Experts Are Still Divided On Whether North Korea Is Behind Sony Attack

• 
  
  Security cameras stand across the street on Culver Boulevard from the Sony Pictures Studios’ water tank in Culver City, Calif., Thursday, Dec. 18, 2014. Damian Dovarganes/AP
  
  The FBI announcement last week that it had uncovered evidence in the Sony hack pointing to North Korea appears to have settled the issue for a lot of people—in Washington, DC.
  
  “As a result of our investigation,” the FBI announced, “and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.”
  
  But many on the West Coast, and beyond, are still skeptical of the evidence and the FBI’s claims. The announcement, after all, comes a mere three weeks into the investigation, and reverses a statement FBI Director James Comey had made just the week before that investigators had found nothing so far to tie the hack to the North Korean government. “Before we attribute a particular action to a particular actor,” he said, “we like to sort the evidence in a very careful way to arrive at a level of confidence that we think justifies saying ‘Joe did it’ or ‘Sally did it,’ and we’re not at that point yet.”
  
  The FBI attributed the Sony hack to North Korea in part because it shares some code and components with hacks that were conducted in South Korea in 2013, which some have attributed to North Korea. They also cite as evidence the fact that IP addresses associated with North Korea contacted some of the command-and-control servers the Sony hackers used to communicate with malware on the Sony machines. Skeptics criticized the evidence saying it was inconclusive and failed to make the FBI’s case. The agency, however, maintains that it has other evidence it can’t disclose, raising questions about whether signals intelligence collected by NSA surveillance might have been used. Separately, a private security firm with ties to the FBI says it has additional clues that point to North Korea.
  
  Let’s unpack these details.
  
  The U.S. Government’s Unprecedented Statement
  The government’s statement pointing to North Korea is unprecedented, marking the first time a government agency has formally blamed another nation for a cyber attack. When Google was hacked in 2010 by a sophisticated adversary, it wasn’t the government that accused China, but Google. The most Secretary of State Hilary Clinton did publicly at the time was to ask China to explain the claims. When the government has pointed a finger directly at other nations for hacks, it has generally come from individual officials speaking to the press, not from a formal press statement—let alone the president.
  
  This seems to suggest that the government must have other evidence—beyond the FBI’s disclosed circumstantial evidence—that North Korea was responsible for the hack. Otherwise, why would the president agree to announce on TV that North Korea was the culprit?
  
  The Skeptics’ Point of View
  Robert Graham, CEO of Errata Security, who has been a vocal skeptic of the government’s attribution, says he thinks the government is divided on the issue, but that certain parties forced a public statement.
  
  “I don’t think the NSA is on board and I don’t think the entire FBI is on board, either,” he speculates. Rather, he thinks someone in a political position inside the FBI, not actual investigators, got hold of a report from Mandiant, the security firm hired to investigate Sony’s breach, which said that there were similarities to other attacks attributed to North Korea. These FBI insiders read this and “wanted it to be North Korea so much that they just threw away caution,” he suggests. The degree of attention focused on the Sony hack combined with “leaks” from anonymous government officials pointing the finger at North Korea made it a fait accompli that the administration would have to officially attribute the attack to North Korea. “There’s this whole group-think that happens, and once it becomes the message, it’s really hard to say no it’s not this,” Graham says.
  
  He expects the Justice Department will eventually announce the arrest of hackers who acted independently of North Korea. Because President Obama’s statements about the hack have been mild—calling it cyber vandalism instead of cyber warfare, for instance—it won’t be hard for the administration to walk back from its initial claims. Graham goes further; he surmises that Obama’s tepid statements indicate there is no other NSA evidence. “If the NSA has evidence, he would be much more forceful in his response.”
  
