Entries Tagged "North Korea"

Page 3 of 3

Did North Korea Really Attack Sony?

I am deeply skeptical of the FBI’s announcement on Friday that North Korea was behind last month’s Sony hack. The agency’s evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the US government would make the accusation this formally if officials didn’t believe it.

Clues in the hackers’ attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one, since North Koreans use a unique dialect. However you read it, this sort of evidence is circumstantial at best. It’s easy to fake, and it’s even easier to interpret it incorrectly. In general, it’s a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the “evidence” to suit the narrative they already have worked out in their heads.

In reality, there are several possibilities to consider:

  • This is an official North Korean military operation. We know that North Korea has extensive cyberattack capabilities.
  • This is the work of independent North Korean nationals. Many politically motivated hacking incidents in the past have not been government-controlled. There’s nothing special or sophisticated about this hack that would indicate a government operation. In fact, reusing old attack code is a sign of a more conventional hacker being behind this.
  • This is the work of hackers who had no idea that there was a North Korean connection to Sony until they read about it in the media. Sony, after all, is a company that hackers have loved to hate for a decade. The most compelling evidence for this scenario is that the explicit North Korean connection — threats about the movie The Interview — were only made by the hackers after the media picked up on the possible links between the film release and the cyberattack. There is still the very real possibility that the hackers are in it just for the lulz, and that this international geopolitical angle simply makes the whole thing funnier.
  • It could have been an insider — Sony’s Snowden — who orchestrated the breach. I doubt this theory, because an insider wouldn’t need all the hacker tools that were used. I’ve also seen speculation that the culprit was a disgruntled ex-employee. It’s possible, but that employee or ex-employee would have also had to possess the requisite hacking skills, which seems unlikely.
  • The initial attack was not a North Korean government operation, but was co-opted by the government. There’s no reason to believe that the hackers who initially stole the information from Sony are the same ones who threatened the company over the movie. Maybe there are several attackers working independently. Maybe the independent North Korean hackers turned their work over to the government when the job got too big to handle. Maybe the North Koreans hacked the hackers.

I’m sure there are other possibilities that I haven’t thought of, and it wouldn’t surprise me if what’s really going on isn’t even on my list. North Korea’s offer to help with the investigation doesn’t clear matters up at all.

Tellingly, the FBI’s press release says that the bureau’s conclusion is only based “in part” on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq’s weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

Allan Friedman, a research scientist at George Washington University’s Cyber Security Policy Research Institute, told me that, from a diplomatic perspective, it’s a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Sony also has a vested interest in the hack being the work of North Korea. The company is going to be on the receiving end of a dozen or more lawsuits — from employees, ex-employees, investors, partners, and so on. Harvard Law professor Jonathan Zittrain opined that having this attack characterized as an act of terrorism or war, or the work of a foreign power, might earn the company some degree of immunity from these lawsuits.

I worry that this case echoes the “we have evidence — trust us” story that the Bush administration told in the run-up to the Iraq invasion. Identifying the origin of a cyberattack is very difficult, and when it is possible, the process of attributing responsibility can take months. While I am confident that there will be no US military retribution because of this, I think the best response is to calm down and be skeptical of tidy explanations until more is known.

This essay originally appeared on The Atlantic.

Lots more doubters. And Ed Felten has also written about the Sony breach.

EDITED TO ADD (12/24): Nicholas Weaver analyzes how the NSA could determine if North Korea was behind the Sony hack. And Jack Goldsmith discusses the US government’s legal and policy confusion surrounding the attack.

EDITED TO ADD: Slashdot thread. Hacker News thread.

EDITED TO ADD (1/14): Interesting article by DEFCON’s director of security operations.

Posted on December 24, 2014 at 6:27 AMView Comments

Reacting to the Sony Hack

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I’ve heard calls for us to strike back, with actual missiles and bombs. We’re collectively pegging the hype meter, and the best thing we can do is calm down and take a deep breath.

First, this is not an act of terrorism. There has been no senseless violence. No innocents are coming home in body bags. Yes, a company is seriously embarrassed–and financially hurt–by all of its information leaking to the public. But posting unreleased movies online is not terrorism. It’s not even close.

