Were laid off employees responsible for Sony hack?

A private cyber-intelligence firm briefed the FBI yesterday on their theory of the Sony hack.  The company, Norse, claims that its research shows that the hack was carried out by disgruntled former employees.

The tech community has been pushing back against the government's contention that North Korea was responsible for the attack.  And the FBI is standing behind its original thesis that the North Koreans are behind the hack.

Politico:

FBI agents investigating the Sony Pictures hack were briefed Monday by a security firm that says its research points to laid-off Sony staff, not North Korea, as the perpetrator another example of the continuing whodunit blame game around the devastating attack.

Even the unprecedented decision to release details of an ongoing FBI investigation and President Barack Obama publicly blaming the hermit authoritarian regime hasn’t quieted a chorus of well-qualified skeptics who say the evidence just doesn’t add up.

 

Researchers from the cyber intelligence company Norse have said their own investigation into the data on the Sony attack doesn’t point to North Korea at all and instead indicates some combination of a disgruntled employee and hackers for piracy groups is at fault.

The FBI says it is standing by its conclusions, but the security community says they’ve been open and receptive to help from the private sector throughout the Sony investigation.

Norse, one of the world’s leading cyber intelligence firms, has been researching the hack since it was made public just before Thanksgiving.

Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

[...]

In addition to Norse’s analysis of Internet forums where perpetrators may have communicated and compiled dates within the malware used, a report from firm Taia Global said a linguistic analysis of the purported hacker messages points to Russian speakers rather than Korean.

Security expert Bruce Schneier called the evidence “circumstantial at best” and considered a number of other possible explanations. CloudFlare principal researcher and DefCon official Marc Rogers wrote that the FBI’s indicators seem to rely on malware that is widely available for purchase and IP addresses easily hijacked by any bad guy. Errata Security’s Robert Graham also noted the hacker underground shares plenty of code, calling the FBI’s evidence “nonsense.”

Why would President Obama blame North Korea for the hack if he knew they were innocent?  What would the U.S. have to gain?  And why the rush to judgment?

A speculative conclusion is that the government has some unreleased direct intelligence that North Korea is behind the hack.  It would account for the quick assessment of blame by the FBI.  Do we have a  spy in the highest echelons of the North Korean government?  That's a tantalizing possibility.

Further, if you're going to accuse the Obama administration of not telling the truth, you have to come up with a motive.  To start a war with NoKo?  Not likely.  Tensions are already high on the peninsula, and South Korea is very vulnerable.

Possible leverage gained vis-à-vis China?  North Korea is isolated and doesn't have anything the Chinese want.  Besides, the Chinese appear to be tiring of North Korea's brinkmanship.

Of course, there's always the possibility that the FBI thinks it's right and believes that the techies are full of it.  Presumably, the FBI knows everything the techies know and still says there is no "credible evidence" that anyone except North Korea was involved.

I am open to any suggestions regarding a motive for blaming North Korea for the hack, even though we know they didn't do it. 

A private cyber-intelligence firm briefed the FBI yesterday on their theory of the Sony hack.  The company, Norse, claims that its research shows that the hack was carried out by disgruntled former employees.

The tech community has been pushing back against the government's contention that North Korea was responsible for the attack.  And the FBI is standing behind its original thesis that the North Koreans are behind the hack.

Politico:

FBI agents investigating the Sony Pictures hack were briefed Monday by a security firm that says its research points to laid-off Sony staff, not North Korea, as the perpetrator another example of the continuing whodunit blame game around the devastating attack.

Even the unprecedented decision to release details of an ongoing FBI investigation and President Barack Obama publicly blaming the hermit authoritarian regime hasn’t quieted a chorus of well-qualified skeptics who say the evidence just doesn’t add up.

 

Researchers from the cyber intelligence company Norse have said their own investigation into the data on the Sony attack doesn’t point to North Korea at all and instead indicates some combination of a disgruntled employee and hackers for piracy groups is at fault.

The FBI says it is standing by its conclusions, but the security community says they’ve been open and receptive to help from the private sector throughout the Sony investigation.

Norse, one of the world’s leading cyber intelligence firms, has been researching the hack since it was made public just before Thanksgiving.

Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

[...]

In addition to Norse’s analysis of Internet forums where perpetrators may have communicated and compiled dates within the malware used, a report from firm Taia Global said a linguistic analysis of the purported hacker messages points to Russian speakers rather than Korean.

Security expert Bruce Schneier called the evidence “circumstantial at best” and considered a number of other possible explanations. CloudFlare principal researcher and DefCon official Marc Rogers wrote that the FBI’s indicators seem to rely on malware that is widely available for purchase and IP addresses easily hijacked by any bad guy. Errata Security’s Robert Graham also noted the hacker underground shares plenty of code, calling the FBI’s evidence “nonsense.”

Why would President Obama blame North Korea for the hack if he knew they were innocent?  What would the U.S. have to gain?  And why the rush to judgment?

A speculative conclusion is that the government has some unreleased direct intelligence that North Korea is behind the hack.  It would account for the quick assessment of blame by the FBI.  Do we have a  spy in the highest echelons of the North Korean government?  That's a tantalizing possibility.

Further, if you're going to accuse the Obama administration of not telling the truth, you have to come up with a motive.  To start a war with NoKo?  Not likely.  Tensions are already high on the peninsula, and South Korea is very vulnerable.

Possible leverage gained vis-à-vis China?  North Korea is isolated and doesn't have anything the Chinese want.  Besides, the Chinese appear to be tiring of North Korea's brinkmanship.

Of course, there's always the possibility that the FBI thinks it's right and believes that the techies are full of it.  Presumably, the FBI knows everything the techies know and still says there is no "credible evidence" that anyone except North Korea was involved.

I am open to any suggestions regarding a motive for blaming North Korea for the hack, even though we know they didn't do it.