Sony insider -- not North Korea -- likely involved in hack, experts say

'We can't find any indication that North Korea either ordered, masterminded or funded' Sony hack -- Norse exec

Federal authorities insist that the North Korean government is behind the cyberattack on Sony Pictures Entertainment.

Cybersecurity experts? Many are not convinced.

From the time the hack became public Nov. 24, many of these experts have voiced their suspicions that a disgruntled Sony Pictures insider was involved.

Respected voices in the online security and anti-hacking community say the evidence presented publicly by the FBI is not enough to draw firm conclusions.

They argue that the connections between the Sony hack and the North Korean government amount to circumstantial evidence. Further, they say the level of the breach indicates an intimate knowledge of Sony's computer systems that could have come from someone on the inside.

This week, prominent San Mateo, Calif., cybersecurity firm Norse Corp. — whose clients include government agencies, financial institutions and technology companies — briefed law enforcement officials on evidence it collected that pointed toward an inside job.

"We can't find any indication that North Korea either ordered, masterminded or funded this attack," Kurt Stammberger, a senior vice president at Norse, said in an interview with The Times. Although conceding that his findings were not conclusive, Stammberger added: "Nobody has been able to find a credible connection to the North Korean government."

Stammberger said a team of nine analysts dug through data including Norse's worldwide network of millions of Web sensors, internal Sony documents and underground hacker chat rooms. Leads suggesting North Korea as the culprit turned out to be red herrings and dead ends, he said.

Instead, the data pointed to a former employee who may have collaborated with outside hackers. The employee, who left the studio in a May restructuring, had the qualifications and access necessary to carry out the crime, according to Stammberger.

Moreover, names of company servers and passwords were programmed into the malware that infiltrated the studio's network, suggesting hackers had inside knowledge of the studio's systems, Stammberger said.

The FBI, which first accused North Korea on Dec. 19, has stood by its conclusion, saying in a statement there is "no credible information to indicate that any other individual is responsible for this cyber incident."

Sony Pictures declined to comment.

President Obama this month said North Korea was behind the Sony attack and pledged a "proportional" response. North Korea's Internet suffered outages in the days following the announcement. The U.S. hasn't taken responsibility for the outages, but North Korea has blamed Obama.

Federal investigators have cited several findings to support their conclusion.

Analysis of the malware used in the attack revealed links to destructive software previously used by those working on behalf of the rogue state, and the FBI found "significant overlap" with the cyberactivity previously linked to North Korea. Additionally, the tools used against Sony bore similarities to those used in an attack carried out by North Korea against South Korean banks and media outlets last year, the agency said.

But analysts said attribution in cyberattacks is difficult, and hackers are skilled in obfuscation and misdirection to avoid getting caught. Also, software-wiping technology used by the so-called Guardians of Peace group against Sony is widely available to hackers and can be easily purchased. Many were surprised that the FBI made its announcement so quickly.

"You don't want to jump to conclusions in a cyberattack," said Rob Sloan, head of cybercontent and data at Dow Jones. "Attributing attacks is really a non-scientific art."

Then there's the question of "The Interview." The Sony comedy thought to be at the center of the attack depicts a fictional assassination attempt on Kim Jong Un, the leader of North Korea. Although North Korea has denied involvement in the attack, it condemned the movie as an "act of war" as early as June.

Sony halted its planned Christmas Day wide release of "The Interview" after the majority of theater owners opted against showing it in the face of threats of physical violence from hackers. The studio later allowed it to screen in more than 300 independent theaters and released it online for rental and purchase.

But analysts said the connection to "The Interview" is tenuous. The hackers didn't begin to mention the Seth Rogen-James Franco farce in their public messages until media outlets had already reported that the movie was the catalyst for the attack, said Ralph Echemendia, chief executive of the Los Angeles-based digital security consulting firm Red-e Digital.

Echemendia said Guardians of Peace may have latched onto the notion of "The Interview" as their motivation after attempts to use the stolen data for ransom failed.

"If a hacker group can't figure out how to monetize data, they sit on it and sit on it, and then it becomes trolling," he said, referring to the practice of provocative online activity. "This is probably the biggest troll I've ever seen. Their attitude became 'Let's have some fun with this.'"

One cybersecurity firm using linguistic analysis of the hackers' messages even suggested that the attackers were Russian rather than Korean.

Shlomo Argamon, chief scientist at Seattle cybersecurity consulting firm Taia Global, said he and other researchers examined 20 phrases "that are not normally used in English and conducted word-for-word translations" in Korean, Mandarin Chinese, Russian and German. Of the 20 phrases, 15 matched Russian phrases, and nine matched Korean phrases.

"I don't think we have a clear picture, but there's certainly reason to doubt the total attribution of this to North Korea," Argamon said.

The FBI said it could not provide additional information on the case, but said its attribution to North Korea is "based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector."

Even skeptics who doubt the attack was state-sponsored said the FBI may have more convincing evidence that it has chosen to keep secret.

"Being in the intelligence community, I trust the FBI has some information that I do not have," said Tom Chapman, a former U.S. Navy intelligence officer and director of the cyberoperations group at Edgewave.

Times staff writer Bob Drogin contributed to this report.

Copyright © 2016, Los Angeles Times
60°