  The Believers’ POV
  Steve Bellovin, however, believes the government does have classified intelligence, either through the NSA, U.S. Cyber Command or the CIA, and that such information more directly links the attack to North Korea. A well-respected professor of computer science at Columbia University, Bellovin also thinks much of the criticism by security researchers picking apart individual pieces of FBI evidence is off-base. He points to a Mandiant report last year about a hack from China that targeted the New York Times. In that investigation, Mandiant exposed a prolific group in China, believed to be state-backed, that was responsible for multiple attacks over a number of years, including the hack of the Times. “They built a profile over the years of what Chinese attacks look like,” he notes based on that experience. So when they see an attack that matches that profile, it’s easy to attribute it to the same group. Similarly, he thinks years of observing hacks believed to be connected to North Korea have helped Mandiant and others build a profile of North Korean hacks based not on one piece of evidence, but multiple.
  
  Bellovin notes that reuse of code, infrastructure, and techniques—evidence the FBI cites in its attribution of North Korea—can indeed be used to link to attacks. That’s how malware researchers have always linked families of malware to one another as well as seemingly disparate attacks.
  
  But he acknowledges that linking families of attacks to an identifiable actor or source is trickier. He points to a National Academies report from 2009, quoting a former Justice Department official on attribution in cyber attacks: “I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of an attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.”
  
  Indeed, in 2011 a leaked government memo claimed Russian hackers had remotely destroyed a water pump at an Illinois utility. The report spawned dozens of sensational news stories calling it the first reported destruction of U.S. infrastructure by a hacker. But within a week, DHS said it could find no evidence that a hack occurred. In truth, the water pump simply burned out, and a government-funded fusion center had hastily and incorrectly linked the failure to an internet connection from a Russian IP address months earlier.
  
  The NSA’s Unseen Evidence
  If the FBI does have unseen evidence collected by the NSA, it may have been collected in a manner laid out by Nicholas Weaver, a computer scientist at the International Computer Science Institute. Weaver has detailed how the NSA could track the Sony hackers, using various surveillance tools it has at its disposal.
  
  Dmitri Alperovitch, co-founder and CTO of the security firm CrowdStrike, says there’s no question that North Korea is behind the Sony hack and asserts that the U.S. does have more evidence pointing to North Korea that it can’t release right now. Alperovitch may be in a position to know. CrowdStrike’s president and CSO, Shawn Henry, is former executive assistant director of the FBI. His company has been tracking the group behind attacks on South Korea for a number of years that they say were also done by North Korea.
  
  The South Korea hacks go back to 2006 and were conducted by a group CrowdStrike calls Silent Chollima, named after a mythical flying horse and a political movement in North Korea. The group is also known alternatively by other researchers as WhoIs Team, IsOne and Hastati. The group is responsible for attacks known as DarkSeoul that in 2013 on the anniversary of the Korean War wiped data from a number of banks and media companies in South Korea. The same group has also been linked to DDoS attacks against targets in South Korea and espionage operations against U.S. and South Korean military targets.
  
  “We believe Silent Chollima are North Korean actors, but we’re not specific whether it’s a military or intelligence unit,” Alperovitch says, noting that in the South Korea hacks the group specifically sought data that would be of strategic interest to the North Korean military.
  
  The evidence again is largely circumstantial. Some of it involves keywords the attackers used to search for data on infected machines—keywords related to specific U.S. and South Korean military plans and exercises in the region. They include, he says: “Key Resolve Drill,” “OPLAN,” and “Artillery.” Key Resolve refers to an annual exercise conducted by U.S. and South Korean military. OPLAN refers to operational plans for the military.
  
  “Who else would it be [but North Korea] that would hit both Sony over the movie and South Korea and U.S. military networks looking for that type of info?” he says.
  
  He also says his team found malware samples used by Silent Chollima that contain words used only in North Korea. “There are some intricacies from North Korean language, some words are spelled differently, and the use of these words were an indication that these were North Korean actors,” he says. He wouldn’t provide examples of the words to WIRED, however, because he says the malware sample containing the words has not been publicly disclosed yet.
  
