Questions remain after FBI charges North Korea with attack on Sony Pictures

FBI says that DPRK was responsible, but the evidence is questionable

The FBI formally accused North Korea of attacking Sony Pictures on Friday, citing three levels of evidence that has led to this conclusion. But does the FBI have it right, or are they missing the obvious?

There's no denying that the attack against Sony Pictures was catastrophic. To date there have been more than 230GB of data leaked by the attackers. The entire network was compromised, with each business unit being impacted.

Worse, after the attackers made thinly veiled threats of physical attacks, Sony was forced to cancel the movie The Interview, ultimately meeting one of the demands made by the attackers.

In a statement issued on Friday, the FBI says that after working with other U.S. government departments and agencies, they now had enough information to conclude that North Korea was responsible for the attack on Sony Pictures.

The formal accusation comes just over a week after the FBI said there was nothing linking North Korea to the attack.

Pointing to the need to protect "sensitive sources and methods" the FBI didn't itemize their proof; instead the agency listed three points that helped them reach their conclusion.

"Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks."

The problem is, just because code is similar doesn't mean that it is from the same source. Criminals recycle code all the time, and anyone could cut and paste code from DarkSeoul (the malware used in the attacks on South Korea) and use it in a new attack.

Furthermore, the FBI's own technical memos on the Sony malware note that public tools were used by the attackers – tools that anyone could access. Also, it's an important fact to remember that wiper malware has existed for years.

"The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack."

Using IP addresses as a source attribution doesn't always work. In most cases it's unreliable, because criminals can use proxies, compromised systems, or other means to further their attack, while hiding their origins.

Also, according to the Wall Street Journal, there was only a single instance where the malware on Sony's systems contacted North Korea. One IP doesn't mean anything in an attack such as this.

As to the other infrastructure mentioned, the FBI hasn't sad much, but their memos on the attack point to several other countries where C2 activity was observed, such as Italy, Thailand, or Poland.

It isn't clear how they can ignore the other – common and frequent – sources and stick to a single destination (other than the fact that it fits a narrative that was constructed early on in the Sony timeline).

"Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea."

Again, most code can be recycled, and the tools used by the wiper malware at Sony were publicly available, according to the FBI's own reporting on the subject. This doesn't prove that North Korea did anything.

After reading their statement, and considering the storyline of the Sony Pictures hack so far, it's almost as if the FBI ignored the fact that things such as rented botnets, recycled code, or proxies exist.

In short, those with an expertise in information security and hacking (both legal and criminal) aren't buying the FBI's conclusions.

On Twitter, Dave Kennedy, the CEO of TrustedSec, said that the language used by the FBI, "sets a major precedence."

"Using words to attribute NK with Sony and no firm evidence with a million man army is ill-advised."

Speaking to Salted Hash, he expanded on that line of thought.

"Evidence provided to me was nothing different than what's already public and many indicators where we can't say it's North Korea. There's no report on analysis how they had inside knowledge and designed the malware for Sony, or any steps taken during incident response to show evidence supporting it."

So the FBI has taken a stand, but this case is far from over.

In related news, Sony Pictures is said to have caved further to the demands made by their attackers, removing the official website and the trailer for The Interview on Friday.

On the following page, are comments from various experts and officials who have offered their take on the FBI's conclusions or the situation. Salted Hash presents them unedited as additional sources of thought and opinion.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)