Expert view: Tracking the Sony hackers

Despite the US pinning the blame on North Korea, certainty in attribution is almost impossible

The World Today, published 6 February 2015, updated 7 December 2018. 2 minute read

Caroline Baylon

Sony’s film The Interview attracted controversy after a cyber attack on the company in November by a group calling itself the Guardians of Peace, which released thousands of documents and destroyed files. The US government blamed North Korea, which had objected to the film’s storyline about two reporters told to assassinate the country’s leader, Kim Jong Un. President Obama imposed sanctions on the regime, despite Pyongyang’s denials. However, attributing the attack to North Korea is not that straightforward.

How attribution is made

Attributing a cyber-attack is difficult and requires a combination of technical methods, inferences derived from these, contextual data, and espionage. Technical means include analysing network log files for ‘indicators of compromise’, such as the IP addresses (which identify devices on the internet) used to update malware or steal data. Traceback tactics can follow the path of a malicious email by examining the IP addresses of the routers it passed through. Clues to its origin can also be found in the malware program itself. However, hackers can spoof IP addresses, use proxy servers to mask them, or route attacks through compromised command-and-control servers or through multiple countries to hinder attribution. Moreover, malware is sold on the black market, so the same code may be in many hands, making attribution difficult. An aggressor country could hire an independent hacker group to carry out an attack, or launch it from outside the country.

Inferences from technical data, such as hacker targets and behaviours, can reveal patterns of known hacker groups. Linguistic analysis of malware code can also help determine the author’s native language, while file timestamps can reveal the author’s time zone. But hackers increasingly insert ‘false flags’.
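As an added illustration of the timestamp inference described above (example code, not part of the original article), the following Python scores candidate UTC offsets by how many compile timestamps fall in weekday working hours. The timestamps are constructed, and the 09:00–18:00 working-hours window is an assumption; it also shows why several neighbouring zones usually score almost equally.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC compile timestamps (e.g. read from executable
# headers) for a hypothetical malware family. Made up for this example.
SAMPLE_TIMESTAMPS_UTC = [
    "2014-11-03T01:15:00", "2014-11-03T03:40:00", "2014-11-04T00:55:00",
    "2014-11-04T06:10:00", "2014-11-05T02:30:00", "2014-11-06T04:05:00",
    "2014-11-07T01:45:00", "2014-11-07T08:20:00", "2014-11-08T02:00:00",
    "2014-11-10T05:35:00",
]

# Assumed local working hours; the author's real routine is unknown.
WORK_START, WORK_END = 9, 18


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def working_hours_score(timestamps, offset_hours: int) -> float:
    """Fraction of timestamps that land on a weekday inside working
    hours once shifted into the candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps)


def rank_time_zones(timestamps, offsets=range(-12, 15)):
    """Return (offset, score) pairs, best first; ties prefer offsets
    closer to UTC."""
    scored = [(off, working_hours_score(timestamps, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


def plausible_zones(timestamps, threshold: float = 0.8):
    """Offsets whose score meets the threshold. Several usually qualify,
    which is why timestamps narrow the field rather than pinpoint it,
    and a forged ('false flag') clock defeats the method entirely."""
    return sorted(off for off, score in rank_time_zones(timestamps)
                  if score >= threshold)


if __name__ == "__main__":
    print(rank_time_zones(SAMPLE_TIMESTAMPS_UTC)[:4])
    print(plausible_zones(SAMPLE_TIMESTAMPS_UTC))
```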

Contextual information, including geopolitical considerations, can indicate who might have an incentive to launch an attack. Of course there is always the possibility that one country could be trying to frame another.

Amid all this uncertainty, evidence from espionage can be key. A country’s security agency may have access to hacker communications about the attack, for example. However, disclosing such intelligence could jeopardize sources.

The Sony evidence

Many arguments have been presented for and against North Korean culpability. The FBI statement accusing Pyongyang referred to technical evidence, saying the data-deletion malware code resembled other malware linked to North Korea, such as that used in the DarkSeoul attacks on South Korean businesses last year.

Moreover, IP addresses associated with the malware are linked to North Korea, including those of command-and-control servers used in DarkSeoul.

James Comey, the FBI director, added that the Guardians of Peace’s emails to Sony used IP addresses connected with North Korea.

This is scant evidence, however, since many experts doubt North Korea was behind DarkSeoul. The code also resembles that used in the Shamoon attacks on Saudi Aramco two years ago, suggesting the malware is widely available. Cloudmark, the security company, found that many North Korean computers were infected with malware, too, which could allow any hacker to route attacks through North Korean IP addresses.

The FBI cited clues from technical data, noting that the malware was created on computers that used Korean language packs. Critics counter that if the authors were North Korean, they would have taken the precaution of changing the language settings. Additionally, linguistic analysis of the Guardians of Peace’s messages by Taia Global, the cybersecurity consultancy, found they were more likely Russian speakers.

From a contextual standpoint, the large amount of data released is not typical of nation states, which favour covert action. Further, the Guardians of Peace’s initial email to Sony was an extortion demand; they did not mention The Interview until the media made the connection.

The cybersecurity firm Norse suggests the culprit may be an insider, pointing to a recently fired employee who subsequently contacted the Guardians of Peace. Norse notes that a USB stick would be the easiest way to get so much data off a network. That is more plausible than the FBI theory that a systems administrator opened a phishing email that then stole his login credentials.

Much of the FBI case, therefore, rests on intelligence, which it has acknowledged using. The New York Times reported that the National Security Agency’s surveillance of North Korean networks – and those in China where North Korean hackers also operate – was vital for its attribution determination.

However, the US government has not provided any details about this evidence to the public or cybersecurity firms. Given the US’s past intelligence mistakes – including asserting that Iraq possessed weapons of mass destruction – trusting the FBI requires a leap of faith.