  In the meantime, Symantec has said that a Trojan it discovered last August, called Volgmer, also has ties to the Sony hack in that it was programmed to communicate with one of the same command-and-control servers used by the Sony hackers. The Trojan is designed to open a backdoor onto infected systems to allow attackers to do reconnaissance and install additional malware. There’s no evidence at this point that the Sony hackers used Volgmer in their attack on the studio, but Symantec thinks it may have been used by the DarkSeoul hackers, since the sample of Volgmer they examined was designed to work only on machines using the Korean language.
  
  The Motive Problem
  While it may turn out that the South Korea attacks can be attributed to North Korea and that the Sony hackers are responsible for both sets of assaults, none of this explains the apparent disparity between the motive assigned to North Korea for the hack—over the film The Interview—and the motives the hackers themselves have given, which point to extortion.
  
  In a message sent Nov. 30 from the email address used to leak Sony data, one of the apparent hackers wrote a reporter with IDG News that “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years. It has brought damage to a lot of people, some of whom are among us,” they wrote. “Nowadays Sony Pictures is about to prey on the weak with a plan of another indiscriminate restructuring for their own benefits. This became a decisive motive of our action. We required Sony Pictures to stop this and pay proper monetary compensation to the victims.”
  
  The demand for monetary compensation echoed an email the attackers apparently sent to Sony executives Nov. 21, a few days before Sony employee computers were hijacked by the attackers.
  
  Alperovitch, however, says none of this is inconsistent with the erratic behavior of North Korea. “You have to look at the fact that North Korea is very special. They do things other nations don’t do,” he says. “You can’t judge them by the stick you would other countries. They do engage in blackmail, extortion and money laundering to finance the regime. I don’t think it’s that out of character.”
  
  Did the U.S. Knock North Korea Off the Internet?
  As questions about North Korea’s role in the Sony hack continue to confound, North Korea’s four internet connections were knocked offline yesterday, cutting the country off digitally. Was this the “proportional response” President Obama had warned about, some wondered?
  
  Doug Madory, director of internet analysis at Dyn Research, says it’s unlikely. Dyn Research has sensors placed at strategic points throughout the internet backbone to monitor connectivity in most parts of the world. Madory says the problems with North Korea’s networks occurred intermittently on Sunday before they went completely dark on Monday, which makes Madory think “some joker,” perhaps even a hacker in South Korea, is behind it and was adjusting his attack to increase its power until he knocked all four connections offline.
  
  To suggest the outage was caused by the U.S. is an insult, he says. “This is a pretty clumsy way to take care of business,” he notes. “If this is a DDoS attack [from the U.S.] surely our tax payer money [could pay] for a better internet blackout.”
  
  Others suggest China, which has grown angry and annoyed with North Korea’s antics over the years, was behind the outage. But Madory thinks if that were the case, the connectivity would have gone down completely on Sunday, instead of wavering a day before going dark.
  
  “Any joker on the internet that knows how to conduct DDoS attacks can be behind this,” he says. “DDoS attacks happen as a matter of routine these days—and run a spectrum of sophistication. If [North Korean networks] are vulnerable, they can be knocked offline by some teenager in South Korea.”
  
  Some media outlets called it a “massive” outage. But North Korea has just four networks, composed of about 1,000 IP addresses, that connect to the internet through a North Korean ISP and through China Unicom. “It’s a microscopic internet,” Madory says of North Korea’s connectivity. “The U.S has 150,000 routes [of internet connectivity], and South Korea is about 17,000 routes. North Korea is just 4 routes. They are the smallest they can possibly be….It has no role in the economy or life in North Korea.”
  
  In fact it’s so insignificant that he says it would make no difference to the country to just ignore the outage and leave the networks down for six months.
  
  North Korea’s internet outage is the least concern at this point, however. The mysteries behind Sony’s hack still linger and may never be fully resolved.