Was North Korea Behind the Sony Hacking?

Was North Korea Behind the Sony Hacking? December 27, 2014

Sony released The Interview, which has to be a terrible movie, on Christmas day and a whole bunch of people, fully knowing the movie would be shitty, went to it out of some weird “patriotic” duty to thumb their nose at Kim Jong-un. But many cyber security experts say it’s very unlikely that North Korea was actually behind the hacking, including Marc Rogers.

All the evidence leads me to believe that the great Sony Pictures hack of 2014 is far more likely to be the work of one disgruntled employee facing a pink slip.

I may be biased, but, as the director of security operations for DEF CON, the world’s largest hacker conference, and the principal security researcher for the world’s leading mobile security company, Cloudflare, I think I am worth hearing out.

The FBI was very clear in its press release about who it believed was responsible for the attack: “The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” they said in their December 19 statement, before adding, “the need to protect sensitive sources and methods precludes us from sharing all of this information”.

He goes on to detail how flimsy the evidence that the FBI has released is. Like this:

The first piece of evidence described in the FBI bulletin refers to the malware found while examining the Sony Picture’s network after the hack.

“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

So, malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other attacks attributed to North Korea.

This may be the case—but it is not remotely plausible evidence that this attack was therefore orchestrated by North Korea.

The FBI is likely referring to two pieces of malware in particular, Shamoon, which targeted companies in the oil and energy sectors and was discovered in August 2012, and DarkSeoul, which on June 25, 2013, hit South Korea (it was the 63rd anniversary of the start of the Korean War).

Even if these prior attacks were co-ordinated by North Korea—and plenty of security experts including me doubt that—the fact that the same piece of malware appeared in the Sony hack is far from being convincing evidence that the same hackers were responsible. The source code for the original “Shamoon” malware is widely known to have leaked. Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator. Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain “crimeware” kits have been using this model for years…

1. First of all, there is the fact that the attackers only brought up the anti-North Korean bias of “The Interview” after the media did—the film was never mentioned by the hackers right at the start of their campaign. In fact, it was only after a few people started speculating in the media that this and the communication from North Korea “might be linked” that suddenly it did get linked. My view is that the attackers saw this as an opportunity for “lulz”, and a way to misdirect everyone. (And wouldn’t you know it? The hackers are now saying it’s okay for Sony to release the movie, after all.) If everyone believes it’s a nation state, then the criminal investigation will likely die. It’s the perfect smokescreen.

2. The hackers dumped the data. Would a state with a keen understanding of the power of propaganda be so willing to just throw away such a trove of information? The mass dump suggests that whoever did this, their primary motivation was to embarrass Sony Pictures. They wanted to humiliate the company, pure and simple.

Bruce Schneier also thinks it’s unlikely that North Korea was behind the Sony hack. He does note that there may be evidence that hasn’t been released that ties the government of North Korea convincingly to it, but also that we have little reason to trust our own government on this question:

Tellingly, the FBI’s press release says that the bureau’s conclusion is only based “in part” on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq’s weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

Allan Friedman, a research scientist at George Washington University’s Cyber Security Policy Research Institute, told me that, from a diplomatic perspective, it’s a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

So is North Korea behind this? I don’t know. But there’s good reason to doubt it. I think Rogers’ argument about how the whole situation was about embarrassing Sony by releasing emails until someone began to speculate about North Korea and this movie is a compelling argument against North Korean responsibility.

Browse Our Archives

Follow Us!

What Are Your Thoughts?leave a comment
  • Reginald Selkirk

    I think this can be spi=lit into two separate issues. If your motivation to see this crappy movie is freeze peach, does it matter whether the hackers demanding it not be shown are associated with North Korea or not?

  • It’s a valid critique of gaming journalism.

  • sanford

    It may be a lousy movie, but it did make million dollars in its opening day. It only played on about 300 screens. So that is considered pretty good. No doubt a lot of people went just to see what the stink was all about. The reviews on Rotten Tomatoes, was about 50 per cent which means it was not good. On the other hand you can never believe what critics have to say.

    Even if it wasn’t North Korea, Sony must have believed it as did the big movie chains. Some have said this was a good excuse to pull a bad movie. I am sure worse movies have been released. Plus this is Seth Rogen, whose movies have been successful. Doubt they would have pulled it even if it was bad.

