More Evidence From Sony Hack Leads Away From North Korea, Suggests Insider

Giuseppe Macri, Tech Editor
The latest cybersecurity firm to weigh in on the massive November cyberattack and threat against Sony Pictures found evidence this week that a company insider may be to blame for the hack, which the U.S. government has formally accused North Korea of perpetrating.

“Sony was not just hacked, this is a company that was essentially nuked from the inside,” cybersecurity firm Norse’s senior vice president Kurt Stammberger told CBS this week. “We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history.”

Stammberger’s comments joined a chorus of analyses by noted cybersecurity researchers this week casting doubt over the FBI’s claim last week that Pyongyang was behind the attack on Sony, which forced the company to limit the Christmas Day theatrical release of “The Interview” in response to a terrorist threat by the hackers.

After breaking into Sony’s servers the week of Thanksgiving and torpedoing the company’s network, the self-described “Guardians of Peace” leaked a trove of personal employee data, executives’ emails and unreleased films online before threatening to attack movie theaters if Sony didn’t pull the release of “The Interview,” which stars Seth Rogen and James Franco as bumbling reporters tasked by the CIA with assassinating North Korean dictator Kim Jong-un.

Last Friday the FBI formally accused Pyongyang of taking a central role in the attack based on the virus’ coding and the use of a global network of computers, both of which were employed in attacks against South Korea in the last two years. The FBI claims to have previously tied North Korea to those attacks, and in conjunction with other information the bureau declined to elaborate on due to the ongoing investigation, declared Pyongyang “responsible” for the hack.

Yet according to a growing number of cybersecurity experts, the FBI’s conclusion is based on unconfirmed information, as the coding and network used in the South Korean attacks only link to North Korea circumstantially at best. The type of malware used in the attack is commonly available and shared among hackers online, and the global network used to route the attack to Sony uses well-known waypoints for trafficking spam and viruses. Coupled with that, further recent analyses by experts of the attacks cited by the FBI have concluded they were carried out by hackers with no direct link to Pyongyang.

As more details about the highly effective attack emerge, many suspect a Sony insider would have been crucial to obtaining the passwords and directionality hardcoded into the malware that efficiently scorched Sony’s network. Stammberger and Norse, though not involved in the official investigation, claim they may have found the turncoat.

According to Stammberger, Norse believes it has identified a woman claiming connection with the “Guardians of Peace” as a former Sony employee who was perfectly placed to acquire the information needed to execute the attack.

The woman, who calls herself “Lena,” worked for Sony in Los Angeles for a decade until last May.

“This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised,” Stammberger said.

What are seemingly North Korean fingerprints have all turned out to be “decoys or red herrings,” according to Stammberger.

Skeptics also point out that the hackers’ original message to Sony made no mention of “The Interview,” and requested money in exchange for withholding a data dump of Sony property stolen from the company’s servers. Many claim that, as far as they can tell, the threats to pull the film didn’t emerge until media reports speculated about North Korea, which has denied any involvement.

An analysis of the broken English wording of the threats cited by The New York Times found the linguistics inconsistent with English translations of Korean. Instead, the computational linguists at cybersecurity consultancy Taia Global found the speech patterns more closely resemble Russian speakers than Korean.

Russian Foreign Ministry spokesman Alexander Lukashevich on Thursday offered sympathy to North Korea in response to its outrage against “The Interview” and the accusation that it was behind the attack against Sony. Lukashevich said the U.S. has failed to establish any credible link to Pyongyang, and that White House threats of retaliation against North Korea were “counterproductive.”

Lukashevich said the country’s anger over “The Interview” was “quite understandable.”

Sony released the film on Google Play, Xbox Live and YouTube Wednesday, and in select theaters Thursday. The movie has since risen to the top spot on YouTube and sold out showings all across the U.S.
