The received wisdom that North Korea is responsible for hacking Sony Pictures Entertainment has taken over discussion so thoroughly that the Obama administration already has been chided for not taking firm action against the insular regime. Until Friday, official sources’ attribution of blame to North Korea was off the record; the FBI has now issued a formal accusation.
Yet that makes it even more important to point out that in the hacker and anti-hacker community the conclusion is by no means unanimous. Much of the evidence provided against North Korea up to now has been circumstantial: The regime was mad about Sony’s assassination comedy “The Interview,” it has expressed approval of the hacking (though not explicitly taken credit), etc.
The FBI filled in some blanks Friday by noting that “technical analysis of the data-deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed,” including “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.” The FBI also found Internet addresses linked to North Korea in the malware involved in the attack.
Still, it may be wise to stay cautious; some cybersecurity experts who were skeptical of the North Korean connection are still skeptical.
The North Korea/“Interview” narrative is comforting in several ways. It feeds into the tendency to attribute almost God-like capabilities to an adversary, especially a secretive one; that’s very much a scenario favored by Hollywood. (Think of the all-time definitive James Bond movie line, from “Dr. No”: “World domination--same old dream.”) And it helps Sony executives deflect blame -- how could anyone expect them to defend against an attack by such a sinister, all-powerful enemy? You can expect to see more coverage, like this piece from CNN, about North Korea’s shadowy “Bureau 121,” purportedly its Cyberattack Central.
There are great dangers in mistaken attribution -- it shifts attention from the real perpetrators, for one thing. A counterattack against North Korea could needlessly provoke the regime, wrecking the few diplomatic initiatives taking place.
Here’s a rundown of the counter-narrative.
--“Whitehat” hacker and security expert Marc W. Rogers argues that the pattern of the attack implies that the attackers “had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time ... Occam’s razor suggests the simpler explanation of an insider,” perhaps one out for workplace revenge. (N.B. “Occam’s razor” is the principle that the simplest explanation for something is often the best.)
--The assertion that the attack was uniquely sophisticated, which is an element of the accusation against North Korea, is both untrue and incompatible with the North Korea narrative. It presupposes that a nation-state without a native computer infrastructure could launch an unprecedented assault. More to the point, very similar hacking technology has been used in earlier hacks in Saudi Arabia and elsewhere. The consulting firm Risk Based Security has a discussion of these and other aspects of the Sony affair.
It’s worth noting that Risk Based Security’s team isn’t entirely convinced by the FBI statement. In an update to their commentary Friday, they observed that the agency has “not released any evidence to back these claims.” They add: “While the FBI certainly has many skilled investigators, they are not infallible. Remember, this agency represents the same government that firmly stated that Iraq had weapons of mass destruction, leading the U.S. into a more than ten-year conflict, which was later disproven.”
--Attribution of responsibility for attacks is much harder than laypersons believe. Kim Zetter of Wired observes, “Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail." Evidence pointing to North Korea, Zetter writes, is also consistent with attacks by “hacktivists,” who attack institutions for political motives of their own.
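To make concrete what code-similarity evidence of the kind the FBI describes does and does not establish, here is an added Python example; it is not from the article, the FBI statement, or any of the experts quoted above. It scores constructed byte blobs on two signals: overlap of 4-byte n-grams, standing in for “similarities in specific lines of code,” and overlap of printable strings, standing in for cheaper indicators such as embedded paths or addresses. The samples, the two strings and the 0.5 threshold are all hypothetical. Samples A and B share a large code block and score high on both signals; sample C shares no code but has the same strings copied into it, the kind of planted clue Zetter describes, and scores high on strings only.

```python
"""Code-similarity scoring of the kind used to link malware samples.

Added example, not from the article or the FBI report. The three "samples"
below are constructed byte strings, not real malware: a shared block stands in
for reused wiper code, and two ASCII strings stand in for the kind of
indicators (paths, share names, addresses) that an attacker can copy into
unrelated code to plant a false trail.
"""
import hashlib
import re


def filler(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes with the high bit set, so they never
    form printable ASCII runs and cannot be mistaken for embedded strings."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        block = hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        out.extend(b | 0x80 for b in block)
        counter += 1
    return bytes(out[:n])


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of all length-n byte substrings; overlap of these sets approximates
    shared code regardless of where that code sits in the file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def printable_strings(data: bytes, min_len: int = 6) -> set:
    """Printable ASCII runs of at least min_len bytes (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def compare(sample_a: bytes, sample_b: bytes) -> dict:
    """Two independent signals: code overlap (n-gram Jaccard) and indicator
    overlap (shared printable strings). They must be read together."""
    return {
        "ngram_jaccard": jaccard(byte_ngrams(sample_a), byte_ngrams(sample_b)),
        "shared_strings": printable_strings(sample_a) & printable_strings(sample_b),
    }


def shared_codebase(a: bytes, b: bytes, threshold: float = 0.5) -> bool:
    """Treat two samples as sharing code only when code-level overlap is high;
    string overlap alone is the cheapest thing for an attacker to fake."""
    return compare(a, b)["ngram_jaccard"] >= threshold


# Constructed samples (hypothetical; no real artifacts or indicators).
SHARED_CODE = filler(seed=1, n=400)                       # stand-in for a reused wiper routine
INDICATORS = b"mbr_overwrite_ok\x00drop_table_done\x00"   # stand-in for copyable strings
SAMPLE_A = SHARED_CODE + INDICATORS + filler(seed=2, n=100)            # first incident
SAMPLE_B = SHARED_CODE + INDICATORS + filler(seed=3, n=100)            # later incident, same code base
SAMPLE_C = filler(seed=4, n=400) + INDICATORS + filler(seed=5, n=100)  # unrelated code, copied strings


if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        r = compare(SAMPLE_A, other)
        print(f"A vs {name}: ngram_jaccard={r['ngram_jaccard']:.2f} "
              f"shared_strings={sorted(r['shared_strings'])} "
              f"shared_codebase={shared_codebase(SAMPLE_A, other)}")
```

Two caveats follow from the example. A high code-overlap score, as with A and B, shows that two samples came from the same tooling, not who ran that tooling; reused attack code, as the Risk Based Security discussion notes, has turned up in unrelated incidents. A high string-overlap score with low code overlap, as with C, is exactly the profile of copied indicators, and a hardcoded address falls into the same easily planted category as a string.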