  • colnago80

    Well, it has been given an 8.1 rating so far over at the IMDB, which is pretty high. Of course, that may be based on a small sample, considering that the movie hasn’t been released yet.

  • colnago80

    In the unlikely event anyone is interested, bootleg copies of the movie are available on BTtorrent and the copies are flying off the internet in droves.


  • Larry

    Why didn’t the hackers attack Peter Jackson’s studio instead and thus keep me from wasting my money and losing 3 hours of my life on his p.o.s. Battle of the Five Armies.

  • dingojack

    “… a whole bunch of people, fully knowing the movie would be shitty, went to it out of some weird “patriotic” duty to thumb their nose at Kim Jong-un”.

    (Assuming the unlikely case). Paging Barbra Streisand, Miss Streisand to the white courtesy phone please…

    🙂 Dingo


    PS: Note how much of a ‘Internet Tough Guy’ Kim has made himself — classic PR fail.

  • @colnago80″

    In the unlikely event anyone is interested, bootleg copies of the movie are available on BTtorrent and the copies are flying off the internet in droves. “

    Has anyone ever actually seen Kim Jong Un and Kim Dotcom in the same room together?

  • blf

    In addition, the malware used apparently contained, embedded within it, specific server/account names and passwords. Whilst still circumstantial, that is highly suggestive of an Sony insider.

    A disgruntled insider has the motivation to “dump” the harvested data. Whilst it’s unknown why the hypothetical insider is disgruntled, Sony has announced (and is in the process of?) plans to lay-off a rather consider number of people.

    Source: New Study May Add to Skepticism Among Security Experts That North Korea Was Behind Sony Hack (New York Times).

  • dingojack

    blf – ‘Lies of our Times: All the News That’s Fit to Make-up” — oooh I’m so convinced now!

    @@ Dingo

  • dingojack

    blf – Personally, my gut thinks your basic premise is correct — all you need is a creditable source.


  • Cait

    What I’ve been seeing in the security press is a bit more nuanced; some of the attacks on Sony bear distinct signatures that support a North Korean source. But during that, it appears that another group, likely aided by someone on the inside, took advantage of that to do some additional damage. The things that have happened overall just don’t fit the profile of a single vector.

  • blf

    dingojack, That’s Faux Noes, “Straight from your wallet to the Kochroach brothers.”

  • blf

    My@13 is a snark in response to dingojack@10. I do not share the her/his apparent automatic dismissal of everything in the NYT (@11). And I note the report does include sources (and additional speculations not unlike cait@12).

  • colnago80

    Re blf

    The Chihuahua’s idea of a reliable new source is the former Soviet outlets Pravda (news) and Izvestia (truth). As they used to say, there is no news in Pravda and no truth in Izvestia.

  • hunter

    Larry @6: Have you seen the other five LOTR and Hobbit movies? Any of them? And you still went to see the new one?

  • mithrandir

    hunter @16: well, I kind of liked B5a, but you are right at least that, after the first two Hobbit movies, you should have known exactly what to expect of the last.

  • thebookofdave

    As common as major data breaches of Sony are, my only concern is they happen too randomly to serve as reminders for me to pick up my dry cleaning.

  • Alverant

    Well Reginald, that depends why they did the hack. At this point I wouldn’t be surprised to learn the hack was staged as a PR stunt so people will overlook the fact that it’s bad and go see it anyway. Follow the money, who wound up profiting from this? Who else would want to keep people from seeing the movie. We’ve been lied to and mislead so much that I can’t dismiss the possibility that NK is just claiming responsibility to look tough and defiant even though they had nothing to do with it.

  • lorn

    So … “many cyber security experts” , exactly how many are in a ‘many’ , disagree with an assertion that seems to be based upon a series of assumptions and few details. … And the form of objection is based upon a series of assumptions and few details …

    That is, of course, the form of most conspiracy theories. Big on casting doubt but short on providing more credible alternatives.

    For now the working, albeit provisional, assumption remains that NK did it or had it done.

  • Childermass

    Alverant @ 19: “Follow the money, who wound up profiting from this?”

    Certainly not Sony. Even a flop would have made more money in wide release. And releasing it on YouTube on the day which a bunch of adults are might choose to watch it together for $5.99 hardly seems to be a way to make up the loss.

