At this point, anyone who doubts that North Korea helped hack Sony is disagreeing with top cybersecurity experts in the world and the US intelligence community.
Nevertheless, many smart people are highly sceptical that a tinpot dictatorship with almost no internet connectivity could compromise an American-based subsidiary of a multinational corporation.
The prevailing alternative theories — detailed by oft-cited security researcher Bruce Schneier — include that independent North Korean nationals hacked Sony, that a Sony insider (“Sony’s Snowden”) did it, or that hacktivist pranksters did it for the lulz (ie, for a good bit of sadistic fun).
While all of these are possibilities, there is no conclusive evidence corroborating any of these theories. And there is plenty of evidence suggesting North Korean involvement.
What We Know
On Nov. 22, computer screens of Sony employees flashed a warning indicating the company’s computer systems had been compromised and data had been stolen.
Sony’s systems were subsequently crippled. An unknown group calling itself GOP claimed credit for the hack.
Over the next few weeks, all hell broke loose in the entertainment world. Hackers dumped information online and news organisations scrambled to cover every possible angle. Threats of violence against movie theatres led to Sony cancelling the Dec. 25 theatrical release of “The Interview,” a film in which Seth Rogen and James Franco play talk show hosts enlisted by the CIA to assassinate North Korean leader Kim Jong Un.
American officials concluded that North Korea was “centrally involved,” and intelligence officials told The New York Times that the US intelligence community “concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil.”
The FBI’s public assessment, undertaken with assistance from other intelligence services, cited technical analysis of the code and overlap of techniques used in previous attacks of this kind.
Immediately after the attack, cybersecurity experts began looking at the code and techniques involved in the breach. Kaspersky Lab and other cybersecurity firms found that the malware involved in the Sony incident is capable of wiping disk drives and other data. Kaspersky dubbed the malware “Destover,” noting that similar malware had been used in previous attacks.
Computer researcher Kurt Baumgartner, drawing on Kaspersky’s initial investigation, detailed how the Destover malware used in the Sony hack looks a lot like two previous “wiper” attacks: One called “Shamoon,” which targeted 30,000 Saudi Aramco workstations in 2012, and another called “Dark Seoul,” which targeted South Korean banks and two of the country’s top broadcasters the following year.
Furthermore, Kaspersky notes that the defacement placed on Sony employee computers is similar to the warning message in the “Dark Seoul” attack, even down to the skull icons.
An assessment by HP published on Dec. 19 detailed how “several factors support that North Korea played a role in the attacks.”
HP noted that “it is difficult to discern whether the regime acted alone. It is plausible that the actors responsible for this attack relied on the assistance of an insider.”
Jason Lancaster, senior threat intelligence analyst at HP, noted to Business Insider that “the system that was used by the author of the malware used in the Sony case was compiled on a Windows system with a Korean language set, specifying its keyboard. … So the keyboard for the system that was used to compile this malware … was done in the same way as other malware associated to it.”
Investigative journalists at Krebs on Security noted on Dec. 14 that CrowdStrike, a security firm that focuses heavily on identifying attribution and actors behind major cybercrime attacks, had independently concluded that North Korea orchestrated the hack before the FBI officially blamed Pyongyang.
“We have a high confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and US government and military institutions,” said Dmitri Alperovitch, chief technology officer and co-founder at CrowdStrike.
“These events are all connected, through both the infrastructure overlap and the malware analysis, and they are connected to the Sony attack,” Alperovitch added. “We haven’t seen the sceptics produce any evidence that it wasn’t North Korea, because there is pretty good technical attribution here.”
Despite these assertions from experts and officials in the know, the frank scepticism persists:
One day media analysts are going to look at Obama’s Friday press conference as one of the greatest presidential snookerings in US history.
— Tim Shorrock (@TimothyS) December 24, 2014
“I worry that this case echoes the ‘we have evidence — trust us’ story that the Bush administration told in the run-up to the Iraq invasion,” Schneier writes.
As sceptics come to terms with the evidence pointing to North Korea, which may have had help from other groups, statements like these will not age well.
Armin Rosen contributed to this report.