I got this in my inbox last night:
IT Nerd, let me get straight to the point. Do you think North Korea is behind the Sony hack or someone else is responsible?
Thanks for the question.
I have nothing but a gut feeling on this…. Well, a bit more than a gut feeling… But I would say that I don’t believe that North Korea is behind the Sony hack. I will admit that North Korea does have the ability to do this sort of thing, plus they have people at arms length that are capable of doing this sort of thing as well (they’re arms length so that it gives North Korea plausible deniability). I don’t see either being responsible as this doesn’t quite fit the usual modus operandi from either of these groups. From what I do understand about North Korea and the hackers that do their bidding, they’re more of the hit and run sort. In other words, they get in, get what they are looking for and get out. They’re also in it for economic gain or to disrupt some project or goal the target has. Regardless of the end goal, they don’t broadcast what they’ve done, nor do they have fancy names for themselves. If we look at this hack, we have the “Guardians Of Peace” which is a group nobody has ever heard of. Not computer security experts, not intelligence agencies (at least not that they admit to), nobody. They’ve not only hacked Sony, they’ve released data that has embarrassed Sony and made threats of “9/11 style attacks” that their ability to pull off is dubious at best. A government who is behind a hack of this sort would not want to do any of that because it draws way too much attention to their covert hacking activities. Thus, that really casts doubt on North Korea being responsible.
So, who could be responsible? It could be hackers who are using “The Interview” and the North Korean connection as cover. After all, Sony is a company that hackers have targeted for years. So quite literally, anybody could be responsible for this. Alternately it could be a disgruntled ex-employee, though they would need the skills to pull this off. A deskside support guy isn’t going to have those skills. But maybe a network admin who has some friends with the required skill could pull this off as long as they know enough about the Sony Pictures infrastructure to make this a viable attack. What makes the latter plausible is the fact that there were significant layoffs at Sony Pictures recently. It isn’t too much of a stretch to think that someone who got separated from their job was looking for a bit of revenge. You could come up with all sorts of plausible theories on this front that would make sense. Thus it further casts doubt on the whole North Korea angle.
Now the FBI did lay out their reasoning in their press release on the subject. Here’s the key points:
- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
Here’s where the reasoning that’s printed above falls apart. Reusing malware code and the tools to make this attack on Sony happen is a great way for hackers to cover their tracks and they do this all the time. Just because malware “x” was used in one particular attack doesn’t mean that the same people are using it in another attack. Plus, another way for hackers to cover their tracks is to make it look like the attack is coming from someplace else. This is called spoofing and it’s not just hackers who do this. People in Canada who get access to the shows on the US version of Netflix or those who get access to BBC iPlayer from Canada make use spoofing to make themselves appear to be in the US or the UK respectively and it doesn’t take a whole lot of skill to pull that off. Thus none of this is a smoking gun that points definitively at North Korea.
While it is possible that North Korea is behind this hack, I don’t think that there’s enough evidence here to say so definitively. I think when cooler heads prevail, it will be discovered that someone else not even remotely associated with North Korea was behind this. It will be interesting to see what happens if and when that day comes.
Like this:
Like Loading...
Related
This entry was posted on December 23, 2014 at 7:00 am and is filed under Commentary with tags hack, North Korea, Sony. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Hey IT Nerd! Do You Think That North Korea Is Behind The Sony Hack?
I got this in my inbox last night:
IT Nerd, let me get straight to the point. Do you think North Korea is behind the Sony hack or someone else is responsible?
Thanks for the question.
I have nothing but a gut feeling on this…. Well, a bit more than a gut feeling… But I would say that I don’t believe that North Korea is behind the Sony hack. I will admit that North Korea does have the ability to do this sort of thing, plus they have people at arms length that are capable of doing this sort of thing as well (they’re arms length so that it gives North Korea plausible deniability). I don’t see either being responsible as this doesn’t quite fit the usual modus operandi from either of these groups. From what I do understand about North Korea and the hackers that do their bidding, they’re more of the hit and run sort. In other words, they get in, get what they are looking for and get out. They’re also in it for economic gain or to disrupt some project or goal the target has. Regardless of the end goal, they don’t broadcast what they’ve done, nor do they have fancy names for themselves. If we look at this hack, we have the “Guardians Of Peace” which is a group nobody has ever heard of. Not computer security experts, not intelligence agencies (at least not that they admit to), nobody. They’ve not only hacked Sony, they’ve released data that has embarrassed Sony and made threats of “9/11 style attacks” that their ability to pull off is dubious at best. A government who is behind a hack of this sort would not want to do any of that because it draws way too much attention to their covert hacking activities. Thus, that really casts doubt on North Korea being responsible.
So, who could be responsible? It could be hackers who are using “The Interview” and the North Korean connection as cover. After all, Sony is a company that hackers have targeted for years. So quite literally, anybody could be responsible for this. Alternately it could be a disgruntled ex-employee, though they would need the skills to pull this off. A deskside support guy isn’t going to have those skills. But maybe a network admin who has some friends with the required skill could pull this off as long as they know enough about the Sony Pictures infrastructure to make this a viable attack. What makes the latter plausible is the fact that there were significant layoffs at Sony Pictures recently. It isn’t too much of a stretch to think that someone who got separated from their job was looking for a bit of revenge. You could come up with all sorts of plausible theories on this front that would make sense. Thus it further casts doubt on the whole North Korea angle.
Now the FBI did lay out their reasoning in their press release on the subject. Here’s the key points:
Here’s where the reasoning that’s printed above falls apart. Reusing malware code and the tools to make this attack on Sony happen is a great way for hackers to cover their tracks and they do this all the time. Just because malware “x” was used in one particular attack doesn’t mean that the same people are using it in another attack. Plus, another way for hackers to cover their tracks is to make it look like the attack is coming from someplace else. This is called spoofing and it’s not just hackers who do this. People in Canada who get access to the shows on the US version of Netflix or those who get access to BBC iPlayer from Canada make use spoofing to make themselves appear to be in the US or the UK respectively and it doesn’t take a whole lot of skill to pull that off. Thus none of this is a smoking gun that points definitively at North Korea.
While it is possible that North Korea is behind this hack, I don’t think that there’s enough evidence here to say so definitively. I think when cooler heads prevail, it will be discovered that someone else not even remotely associated with North Korea was behind this. It will be interesting to see what happens if and when that day comes.
Share this:
Like this:
Related
This entry was posted on December 23, 2014 at 7:00 am and is filed under Commentary with tags hack, North Korea, Sony. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.