Wired
by Kim Zetter
12/17/2014


Today Sony canceled the premiere of “The Interview” and its entire Christmas-Day release of the movie because of fears that terrorists might attack theaters showing the film.

The actions show just how much power the attackers behind the Sony hack have amassed in a short time. But who exactly are they?

[1] The New York Times reported this evening that North Korea is “centrally involved” in the hack, citing unnamed U.S. intelligence officials. It’s unclear from the Times report what “centrally involved” means and whether the intelligence officials are saying the hackers were state-sponsored or actually agents of the state. The Times also notes that “It is not clear how the United States came to its determination that the North Korean regime played a central role in the Sony attacks.” The public evidence pointing at the Hermit Kingdom is flimsy.

Other theories of attribution focus on hacktivists—motivated by ideology, politics or something else—or disgruntled insiders who stole the data on their own or assisted outsiders in gaining access to it. Recently, the finger has pointed at China.

In the service of unraveling the attribution mess, we examined the known evidence for and against North Korea.

Attribution Is Difficult If Not Impossible

First off, we have to say that attribution in breaches is difficult. Assertions about who is behind any attack should be treated with a hefty dose of skepticism. Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.

Nation-state attacks often can be distinguished by their level of sophistication and modus operandi, but attribution is no less difficult. It’s easy for attackers to plant false flags that point to North Korea or another nation as the culprit. And even when an attack appears to be nation-state, it can be difficult to know if the hackers are mercenaries acting alone or with state sponsorship—some hackers work freelance and get paid by a state only when they get access to an important system or useful intelligence; others work directly for a state or military. Then there are hacktivists, who can be confused with state actors because their geopolitical interests and motives jibe with a state’s interests.

Distinguishing between all of these can be impossible unless you’re an intelligence agency like the NSA, with vast reach into computers around the world, and can uncover evidence about attribution in ways that law enforcement agents legally cannot.

So let’s look at what’s known.

Sony and FBI Deny Connection to North Korea

First of all, Sony and the FBI have announced that they’ve found no evidence so far to tie North Korea to the attack. [2] New reports, however, indicate that intelligence officials who are not permitted to speak on the record have concluded that the North Koreans are behind the hack. But they have provided no evidence to support this, and without knowing even what agency the officials belong to, it’s difficult to know what to make of the claim. And we should point out that intelligence agencies and government officials have jumped to hasty conclusions or misled the public in the past because it was politically expedient.

Nation-state attacks generally aren’t as noisy, and they don’t announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack. Nor do they use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of GOP have done in media interviews. Nor do such attacks involve posts of stolen data to Pastebin—the unofficial cloud repository of hackers—where sensitive company files belonging to Sony have been leaked. These are all hallmarks of hacktivists—groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz—or of hackers sympathetic to a political cause.

Despite all of this, media outlets won’t let the North Korea narrative go and don’t seem to want to consider other options. If there’s anything years of Law and Order reruns should tell us, it’s that focusing on a single suspect can lead to exclusionary bias where clues that contradict the favored theory get ignored.

The Interview a Red Herring?

Initial and hasty media reports about the attackers pointed to cyberwarriors from North Korea, bent on seeking revenge for the Sony movie The Interview. This was based on a complaint North Korea made to the United Nations last July about the Seth Rogen and James Franco flick, which was originally slated to be released in October before being changed to Christmas Day. North Korea’s UN ambassador said the comedy, about a TV host and his producer who get embroiled in an ill-conceived CIA plot to assassinate North Korean President Kim Jong-un, was an act of war that promoted terrorism against North Korea.

“To allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war,” UN ambassador Ja Song Nam wrote the UN secretary general in a letter. “The United States authorities should take immediate and appropriate actions to ban the production and distribution of the aforementioned film; otherwise, it will be fully responsible for encouraging and sponsoring terrorism.”

In other statements, North Korea threatened a “resolute and merciless” response if the U.S. didn’t ban the film.

But in their initial public statement, whoever hacked Sony made no mention of North Korea or the film. And in an email sent to Sony by the hackers, found in documents they leaked, there is also no mention of North Korea or the film. The email was sent to Sony executives on Nov. 21, a few days before the hack went public. Addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, it appears to be an attempt at extortion, not an expression of political outrage or a threat of war.

“[M]onetary compensation we want,” the email read. “Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.”

To make matters confusing, however, the email wasn’t signed by GOP or Guardians of Peace, who have taken credit for the hack, but by “God’sApstls,” a reference that also appeared in one of the malicious files used in the Sony hack.

A person purporting to be a Guardians of Peace spokesperson then emphasized again, in an interview with CSO Online published Dec. 1, that they are “an international organization … not under direction of any state.” The GOP’s members include, they wrote, “famous figures in the politics and society from several nations such as United States, United Kingdom and France.”

The person also said the Seth Rogen film was not the motive for the hack, but that the film was problematic nonetheless in that it exemplified Sony’s greed and fed political turmoil in the region:

“Our aim is not at the film The Interview as Sony Pictures suggests,” the person told CSO Online. “But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.”

It was only on December 8, after a week of media stories connecting North Korea and the Sony film to the hack, that the attackers made their first reference to the film in one of their public announcements. But they continued to reject the theory that North Korea was behind their actions, and they denied ownership of an email sent to Sony staffers after the hack that threatened them and their families with harm if they didn’t denounce their employer.

At this point, it’s quite possible the media are guilty of inspiring the hackers’ narrative, since it was only after news reports tying the attack to the Sony film that GOP began condemning the movie in public statements. This week the hackers have pounced on that narrative, using it to escalate the stakes by making oblique terrorist threats against the film’s New York premiere and theaters scheduled to screen it Christmas day. Even if members of GOP lack the means or intent to pull off a terrorist attack on their own, they’ve now created an open invitation for opportunistic attackers to do so in their name—in essence, escalating their crimes and influence to a level no other hackers have achieved to date.

So why do some people continue to claim that North Korea is the culprit? There are two forensic discoveries that fuel this assertion, but they are flimsy.

Evidence: Malicious Files Point to Possible Korean Speakers

Four files that researchers have examined, which appear to be connected to the hack, seem to have been compiled on a machine that was using the Korean language. This refers to the language and encoding setting of the computer that built the files; computer users can configure that setting so that content on their machine renders in a language they speak. But an attacker can set the language on a compilation machine to any language they want and, researchers note, can even manipulate the language information recorded in a file after it is compiled to throw investigators off.
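As an added illustration, not from the article or the researchers it cites: one common place a "built on a Korean-language machine" indicator lives is the language ID (LANGID) at the third level of a Windows PE file's resource directory; that this is the artifact the researchers examined is my assumption, the article does not say. The parser below walks a constructed, minimal .rsrc section and reports the LANGIDs it finds; the value is a plain two-byte field written by the build tools, which is why a defender should treat it as a weak signal rather than proof of origin.

```python
import struct

# A few Microsoft LANGID values relevant to the attribution debate above.
LANGIDS = {0x0409: "en-US", 0x0412: "ko-KR", 0x0804: "zh-CN", 0x0411: "ja-JP"}
RT_VERSION = 16            # resource type id for VS_VERSIONINFO
SUBDIR_FLAG = 0x80000000   # high bit of OffsetToData: entry points to a subdirectory


def _dir_entries(blob, off):
    """Yield (id_or_name, offset_field) for one IMAGE_RESOURCE_DIRECTORY at off.
    The 16-byte header ends with NumberOfNamedEntries and NumberOfIdEntries."""
    n_named, n_ids = struct.unpack_from("<HH", blob, off + 12)
    pos = off + 16
    for _ in range(n_named + n_ids):
        yield struct.unpack_from("<II", blob, pos)
        pos += 8


def resource_languages(rsrc):
    """Walk the three-level tree (type -> name -> language) of a raw .rsrc
    section (offsets taken relative to the section start) and return the
    set of LANGIDs found at the language level."""
    langs = set()
    for _rtype, l2 in _dir_entries(rsrc, 0):
        if not l2 & SUBDIR_FLAG:
            continue
        for _name, l3 in _dir_entries(rsrc, l2 & ~SUBDIR_FLAG):
            if not l3 & SUBDIR_FLAG:
                continue
            for langid, _data in _dir_entries(rsrc, l3 & ~SUBDIR_FLAG):
                langs.add(langid & 0xFFFF)
    return langs


def describe(rsrc):
    """Human-readable list of the language tags present in the section."""
    return sorted(LANGIDS.get(l, f"unknown-0x{l:04x}") for l in resource_languages(rsrc))


def _directory(entries):
    """Build an IMAGE_RESOURCE_DIRECTORY containing only ID entries."""
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return hdr + b"".join(struct.pack("<II", i, o) for i, o in entries)


# Constructed sample section: one RT_VERSION resource, name 1, tagged Korean.
# Each one-entry directory is 24 bytes, so L1 at 0, L2 at 24, L3 at 48, data at 72.
SAMPLE_RSRC = (
    _directory([(RT_VERSION, SUBDIR_FLAG | 24)])
    + _directory([(1, SUBDIR_FLAG | 48)])
    + _directory([(0x0412, 72)])
    + struct.pack("<IIII", 0x1000, 0x40, 0, 0)   # IMAGE_RESOURCE_DATA_ENTRY
)

if __name__ == "__main__":
    print(describe(SAMPLE_RSRC))  # ['ko-KR']
```

Nothing in the parsed field ties it to a person or a country: the same two bytes are produced by any toolchain whose locale is set to Korean, so the finding only narrows the build environment, not the operator.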

Evidence: Files Show Up In Other Hacks

The Sony attackers didn’t just siphon data from the studio’s networks; they also used a wiper component to destroy data. To do the wiping, they used a driver from a commercially available product that had been used by other attackers before. The product, called RawDisk, uses drivers that allow administrators to securely delete data from hard drives or to access memory for forensic purposes.

The same product was used in similarly destructive attacks that hit Saudi Arabia and South Korea. Since some people have claimed those were both nation-state attacks—U.S. officials blamed Iran for the Saudi Arabia attack; South Korea blamed China and North Korea for its attack—people assume the Sony hack is also a nation-state attack. But the evidence pointing to those other attacks as nation-state attacks is also flimsy.

The 2012 attack in Saudi Arabia, dubbed Shamoon, wiped data from about 30,000 computers belonging to Saudi Aramco, the state-owned oil conglomerate. Although U.S. officials blamed Iran for it, researchers found that malware used in the attack contained sloppy code riddled with errors and attributed it to hacktivists with political motives rather than a nation-state. The malware displayed part of an image of a burning U.S. flag on infected machines before they were wiped. What’s more, a group calling itself the Cutting Sword of Justice took credit for the hack. “This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression,” they wrote in a Pastebin post. “We invite all anti-tyranny hacker groups all over the world to join this movement. We want them to support this movement by designing and performing such operations, if they are against tyranny and oppression.”

That sounds like a call to recruit other like-minded activists who might also be opposed to, say, a “criminal” company like Sony.

Last year, a similarly destructive attack, dubbed Dark Seoul by researchers, struck computers at banks and media companies in South Korea. The attack used a logic bomb, set to go off at a specific time, that wiped computers in a coordinated fashion. The attack wiped the hard drives and master boot records of computers at three banks and two media companies simultaneously, reportedly putting some ATMs out of operation and preventing South Koreans from withdrawing cash from them. As with the Sony and Saudi Aramco hacks, the attackers used a RawDisk driver for their attack. They also left an image of a skull on the web site of the South Korean president’s office. And an IP address used for one of the attackers’ command-and-control servers matches an IP address the Sony hackers used for one of their command servers.

South Korea blamed North Korea for the attack and, at one point, China as well, since an IP address in China appeared to be part of the campaign. Officials later retracted the allegations.

The same group behind this attack is said to be behind other attacks in South Korea that occurred on the anniversary of the Korean War.

OK, So Who Hacked Sony?

Regardless of whether the Sony, Saudi Aramco and South Korea attacks are related, the evidence indicating they’re nation-state attacks is circumstantial. And all of the same evidence could easily point to hacktivists. Our money is on the latter.

This is likely a group of various actors who coalesce and disperse, as the Anonymous hackers did, based on their common interests. But even with that said, there is another possibility with regard to the Sony hack: that the studio’s networks weren’t invaded by a single group but by many, some with political interests at heart and others bent on extortion. Therefore, we can’t rule out the possibility that nation-state attackers were also in Sony’s network or that a nation like North Korea was supportive of some of these hackers, since they shared similar anger over Sony. Another interesting scenario was recently posited by Deadline, suggesting that China may have initiated a breach at Sony during business negotiations with the studio last year, before handing off control to freelance hackers.

[1,2]: Update at 8 p.m. 12/18/14: Minutes after we published this story examining the known evidence for and against North Korea as the source of the hack, The New York Times and other media outlets announced that the U.S. administration was ready to conclude North Korea was involved in the Sony hack. We have updated the story with this new information.
