Sony: Attribution Debate RagesThe FBI Blames North Korea, But Many Experts Urge Skepticism
While the FBI has attributed the hack attack against Sony Pictures Entertainment to North Korea, many information security experts remain unconvinced.
"Maybe the NSA has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical," says Bruce Schneier, chief technology officer of incident response management firm Co3 Systems, in a blog post, noting that the attack may instead have been launched by insiders or even random hackers. "We don't know who did this, and we may never find out."
Such skepticism is being voiced in the face of President Obama's promising that the United States "will respond proportionally" to the attacks, although it's not clear exactly what that response might entail.
Given what's at stake, Marc Rogers, principal security researcher at distributed denial-of-service defense firm CloudFlare, has called on the U.S. government to publish ironclad technical evidence. "Calling out a foreign nation over a cybercrime of this magnitude - something serious enough to go to war over - should not be taken lightly," Rogers says in a blog post. "The evidence used to attribute a nation state in such a case should be solid enough that it would be both admissible and effective in a court of law. As it stands, I do not believe we are anywhere close to meeting that standard."
For the record, the Pyongyang-based government of North Korea, led by Kim Jong-un, has dismissed the FBI's attribution, demanded a joint investigation into the hack with the United States, and threatened reprisals if that doesn't happen.
Some security experts have also noted that the Sony hack differs significantly from previous attacks that have been attributed to a nation state. "You don't normally get a criminal motive like this from a nation state, not in a public way," Carl Herberger, vice president of security solutions at app delivery vendor Radware, tells Information Security Media Group.
Schneier also notes that the FBI didn't attribute the attacks to Pyongyang, per se. "We don't know these attacks were sanctioned by the North Korean government. The U.S. government has made statements linking the attacks to North Korea, but hasn't officially blamed the government, nor have officials provided any evidence of the linkage," he says. That leaves open the possibility that the attack could have been launched by fans of the regime that calls itself the Democratic People's Republic of Korea. "This wouldn't be the first time a nationalistic cyber-attack was launched without government sanction," he says. "We have lots of examples of these sorts of attacks being conducted by regular hackers with nationalistic pride. Kids playing politics, I call them."
FBI Attribution: Light on Details
CloudFlare's Rogers notes that the FBI's attribution states that it's seen technical similarities between the Sony hack and previous attacks that used wiper malware - which erases hard drives and master boot records, thus "bricking" PCs - which is a reference to the Shamoon and Dark Seoul attacks.
But Rogers says attack code is easy to come by, and far harder to attribute to any given party. "Many of these pieces of malware use publicly available tools and libraries," he says. "Many of these pieces of malware are based on malware source code that has been sold/released/leaked and is therefore accessible and easy to use. Finally many of these pieces of malware are available for purchase."
Sony investigators have said that at least part of the attack appeared to have come from a North Korean IP address. But Jeffrey Carr, CEO of threat-intelligence firm Taia Global, notes that the Thai telecom company Loxley Pacific handles a large part of North Korea's telecommunications infrastructure, as part of a joint venture with Pyongyang called Star JV. What if Sony's attackers first hacked into Loxley's systems, and used those systems to make it appear as if the Sony attack stemmed from North Korea?
"If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific's network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK's network against any target that they wish," Carr says. "Every attack would, of course, point back to the hated Pyongyang government."
The security researcher known as "Dr Krypt3ia" has also published a detailed analysis of the IP addresses cited by the FBI as tying to previous attacks attributed to North Korea. But the IP addresses - located in Bolivia, Cyprus, Italy, Poland, Singapore, Thailand, and the United States - largely appear to be anonymous proxies that are regularly used by all manner of spammers, as well as for malware command-and-control operations by multiple cybercrime gangs.
Furthermore, Dr Krypt3ia questions the Sony information being referenced by investigators, given that the entertainment company's network was completely infiltrated. "If indeed the FBI has logs from Sony - which mind you, was pwn3d sideways to Sunday - can they even be trusted?" he says.
Accordingly, Robert Graham, head of information security firm Errata Security, wonders if many of the supposed North Korean attributions that have been voiced to date - including similarities between the messages left by attackers - may not be displaying evidence of the logical fallacy known as confirmation bias. "Once you've decided on the conclusion - 'North Korea hackers' - your perception of the evidence changes," he says in a blog post. "Everything you see starts to confirm your conclusion. This is especially true when you are ignorant of the larger perspective. To those of us with perspective, we don't see the evidence that you believe in."
'Intel' Isn't Always Fact
The FBI's attribution also belies what intelligence experts say is the fact that intelligence is rarely fully reliable. Indeed, Carr at Taia Global cautions that the intelligence community "is rarely unified when it comes to intelligence analysis; especially cyber intelligence."
There are numerous examples, furthermore, of early attributions later being proven wrong. One example is the spring 2014 breach of JPMorgan Chase, discovered in August, after which Bloomberg News quoted anonymous sources - with knowledge of the investigation - who said they believed that the Russian government ordered the hack as a reprisal the West's Ukraine sanctions against it. But by October, the FBI said it had ruled out the Russian government as a suspect.
Early in the investigation into the 2010 NASDAQ hack, meanwhile, the NSA concluded that "elite Russian hackers" had launched the attack, possibly to cause chaos in the U.S. financial services sector, Bloomberg News reported. But later in the investigation, the NSA's conclusions - which were apparently based largely on the malware that had been used - came under fire, Carr says, not least because of the ease with which malware components can be bought, sold and reused. Some commentators also questioned the NSA officials' political motivations in trying to advance their program for public/private information sharing.
Mistakes Are Costly
Beyond the information security realm, numerous experts have cited the Iraq war - and the United States claiming to have discovered weapons of mass destruction - to illustrate that while it's easy to make an attribution, the repercussions from making an incorrect attribution are much harder to undo.
"The White House must responsibly evaluate [all potential attack explanations] ... before taking action against another nation state," Carr says. "If it takes such action, and is proved wrong later, which it almost certainly will be, the reputation of the U.S. government and the intelligence agencies which serve it will be harmed."
For many information security experts, when it comes to answering the question of "who hacked Sony?" the jury is still out. "We don't have any solid evidence that implicates North Korea, while at the same time we don't have enough evidence to rule North Korea out," CloudFlare's Rogers says.