President Obama has done his best to tamp down fury at North Korea for hacking Sony--"I don't think it was an act of war," he said Sunday on CNN, but "cybervandalism"--but to find true skepticism about North Korea's role in the attack, you have to turn to the professional hacking and anti-hacking community.
Many hackers, anti-hackers and cybersecurity experts still don't share the FBI's conclusion that "the North Korean government is responsible for these actions," as the agency declared last week. They've picked apart the FBI's evidence, which was set forth in a public memo Friday and a much more detailed alert circulated to corporation security departments early in December, and found it wanting.
As we explained earlier, that's important for two main reasons: You don't want to stoke anger at a government that may be either innocent or peripherally involved (North Korea has denied responsibility for the Sony attack), and you don't want the real perpetrators to evade the law-enforcement net.
Let's take a look at what the experts are saying. Our first stop is Marc W. Rogers, whose anti-hacking credentials are impeccable; among other roles, he helps screen papers for presentation at DEF CON, the leading hacker conference.
In his latest blog post, Rogers underlines what he sees as the major weaknesses in the FBI's claim. The agency says it blamed North Korea in part because the software deployed against Sony resembles that used, purportedly by North Korea, in two other major hack attacks, one targeting the Saudi arm of the oil company Aramco in 2012, and a crippling attack on South Korean businesses in 2013.
The problem there is that North Korea's role in the earlier attacks is itself unproven. Rogers writes that it's "pretty weak in my books to claim that the newest piece of malware is the act of a nation state because other possible related pieces of malware were 'rumored' to be the work of a nation state. Until someone comes up with solid evidence actually attributing one of these pieces of malware to North Korea I consider this evidence to be, at best, speculation."
Rogers also questions the FBI's assertion that "significant overlap" exists "between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. That infrastructure comprises IP, or Internet protocol, addresses purportedly used in the past by North Korea and found in the malware deployed against Sony.
But as Rogers and fellow hacker "Dr. Krypt3ia" assert, the IP addresses cited by the FBI (in its earlier flash alert) are proxy addresses that, Dr. Krypt3ia says, "could be used by just about anyone" to hide their location and identity. They're not located within North Korea or even in China, which is sometimes identified as its accomplice, but rather in Thailand, Poland and other countries--all "open to the public" and used in previous span and malware attacks. "No North Koreans," Rogers says, "just common garden internet cybercriminals."
The anti-hacker community isn't ruling out North Korea. Many also acknowledge that the FBI may have stronger evidence against North Korea that it's chosen not to make public. It's also proper to note that disdain for the FBI--indeed, for the government in general--runs deep in this community.
But these experts' warnings that it may be premature to declare the case closed should be taken seriously. To quote Dr. Krypt3ia again: "Let’s take a step back here and ponder the FBI statement today on colonel mustard in the study with the laptop before we go PEW PEW PEW ok?"