The Convoluted Trail Linking North Korea to Sony

A trail of breadcrumbs led the FBI to conclude that North Korea was behind the recent massive cyberattack on Sony, but it's not clear who left the trail or why. Perhaps it was "sloppy" North Korean hackers -- or perhaps clever North Korean hackers who wanted credit. Or maybe it was hackers who wanted to trick the U.S. into wrongfully accusing the volatile and unpredictable North Korean government.

FBI Director James Comey has “very high confidence” that North Korea was behind last November’s cyberattack on Sony, he said at a cybersecurity forum held last week at Fordham University. The attack resulted in large amounts of intellectual property, confidential communications and employee data being posted on the Internet for public view.

New evidence of the link includes documentation of the hackers’ failure to cover their tracks with proxy servers on several occasions, Comey said.

Most of the time, the hackers, who called themselves the “Guardians of Peace,” obfuscated the paths of their communications, the director explained, but several times they got “sloppy” and exposed their home IP addresses — all used exclusively by North Koreans.

Comey’s remarks bolstered the Obama administration’s decision to impose sanctions on North Korea, but some critics have expressed reservations over the FBI’s conclusions.

No Smoking Gun

“I know a number of people who are concerned that we don’t have definitive proof to give proper attribution to the attack, but in cases like this we rarely have all the evidence we need to provide attribution,” noted Michael Sutton, vice president of security research for Zscaler.

“In an attack like this, it’s just too easy to spoof locations and copy code and do other things to prevent following the breadcrumbs,” he told TechNewsWorld.

“I do think that while we don’t have conclusive proof — the FBI hasn’t been that transparent with us — I do think North Korea remains the most viable suspect in this attack,” Sutton said.

“When they are able to have visibility into IP addresses, I would say there is probably no doubt that North Korea is behind it,” CounterTack VP for Security Strategy Tom Bain told TechNewsWorld.

Comey would have liked to reveal more about the Sony attack, he told his Fordham audience, but since the scenario likely will be repeated, it would be unwise to let the attackers know what law enforcement has learned about their operations.

That knowledge is likely substantial.

“The fact that the president issued sanctions against North Korea for the first time in the history of the U.S. as retaliation for a cyberattack is setting a precedent,” said Tom Kellermann, vice president of cybersecurity at Trend Micro.

“He wouldn’t have taken that action if he hadn’t verified the truth behind the investigation methods of the FBI by the NSA,” he told TechNewsWorld.

Arms Bazaars

Critics of the FBI’s finger-pointing have argued that North Korea doesn’t have the sophistication to mount a cyberassault as complex as the attack on Sony.

However, these days, it isn’t very hard for a nation state — or anyone, for that matter — to get the tools needed for mounting a cyberattack, Kellermann maintained.

“North Korea has been able to modernize and exponentially increase its capabilities by partaking in the arms bazaars in Eastern Europe where it can purchase cyberweaponry and can learn the latest techniques from a myriad of nefarious cyberconsultants,” he pointed out.

“Anyone can enter these arms bazaars and purchase cyberweaponry,” added Kellermann. “No one cares who you are as long as you’re willing to pay top dollar.”

North Korea also has been discounted because it denies it took part in the Sony attack. That’s not consistent with a government that usually takes every opportunity to boast about its exploits against the West.

That could be part of a ploy, though, noted Marc Gaffan, cofounder of Incapsula.

“Though it is hard to know for certain the motives of the attackers, denying publicly while leaving clues is one way to demonstrate prowess without taking the brunt of public criticism,” he told TechNewsWorld.

IP Fallacy

The FBI and NSA base their accusation of North Korea on the logic that any attack linked to a North Korean IP address must be sanctioned by the North Korean government, because it tightly controls IP blocks in the country.

However, that’s not necessarily true, argued Jeffrey Carr, CEO of Taia Global.

“Access to those blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections,” he wrote in a recent blog post.

“As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn’t commit,” he said. “I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it’s doing wrong in incident attribution and fixes it.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.