A Lot of Smart People Think North Korea Didn’t Hack Sony


  1. Tomi Engdahl says:

    Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators

    Alternative theories of who is responsible for the hack of Sony Pictures Entertainment have come fast and furious in recent weeks — especially since the FBI pointed a finger at the government of North Korea last week. But Norse Security is taking the debate up a notch: saying that they have conclusive evidence pointing to a group of disgruntled former employees as the source of the attack and data theft.

    The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals

    New Clues In Sony Hack Point To Insiders, Away from DPRK

    A strong counter-narrative to the official account of the hacking of Sony Pictures Entertainment has emerged in recent days, with the visage of the petulant North Korean dictator, Kim Jong Un, replaced by another, more familiar face: former Sony Pictures employees angry over their firing during a recent reorganization at the company.

    Researchers from the security firm Norse allege that their investigation of the hack of Sony has uncovered evidence that leads, decisively, away from North Korea as the source of the attack. Instead, the company alleges that a group of six individuals is behind the hack, at least one a former Sony Pictures Entertainment employee who worked in a technical role and had extensive knowledge of the company’s network and operations.

    If true, the allegations by Norse deal a serious blow to the government’s account of the incident, which placed the blame squarely on hackers affiliated with the government of the Democratic Peoples Republic of Korea, or DPRK.

    Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.

    That HR data was the “golden nugget” in the investigation, revealing the details of a mass layoff at Sony in the Spring of 2014, including a spreadsheet identifying employees who were fired from Sony Pictures in the April-May time period.

    After researching those individuals, Norse said it identified one former employee who he described as having a “very technical background.”

    But the Norse account of the hack does answer some puzzling questions about the incident that are as yet unexplained, according to Mark Rasch, a former federal prosecutor and a principal at Rasch Technology and Cyberlaw. Among those questions: how hackers were able to obtain near-perfect knowledge of Sony Pictures’ network and, then, sneak terabytes of data off of the network without arousing notice.

    “It has always been suspicious that it was North Korea,” Rasch said. “Not impossible – but doubtful…It made a lot more sense that it was insiders pretending to be North Korea.”

    Rasch noted, as others have, that the attackers initially made no mention of the Sony Pictures film “The Interview” in communications with the company or the outside world.

  2. Tomi Engdahl says:

    Andy Greenberg / Wired:
    FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP Addresses

    Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has “very high confidence” in the FBI’s attribution of the attack to North Korea. And he named several of the sources of his evidence, including a “behavioral analysis unit” of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own “red team” simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.

  3. Tomi Engdahl says:

    Just WHY is the FBI so sure North Korea hacked Sony? NSA: *BLUSH*
    DOH! Clapper smacker for crapper tapper

    For those still wondering why US President Barack Obama and the FBI have so confidently blamed North Korea for the Sony Pictures hack, it’s apparently because the NSA compromised the secretive country’s computer network years before – giving American intelligence a front-row seat for subsequent shenanigans.

    The New York Times reports that the penetration (PDF) was accomplished in 2010, years before the hack of Sony Pictures, and initially with the assistance of South Korea.

    FBI Director James Comey went on the record earlier this month to say that one key piece of evidence implicating North Korea was that IP [Internet protocol] addresses used to post and to send the emails by the Guardian of Peace connected with the attack were coming from IPs that were exclusively used by the North Koreans. Comey told delegates at a cyber conference at Fordham University on 7 January that the North Koreans had erred by being “sloppy” in disguising the source of the attack.

    General James Clapper, director of the NSA, backed the attribution of the Sony attack to North Korea at the same conference without revealing the NSA’s apparent role.

    Quite why the Feds are going to such lengths to convince the doubting infosec community, drawing attention to a program to wiretap a hostile country’s internet infrastructure, is a puzzle. Perhaps the program had been uncovered. If not, why is the US intel community disclosing source and methods just to bolster the credibility of its explanation for the Sony hack?

  4. Tomi Engdahl says:

    Nork hackers no pantomime villains, but a hugely unpredictable menace
    Modest resources but still able to launch a debilitating attack

    North Korea’s cyber attack on Sony Pictures revealed two uncomfortable truths about cybersecurity: businesses don’t have to be an obvious target to get hacked, and their aggressors don’t have to be superpowers.

    Despite the US government’s insistence, the tech world is less than completely convinced that North Korea was behind last November’s Sony megahack, which saw thousands of computers on the entertainment giant’s network scribed with wiper malware, as well as the theft and subsequent release of all manner of confidential information, ranging from corporate emails and employee data to unreleased films.