    And I very much doubt that Sony would really want to distribute really embarrassing emails about itself or make the world think that its computers are not all the secure.

    Whether it is the Korean dictator or a disgruntled employee, I think it most likely this was done by someone who wanted to hurt Sony.

  • In addition, the malware used apparently contained, embedded within it, specific server/account names and passwords. Whilst still circumstantial, that is highly suggestive of an Sony insider.

    Only if you work for the FBI, and don’t understand that the initial penetration involved an SQL injection attack that led to accessing some user credentials, which were then used to exploit the attack further into the network. I’d say the odds of this being an insider or the North Koreans are about zero. People seem to be cheerfully forgetting that there were a number of breaches at Sony in the last few years. There is no need to conjure up the spectre of a North Korean attack or an insider; it’s probably the same crew as before – they know their way around Sony by now.

  • badgersdaughter

    Psst… colnago80 @ #15: “Pravda” is “truth” and “Isvestia” is “news”.

    Just Helping 😀

  • gog

    Even though there’s an investigation happening, and even though Sony claims that they were hacked by… somebody, I remain utterly unconvinced that this wasn’t some sort of publicity stunt AND a test for putting blockbusters on YouTube. Everybody wants to be a viral hit now.

  • colnago80

    Re badgersdaughter @ #23

    Right you are. Got it ass backwards.

  • 24,

    You think they hacked themselves, wiped their records and made a false crime report, triggering a major FBI investigation all for publicity? They made a risk-reward calculation that testing the waters for streaming a movie on Youtube and risking indictment on multiple federal felony charges would be a reasonable course of action? And they did all this not knowing that theaters would refuse to show the movie and that Youtube would be willing to host the movie? I know other people on the internet are making this claim, but I find this line of speculation utterly implausible.

  • Many, possibly most, of the wars the US has been involved in were started under false pretenses. The Spanish-American War in 1898 was provoked by the explosion of the USS Maine in Havana harbor: the US said it was an unprovoked assault by Spain, even though the captain said it was a gas build up in the steam powered battleship’s coal bin. The White House had several hours of forewarning of the “surprise” attack on Pearl Harbor, enough time to order that surplus WW I planes be hauled out to insure their destruction, guaranteeing new, better equipment for the war that FDR desperately needed to break us out of the Depression. The Gulf of Tonkin Incident was started by trigger-happy US ship captains, not the North Vietnamese. The Persian Gulf War, the invasion of Afghanistan and the Iraq War were based on lies cooked up by both Bush administrations.

    There is little doubt in my mind that North Korea is the next war being planned.

  • I’m kind of in agreement with Ranum on this: It probably wasn’t just one insider, and it probably wasn’t an op sanctioned by the NK government either; I’m guessing it was somewhere in between — a bunch of hackers who either had access to NK malware bits already out there, or who got help from NK hackers who were doing a school project or something.

    Also, didn’t the FBI admit the hack came from outside NK? That kinda weakens the “Kim Jong Un did it” theory a little more.

    The last thing anyone needs now is for this BS to be used to drum up support for a Second Korean War.

  • @Dr. X #26 – The hack itself is probably legitimate (if that is the right word.) Blaming it on North Korea is almost certainly a false flag claim made by the US government. The alleged emails from North Korea taking credit and threatening the studio are very likely the result of Sony taking immediate action to build hype for their movie.

  • The White House had several hours of forewarning of the “surprise” attack on Pearl Harbor…

    No, they really didn’t. Our intel picked up lots of Japanese and Abwehr chatter about Pearl Harbor; but it also picked up the same kind of chatter about nearly every other potential US target in the Pacific. Pearl Harbor didn’t stand out in all that noise until it was too late. The US was unprepared for that attack, partly because it was worried about sabotage more than air raids; but it was not ignoring any sort of clear and specific warning.

  • For now the working, albeit provisional, assumption remains that NK did it or had it done.

    Why do we have to “work with” an “assumption” (which is basically an assertion not supported by evidence, otherwise we’d be calling it a “conclusion”), when we have actual evidence to work with?

  • AMM

    colnago80 @25:

    You had the saying right the first time. If you translate the names of the newspapers into English, the Russian saying becomes “there is no news in The Truth and no truth in The News

    (I think the Russian goes something like в Правде нет известий, а в Известиях нет правды)