely different location. It is common for attackers to use previously compromised systems and networks to host malicious software and to launch and manage attacks from them. Sometimes, different hackers might use the same malware tools or minor variants to carry out attacks.

With some so-called "false-flag" attacks, hackers deliberately inject red herrings in their software code or in their choice of systems or locations to make it appear like someone else launched the attacks.

For example, an international criminal group called Inception by some and Red October by others has been carrying out a sustained and sophisticated cyber-espionage campaign against companies in Russia. Security firms tracking the group have noted how it has employed several tactics, such as using multiple languages including Hindi, Arabic, Spanish, and English in its code and malware capable of dropping decoy clues to suggest a Chinese connection, in order to confuse those tracking it.

And even when most signs point to a group or an individual, it is almost impossible to assign blame with 100 percent accuracy, says Alex Cox, a senior manager at the security firm RSA. 

“Unless the Navy Seals kicked in the door and caught the guy with his fingers on the keyboard,” it is very hard to say who did it, says Mr. Cox, who works for RSA's FirstWatch threat intelligence unit.

The fundamental problem is the difficulty involved in identifying individual pieces of hardware and software when a malicious adversary wants to avoid detection, says Mr. Schneier in his upcoming book, “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World."

“We can’t attach identifying information to data packets zipping around the Internet. We can’t verify the identity of a person sitting in front of a random keyboard somewhere on the planet,” he notes. “Solving this problem isn’t a matter of figuring out some engineering challenges; this inability is inherent in how the Internet works.”

Of course, it is quite possible that the government has more information that what is known publicly about the Sony attack. It is likely, for instance, that the National Security Agency or some other agency has wiretaps and other listening mechanisms to monitor what’s going on in North Korea.

But the publicly known facts about the attacks suggest a tenuous link at best. 

In addition to the Guardians of Peace warning about "The Interview," security researchers have found a link between the code used in the attack on Sony and code used by DarkSeoul, a group that is believed responsible for a series of attacks against banks and other companies in South Korea last year.

One of the command and control servers used to communicate with the malware used in the Sony attack is also believed to have links to the same group.

But such details alone are insufficient, says Cox. It’s difficult to tie an attack back to the source based on the evidence from one attack. So far, publicly available information suggests that the Sony attacks were launched from outside North Korea.

Cybercrime investigators often need to look at the tactics, techniques, and procedures employed by a hacker group over a period of time before they are able to build a reliable profile of that group, he says. 

“There’s always a certain amount of ego in the hacking world where guys will use certain phrases or certain names or certain web addresses that have some meaning to them.” Such groups tend to reuse the same things repeatedly and over time can help researchers tie specific attacks to specific groups.

For instance, the malware used in the Sony attacks, dubbed Trojan Destova, has a design and functionality that is similar to another malware tool called Shamoon that was used in a devastating attack against Saudi oil company Saudi Aramaco two years ago. The similarities have prompted some to speculate there might be a link between the two attacks but more evidence is needed to prove a conclusive link.

The Guardians of Peace has been a largely unknown entity to researchers until now. In fact, despite all the noise that has been made about North Korean involvement after the Sony breach, hackers from the reclusive nation have rarely been as visibly active on the Internet as others, at least going by recent rankings of the top hacker nations in the world.

While countries such as the US, China, Russia, India, and Hungary are frequently listed as top hacker nations, North Korea itself has not appeared on a single list. In fact, the country does not appear even in this real-time list of Top 15 sources of attack worldwide.

“From my investigations there are some connection points that say North Korea,” says Cox. “But it is really hard to say with certainty if it was actually them, or whether it was people they hired, or whether it was people supporting their cause.”