Evidence of NoKo involvement in Sony Hack 'thin'

The tech blog Wired has a long, fascinating column by Kim Zetter that calls into question allegations by the U.S. government that North Korea is behind the hack of Sony Corporation.

In fact, Zetter's piece pretty much puts to rest the government claim of North Korean involvement.

First off, we have to say that attribution in breaches is difficult. Assertions about who is behind any attack should be treated with a hefty dose of skepticism. Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.

Nation-state attacks often can be distinguished by their level of sophistication and modus operandi, but attribution is no less difficult. It’s easy for attackers to plant false flags that point to North Korea or another nation as the culprit. And even when an attack appears to be nation-state, it can be difficult to know if the hackers are mercenaries acting alone or with state sponsorship—some hackers work freelance and get paid by a state only when they get access to an important system or useful intelligence; others work directly for a state or military. Then there are hacktivists, who can be confused with state actors because their geopolitical interests and motives jibe with a state’s interests.

Distinguishing between all of these can be impossible unless you’re an intelligence agency like the NSA, with vast reach into computers around the world, and can uncover evidence about attribution in ways that law enforcement agents legally cannot.

Zetter goes on to point out that both the FBI and Sony deny NoKo involvement, and that it is far more likely that the hack originated with hacktivists. A state-sponsored attack would not have been as conspicuous as this hack was:

Nation-state attacks aren’t generally as noisy, or announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack. Nor do they use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of GOP have done in media interviews. Nor do such attacks involve posts of stolen data to Pastebin—the unofficial cloud repository of hackers—where sensitive company files belonging to Sony have been leaked. These are all hallmarks of hacktivists—groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz, or by hackers sympathetic to a political cause.

Despite all of this, media outlets won’t let the North Korea narrative go and don’t seem to want to consider other options. If there’s anything years of Law and Order reruns should tell us, it’s that focusing on a single suspect can lead to exclusionary bias where clues that contradict the favored theory get ignored.

There may be political reasons for blaming North Korea for the attack, but the technical evidence is flimsy, and regardless, it was premature of the government to hint at a state-sponsored attack.

Should Sony have surrendered to the hacktivists? If they had gone ahead and released the film, and one theater were blown up, all the profits from the film would have been eaten up by lawsuits. In this case, it may be good business to delay the opening, but it certainly makes Sony look bad for caving in to terrorists.