Nor is this an act of war. Stealing and publishing a company’s proprietary information is not an act of war. We wouldn’t be talking about going to war if someone snuck in and photocopied everything, and it makes equally little sense to talk about it when someone does it over the internet. The threshold of war is much, much higher, and we’re not going to respond to this militarily. Over the years, North Korea has performed far more aggressive acts against US and South Korean soldiers. We didn’t go to war then, and we’re not going to war now.

Finally, we don’t know these attacks were sanctioned by the North Korean government. The US government has made statements linking the attacks to North Korea, but hasn’t officially blamed the government, nor have officials provided any evidence of the linkage. We’ve known about North Korea’s cyberattack capabilities long before this attack, but it might not be the government at all. This wouldn’t be the first time a nationalistic cyberattack was launched without government sanction. We have lots of examples of these sorts of attacks being conducted by regular hackers with nationalistic pride. Kids playing politics, I call them. This may be that, and it could also be a random hacker who just has it out for Sony.

Remember, the hackers didn’t start talking about The Interview until the press did. Maybe the NSA has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical. We don’t know who did this, and we may never find out. I personally think it is a disgruntled ex-employee, but I don’t have any more evidence than anyone else does.

What we have is a very extreme case of hacking. By “extreme” I mean the quantity of the information stolen from Sony’s networks, not the quality of the attack. The attackers seem to have been good, but no more than that. Sony made its situation worse by having substandard security.

Sony’s reaction has all the markings of a company without any sort of coherent plan. Near as I can tell, every Sony executive is in full panic mode. They’re certainly facing dozens of lawsuits: from shareholders, from companies who invested in those movies, from employees who had their medical and financial data exposed, from everyone who was affected. They’re probably facing government fines, for leaking financial and medical information, and possibly for colluding with other studios to attack Google.

If previous major hacks are any guide, there will be multiple senior executives fired over this; everyone at Sony is probably scared for their jobs. In this sort of situation, the interests of the corporation are not the same as the interests of the people running the corporation. This might go a long way to explain some of the reactions we’ve seen.

Pulling The Interview was exactly the wrong thing to do, as there was no credible threat and it just emboldens the hackers. But it’s the kind of response you get when you don’t have a plan.

Politically motivated hacking isn’t new, and the Sony hack is not unprecedented. In 2011 the hacker group Anonymous did something similar to the internet-security company HBGary Federal, exposing corporate secrets and internal emails. This sort of thing has been possible for decades, although it’s gotten increasingly damaging as more corporate information goes online. It will happen again; there’s no doubt about that.

But it hasn’t happened very often, and that’s not likely to change. Most hackers are garden-variety criminals, less interested in internal emails and corporate secrets and more interested in personal information and credit card numbers that they can monetize. Their attacks are opportunistic, and very different from the targeted attack Sony fell victim to.

When a hacker releases personal data on an individual, it’s called doxing. We don’t have a name for it when it happens to a company, but it’s what happened to Sony. Companies need to wake up to the possibility that a whistleblower, a civic-minded hacker, or just someone who is out to embarrass them will hack their networks and publish their proprietary data. They need to recognize that their chatty private emails and their internal memos might be front-page news.

In a world where everything happens online, including what we think of as ephemeral conversation, everything is potentially subject to public scrutiny. Companies need to make sure their computer and network security is up to snuff, and their incident response and crisis management plans can handle this sort of thing. But they should also remember how rare this sort of attack is, and not panic.

This essay previously appeared on Vice Motherboard.

EDITED TO ADD (12/25): Reddit thread.

Posted on December 22, 2014 at 6:08 AMView Comments

News

Great moments in security screening

The U.S. government’s cybersecurity chief resigned with a day’s notice. I can understand his frustration; the position had no power and could only suggest, plead, and cheerlead.
Computerworld
Washington Post
FCW.com
CNet

North Korea had over 500 trained cyberwarriors, according to the South Korean Defense Ministry. Maybe this is true, and maybe it’s just propaganda–from either the North or the South. Although certainly any smart military will train people in the art of attacking enemy computer networks.
channelnewsasia.com

Posted on October 18, 2004 at 9:23 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.