Cybersecurity experts looking at the FBI's explanation for why North Korea was behind the Sony hack say the logic keeps coming up short, as they increasingly question whether someone else could be behind one of the worst hacks in U.S. history.
These experts have called into question the timeline of the attack, aspects of the language used, and the capabilities of North Korea's bandwidth. Some say the FBI was too quick to point the finger without looking further than the most obvious clues in the malware.
"For hackers that's just brilliant. By blaming North Korea, the hackers have a carte blanche really," said Jeffrey Carr, founder and CEO of Taia Global, a Seattle-based company that provides cybersecurity consultations to government agencies and private companies. "I'm not aware of this ever being done before. They've successfully ripped apart a multinational corporation. They successfully got them to shut down a movie. And to top that off they've convinced the FBI and NSA that the North Korean government is responsible. If I was them, I'd be popping Cristal."
The proof pointing to North Korea's culpability in the attack was summarized by the FBI in a statement issued last week:
Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
Many leading cybersecurity experts have now challenged that statement, questioning everything from the code in the malware that was used, to the IP evidence and capabilities of North Korean infrastructure.
Malware code is often shared among hackers, as it is adopted and used for different attacks.
The FBI spotted similarities between the malware used in the Sony hack and a similar code used in an attack on South Korea last year. Nimrod Kozlovski, a partner in JVP Labs, one of Israel's leading venture capital firms that invests in cybersecurity companies, said he found that argument "hardly conclusive." Often after an attack, code gets posted online and shared in hackers' forums where it is used and reused.
"It can be easily cut and paste from one place to another," Kozlovski said. "Any hacker could do that."
North Korea is not exactly the "closed" environment suggested by the FBI.
As for the IP evidence mentioned by the FBI, Carr of Taia Global told BuzzFeed News that the "conventional wisdom is that North Korea's internet is a closed environment, so anything tracked to North Korea must be from them. But that is incorrect; there are plenty of ways to get access to North Korea's internet and launch attacks which appear to be from there."
In a blog post this weekend, Carr looked at several companies tasked with providing internet services to North Korea and zeroes in on Loxley Pacific, a Thai company that runs a joint venture with the North Korean government to provide fixed telephone lines, mobile phones, internet, and satellite communications to North Korea.
Carr pointed out that the geolocation of the first leak of the Sony data on Dec. 2 was traced to the St. Regis Hotel in Bangkok, just 2.5 miles from the Loxley offices. BuzzFeed News repeatedly tried to reach a Loxley company representative Monday, but was given no comment on the company's possible involvement.
"One of the easiest ways to compromise the internet of a country is to work through a vendor which supplies to that country. This is what we, in the security world, refer to as a supply chain vector. What it means is that if you can't attack a company or entity, you attack a supplier and get access that way," Carr said. "If what I propose is true, this is a supply chain attack using Loxley."
The language used in the malware and the written text of the threats could be faked.
Blogs that focus on syntax and language have analyzed the brief text released by the hackers and debated whether the grammatical errors are consistent with a North Korean person trying to write in English, or deliberately introduced errors to try and simulate such a person.
The Marc Rogers blog has also posted a thorough look at the language used in the attack in which he argues, "The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea … they don't speak traditional 'Korean' in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult."
Hacktavists say North Korea doesn't have the bandwidth to exfiltrate that kind of data with no one noticing.
In a recent statement on Pastebin, Anonymous wrote, "We all know the hacks didn't come from North Korea." Hector Monsegur, codename Sabu, who attacked Sony himself before turning into an FBI informant, has also questioned the likelihood of North Korea being behind the attack.
"For something like this to happen, it had to happen over a long period of time. You cannot just exfiltrate 1TB or 100TB of data in a matter of weeks," Monsegur told CBS This Morning. He explained it would have taken "months, even years" for someone to exfiltrate 100TB of data without anyone noticing. "Look at the bandwidth going into North Korea. I mean, the pipelines, the pipes going in, handling data, they only have one major ISP across their entire nation. That kind of information flowing at one time would have shut down North Korean internet completely."
Monsegur, and Anonymous, also point out that the Guardians of Peace, the hacking group that’s claimed responsibility for the attack, has also mocked the FBI’s investigation with the following video:
If not North Korea, then who?
Evan Goldberg, co-director of The Interview, who spoke to Vancouver-based site The Straight, said that while he doesn't have any inside knowledge, he doesn't think it was North Korea.
"For two seconds it was the North Koreans, and then the younger guys in our office who know way more about computers were like, 'No way. You'd have to know Sony's network, it has to be somebody on the inside.'"
Few have placed much stock in North Korea's denial of any involvement in an attack, or their offer for a joint investigation. President Obama last Friday declared that the U.S. was weighing a "proportionate response" to North Korea. On Monday, the North Korean internet went completely dark.
Cybersecurity experts say that if it weren't the North Koreans, it could have been a medley of other parties. "Let me put it to you this way. It could have been a group of hackers from China, from Thailand, from Russia, or here, from Israel, and they all would have been equally good at faking evidence to point to North Korea," said one Israeli cyberintelligence officer who spoke to BuzzFeed News on condition of anonymity as he is still in active service. "You have to look at motivations, and capability."
Israel, he said, has often seen the North Korean government hire out hackers in China or Russia to use for espionage activities on South Korea.
China has condemned the attack, but also said that it sees no clear evidence that North Korea was behind the malware. Cybersecurity experts point out that in the past, South Korea has found evidence of Chinese IPs being used in North Korean-sponsored attacks, showing some Chinese hackers could be cooperating with the North Korean regime.
"It would not be out of character for the North Korean government to support this type of hacking effort, even as it was undertaken by someone else," said the officer. "It's also possible they really had nothing to do with it but that they are the easiest to pin the blame on."
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.