    A group of hackers named Guardians of Peace claimed responsibility for the megahack.

    The (main) alternative theory — backed by most IT security experts up until fairly recently — is that disgruntled ex-employees, possibly in co-operation with hacktivist types, are the most likely culprits.

    “Sloppy” North Korean Sony attackers let their real IP addresses slip on occasion, according to the Feds.

    Infosec pros characterised that particular strain of evidence as flimsy and circumstantial. IP addresses are, after all, easily faked or spoofed.

    Politically motivated hacking isn’t new, and the Sony hack is sadly far from unprecedented. Anonymous did something similar to the internet security company HBGary Federal, exposing corporate secrets and internal emails, back in 2011.

    The Sony hack does however differ from previous assaults as it has become the first to create a diplomatic row, leading directly to the imposition of tougher sanctions against North Korea and an unconfirmed reprisal cyber attack against North Korea’s internet on-ramp and flimsy internet infrastructure.

    North Korea has had extensive offensive cyber capabilities for years, as covered by Voice of America (here), Al Jazeera (here), and news.com (here). And it has extensive support from China, its primary (if not only) ally on the world stage.

    Reuters reports that North Korea has poured the country’s scant resources into creating a cyber warfare cell called Bureau 121, made up of a “handpicked and pampered elite” of computer science majors around 1,800 strong.

    Nation state V US company

    “We routinely see attacks of 10-20Gbps against our commercial clients, with those of 100Gbps no longer uncommon,” said Ofer Gayer, a security researcher at DDoS mitigation firm Incapsula. “Even if North Korea had ten times its publicly reported bandwidth, bringing down its connection to the net would not be difficult from a resource or technical standpoint.”

    Attribution of the Sony Pictures hack to North Korea may have taken the general public by surprise but security intelligence firms have been tracking the mendacious activities of the North Koreans for some time.

    For example, South Korea banking and TV station networks were hit by wiper malware in March 2013 during the so-called Dark Seoul attacks.

    Adam Meyers, CrowdStrike’s VP of intelligence, told El Reg that while Russian attacks employed sophisticated trade-craft, Chinese attacks were of a far greater volume. “Chinese attacks are like a giant vacuum cleaner” for confidential data, according to Meyers. The security intelligence expert added that slinging computer wiper malware is a standard modus-operandi for North Korean cyber operations.

    CrowdStrike is confident that North Korea attacked Sony Pictures

    Security response firm Mandiant, which was called in to help Sony Pictures in the aftermath of the breach, said that “neither [Sony] nor other companies could have been fully prepared”.

    “Sony was not an attack on our critical infrastructure,” Sorebo writes in a blog post. “While Sony will suffer, neither our infrastructure nor our economy will feel any noticeable impact. What the attack does demonstrate is the lengths that a rogue state or terrorist group will go to achieve a seemingly limited aim, to stop the release of a movie.”

  5. Tomi Engdahl says:

    SONY HACK WAS WAR says FBI, and ‘we’re still struggling to hire talent’
    Cybercrims may be safe at home, but Feds dare them to go on holiday

    Cloudsec Yesteryear’s hack of Sony Pictures was an act of war, stated FBI Supervisory Special Agent Timothy Wallach, who delivered the FBI’s gradation system of cybercriminals to net security conference Cloudsec on Thursday, 17 September.

    US agencies have fingered the North Korean government for the Sony attack repeatedly, initially to much scorn as the nation is popularly believed to be residing in the technical dark ages.

    However, the Norks' role in the breach has been increasingly accepted, as information about the NSA’s role in attribution has been made public.

    Presenting the act of war at one end of the spectrum, with hacktivists at the other end, FBI Supervisory Special Agent Timothy Wallach told Cloudsec about the agency’s ongoing efforts to deal with cybercrime.

    Wallach made it clear the FBI distinguished hacktivists – a term he suggested covered ideological actors, including everyone from LOIC and Lizard Stresser ego-hackers, through to those defacing police websites following the shootings of young African American men – from those cybercriminals who were motivated by financial gain or espionage.

    The hack of Sony pictures, he suggested, was an act of warfare, though it remains unclear how it might be considered a military act of sabotage, other than its nation-state backing.

    According to Wallach, who is currently assigned to lead the Cyber Task Force in the Seattle Field Office of the FBI, reports of breaches increased by 55 per cent between 2013 and 2014.

    These breaches often targeted personal identifiable information, although an increasing number went after healthcare information, which Wallach regards as a larger target.
