Evidence Linking North Korea To Sony Hack ‘Pretty Weak’

Giuseppe Macri Tech Editor

U.S. government officials and the FBI declared last week that North Korea was “centrally involved” in the massive cyberattack against Sony Pictures in November, an accusation resting on evidence that many cybersecurity experts describe as circumstantial at best.

In an announcement Friday formally confirming the statements of multiple unidentified U.S. officials, the FBI laid the blame on Pyongyang based on a short list of digital forensic evidence pulled from Sony’s systems in the wake of the attack. (RELATED: U.S. Officially Names North Korea In Sony Hack)

The bureau didn’t mince words, and said it had “enough information to conclude that the North Korean government is responsible for these actions,” which forced Sony Pictures to cancel the Dec. 25 film debut of “The Interview” in response to a 9/11-style terrorist threat by the hackers, the self-described “Guardians of Peace.”

According to the statement, that information includes specific lines of code, encryption algorithms, data deletion methods, compromised networks and a host of infrastructure used in previous attacks, including several Internet protocol (IP) addresses “associated with known North Korean infrastructure” and “tools” used against South Korean banks and media outlets last year.

The malware the agency described resembles that found in the aftermath of two earlier destructive cyberattacks: the 2012 “Shamoon” attack against the Saudi Arabian oil company Aramco, and the “DarkSeoul” attack that crippled South Korean networks around the 63rd anniversary of the start of the Korean War.

Those attacks have been “previously linked directly to North Korea” by the U.S. government, but in the months and years since, outside experts have weighed in with some contradictory findings.

In an in-depth analysis of the Aramco attack cited by cybersecurity expert Marc Rogers, who screens papers for the leading hacker conference DEF CON, the Shamoon malware was judged to be the shoddy work of amateurs on the basis of a series of “silly mistakes,” and was attributed to a group calling itself “the Cutting Sword of Justice.”

The DarkSeoul malware that hit South Korea in June of 2013 shared components with an attack earlier that year against banks and TV broadcasters. Security software developer Symantec attributed that earlier March attack, known as “Jokra,” to the “DarkSeoul gang,” a group of South Korean hackers possibly bankrolled by the dictator to the north, though no evidence of such backing has been produced.

“So while North Korea has certainly been hinted at for each of these two hacks, the evidence is flimsy and speculative at best,” Rogers said in a blog post this week breaking down the FBI’s evidence.

Although the “Destover” malware that wiped Sony’s systems bears technical similarities to Shamoon and DarkSeoul, Rogers said that shared DNA among malware is “hardly a smoking gun.”

“The strength of this particular line of analysis weakens when you consider just how much sharing happens in the malware world,” Rogers wrote. “Many of these pieces of malware use publicly available tools and libraries. Many of these pieces of malware are based on malware source code that has been sold/released/leaked and is therefore accessible and easy to use. Finally many of these pieces of malware are available for purchase.”

“It’s pretty weak in my books to claim that the newest piece of malware is the act of a nation state because other possible related pieces of malware were ‘rumored’ to be the work of a nation state,” Rogers said. “Until someone comes up with solid evidence actually attributing one of these pieces of malware to North Korea I consider this evidence to be, at best, speculation.”

Rogers described the IP addresses cited by the FBI as even less compelling evidence, arguing that treating them as proof of origin implies “a fundamental misunderstanding” of how Internet traffic flows and how hackers operate.

Routing attacks through public, open or otherwise vulnerable networks is hacking 101. The IP addresses the FBI says were used to route the Sony attack include hosts in Singapore, Thailand and Bolivia (the last of which was used in an attack on South Korea two years ago). All of them are public, well-known waypoints for spam and malware, according to cybersecurity expert Scot Terban (a.k.a. Dr. Krypt3ia).

“At the end of the day, if these are all the IPs that the U.S. is using as evidence that DPRK carried out this attack I think it is pretty weak as evidence goes,” Terban wrote. “The majority of these systems are proxies and known to be such and the others are weak systems that have likely been compromised for use in this attack and maybe others because hackers share a lot of these C&C boxes. They do so to muddy the waters so to speak, the more groups using them the more confusion can be sown.”

Though outside analysis casts doubt on the evidence the FBI has made public, the bureau says what it released is only part of the basis for the accusation against North Korea, and that the ongoing investigation “precludes us from sharing all of this information.”

Other sources claim the hackers hardcoded into Destover the network paths and passwords needed to navigate Sony’s systems so effectively, and that such information would have had to come from a source inside the company.

Proponents of the insider theory point to major restructuring at Sony earlier this year, including the dissolution of Sony Pictures Technologies, which was scrapped along with the jobs of fewer than 50 employees as part of Chairman Michael Lynton and Co-Chairman Amy Pascal’s plan to cut Sony’s overhead costs by $250 million. Lynton and, especially, Pascal both had a slew of embarrassing emails stolen and dumped online by the hackers, along with troves of personal employee information and several unreleased films.

Though Pyongyang has been unyielding in its condemnation of “The Interview,” a comedy starring Seth Rogen and James Franco as would-be assassins of North Korean dictator Kim Jong-un, the country has consistently denied any involvement in the attack.

This weekend North Korea vowed to retaliate against the U.S. as a whole, in response to the FBI statement and to a CNN interview in which President Obama described the attack against Sony as “cybervandalism.”
