It’s been nearly two years since a massive cyberattack hit Sony Entertainment, resulting in the leaks of thousands of private emails, social security numbers, unreleased films, and a complete data wipe of half of the company’s network.
And in the months and years that followed, attribution of the attack has zeroed in on North Korea — thought to be angered over the release of the film “The Interview” — but as one well-respected hacker told Tech Insider in a recent interview, that claim should be taken with a grain of salt as long as solid evidence continues to be withheld.
“The problem with that one is that the Sony network was documented Swiss cheese,” said Cris Thomas (known as Space Rogue in hacker circles), a strategist at Tenable Network Security. “People have been in and out of the Sony network for the last decade. There’s a list of who hacked Sony when.”
Indeed, the website Attrition.org has a running tally of at least 24 hacks into Sony properties since 2011.
There’s even a term hackers use to describe getting hacked (or owned) as much as Sony: Sownage.
“So by the time North Korea got around to it — if it was North Korea — it was a known wide open network,” Thomas said.
Sony declined to comment.
On its hacking list, Attrition wrote, “Sony has demonstrated they have not implemented what any rational administrator or security professional would consider ‘the absolute basics.'”
At least that was true in the period before the 2014 attack. As we learned in the ensuing fallout, Sony kept email records on its servers for many years, did not encrypt data, and it even kept thousands of passwords in a folder literally named “password.”
Prior to the alleged North Korean hack, Sony’s Playstation Network was breached by Anonymous, a hacker named “b4d_vipera” breached one of its music sites through a simple SQL injection, LulzSec used the same technique on its Japanese sites, and the group Lizard Squad conducted a large-scaled denial-of-service attack on Sony’s gaming networks.
And that’s just a partial list.
About a year before the 2014 breach, Sony was warned of unidentified hackers that had breached its network and mined its databases regularly, according to Bloomberg. Investigators found at least three hacking groups rooting around its systems, with a Russian group causing the “most damage” over a period of two years.
Much of the evidence pointing toward North Korea has come via statements from government officials or the FBI, but neither have offered hard evidence. And that has led security professionals to still doubt the country’s role in the attacks, with Thomas among them.
“It brings me back to the Cuban Missile Crisis, when President Kennedy famously gave his press briefing where he actually showed U-2 spy plane photos in his press briefing,” Thomas said. “And this gave away great secrets of the United States, but it also proved to the world that there were, in fact, missiles in Cuba.”
But nothing like that occurred after the 2014 Sony hack. It was as one Fordham law professor summed it up to Fortune, “trust us, but we’re not going to let you verify.”
And it’s interesting to note how strange it is for the president to call something like the Sony hack an “a serious national security matter” and have officials exhibit “high confidence” it was North Korea but offer no reasoning as to why. Now contrast that with the numerous reports, photos, videos, and other data offered as evidence the Syrian government used chemical weapons in 2013.
Thomas will likely remain sceptical until the US shares intelligence data that really explains the rationale behind attributing the attack to North Korea. What would avoid a “he said, she said” debate is evidence of IP addresses and packet captures, among other data.
“It’s a dogpile,” Stuart McClure, CEO of cybersecurity firm Cylance, told Fortune. ”‘Well, that one is North Korea, and this one looks like it, so it must be North Korea.’ There’s no objective evidence.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.