The Obama administration has sought China’s help in recent days in blocking North Korea’s ability to launch cyberattacks, the first steps toward the “proportional response” President Obama vowed to make the North pay for the assault on Sony Pictures — and as part of a campaign to issue a broader warning against future hacking, according to senior administration officials.
“What we are looking for is a blocking action, something that would cripple their efforts to carry out attacks,” one official said.
So far, the Chinese have not responded.
[I]n April 2011, Nonghyup Agricultural Bank, a mid-sized South Korean bank, suffered intermittent service outages for three weeks after malware took down 273 of its 587 servers. While there was no smoking gun, a mountain of publicly available technical and circumstantial evidence led the South Korean government and many independent security firms to confidently link the Nonghyup attack to North Korea. For two days, all banking services were completely disabled, and they suffered intermittent issues for the next 18 days. Fortunately, because many South Koreans have multiple accounts at several banks, the outage caused few major problems for ordinary citizens. However, if a similar attack were perpetrated against a major U.S. bank, it could cause major financial problems and widespread public panic, since many Americans only have one bank account and could be completely unable to access critical funds.
North Korea’s destructive attacks didn’t stop there. In June 2012, hackers destroyed article and photo databases and the editing production system at two conservative South Korean newspapers, one week after the North Korean military criticized them for their negative coverage. And, in March 2013, tens of thousands of computers at six South Korean banks and broadcasters simultaneously stopped working after malware overwrote critical hard drive components with the names of Roman army units. While these last two incidents may not seem like incredibly destructive or dangerous attacks, they set a precedent for targeting journalists, media outlets, and individuals that voiced disagreement with the North Korean regime. They were attacks on free speech…
As it stands, pariah states like North Korea are able to accomplish with cyber armies what they can’t with traditional ones: project power and fear globally, even in the United States, without shedding a single drop of blood.
[W]e do not need to speculate on the origin of the Sony attacks to find China complicit in the crime. After all, the attacks were routed through Chinese IP addresses. It is true that, in an apparent attempt to mask their origin, the attacks were also passed through, among other places, a Singapore convention center, Thailand’s Thammasat University, and a computer in Bolivia. No one is accusing the governments of Singapore, Thailand, or Bolivia of being behind the assaults.
The use of Chinese servers indicts Beijing, however. China maintains the “Great Firewall,” what many consider the world’s most comprehensive and sophisticated set of Internet controls. Chinese authorities can detect a single-line message sent from a computer or phone anywhere inside the People’s Republic. Therefore, these authorities knew or should have known about both the North Korean attacks passing out through the Firewall and the inbound data stolen from Sony, more than 100 terabytes worth.
Indeed, almost all the North’s telecommunications run through Chinese networks, which means all or virtually all of its Internet connections pass through China. Therefore, North Korea’s hacking, spanning decades, is well known to Beijing.
We know that the film’s assassination plot didn’t sit well with North Korea, a country that considers its leader tantamount to a god. Back in June, the North Korean ambassador to the United Nations called the film an “act of war” and urged the United States to “take immediate and appropriate actions to ban the production and distribution.” In a December 7th statement, the Korean Central News Agency praised the hackers for the “righteous deed,” even as Pyongyang professed ignorance of any matters related to Hollywood. “We do not know where in America the SONY Pictures is situated and for what wrongdoings it became the target of the attack nor we feel the need to know about it,” read a statement that KCNA attributed to an unnamed spokesperson for the Policy Department of the National Defense Commission. This was a characteristic North Korean statement—a nondenial intended to make readers disbelieve it.
Still, not everyone is convinced that North Korea carried out the attack, or was even indirectly responsible for it. “There is such a level of vindictiveness toward Sony that it feels more like an ex-employee or a business dispute,” Martyn Williams, a long-time North Korea watcher, who has taken a contrarian view on the attack, said. Williams believes that the hackers could be using North Korean software, or possibly imitating North Korean tactics, to cover their own tracks. He notes that the Guardians of Peace hackers didn’t mention “The Interview” before this week. He also believes that a recent message on a text-sharing Web site that threatened moviegoers and invoked 9/11 was unlikely to have come from North Korea. “North Korea is definitely capable of annoying its neighbors, but to make these kind of threats, saying ‘Remember 9/11,’ I don’t think North Korea is so stupid,’’ Williams said.
One hears a lot in cybersecurity circles that the government has “solved” the attribution problem. The evidence presented today shows why it has not come close to solving it.
First, the “evidence” is of the most conclusory nature – it is really just unconfirmed statements by the USG. Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea. We know nothing about the attribution veracity of those prior attacks. Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack. For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – “specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” and similarities in the “infrastructure” and “tools” of prior attacks – to spoof the North Koreans in the Sony hack.
Third, the most significant line in the FBI statement is this: “While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following.” Let us assume that the United States has a lot of other evidence, including human or electronic intelligence from inside Korea, that corroborates its attribution conclusion. This might give the USG confidence in the attribution and might support the legality of a proportionate response. But if protection of “sources and methods” prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response on North Korea is justified. (Compare Adlai Stevenson and Colin Powell before the United Nations.) And if the United States’ response is significant, and has wider geo-political implications, this inability to prove attribution could be a huge problem. The important point: Even if the attribution problem is solved in the basement of Ft. Meade and in other dark places in the government, that does not mean the attribution problem is solved as far as public justification – and defense of legality – is concerned.
1. First of all, there is the fact that the attackers only brought up the anti-North Korean bias of “The Interview” after the media did—the film was never mentioned by the hackers right at the start of their campaign. In fact, it was only after a few people started speculating in the media that this and the communication from North Korea “might be linked” that suddenly it did get linked. My view is that the attackers saw this as an opportunity for “lulz”, and a way to misdirect everyone. (And wouldn’t you know it? The hackers are now saying it’s okay for Sony to release the movie, after all.) If everyone believes it’s a nation state, then the criminal investigation will likely die. It’s the perfect smokescreen.
2. The hackers dumped the data. Would a state with a keen understanding of the power of propaganda be so willing to just throw away such a trove of information? The mass dump suggests that whoever did this, their primary motivation was to embarrass Sony Pictures. They wanted to humiliate the company, pure and simple…
4. You don’t need to be a conspiracy theorist to see that blaming North Korea is quite convenient for the FBI and the current U.S. administration. It’s the perfect excuse to push through whatever new, strong, cyber-laws they feel are appropriate, safe in the knowledge that an outraged public is fairly likely to support them.
5. Hard-coded paths and passwords in the malware make it clear that whoever wrote the code had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s (just) plausible that a North Korean elite cyber unit could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of a pissed-off insider. Combine that with the details of several layoffs that Sony was planning and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all.
The hackers have called themselves Guardians of the Peace and the broken English in the posts they’ve left behind has been questionable, and Mr. Rodgers isn’t buying it.
“The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in ‘Konglish’, i.e. it reads to me like an English speaker pretending to be bad at writing English,” he wrote…
North Korean officials have denied involvement with the Sony hacks but that has been in stark contrast to the comical behaviour of the hackers signing off an e-mail as “North Korean Hacking Team.”
There is a commonly used credo among hackers that they are motivated by ‘the lulz’ — an internet parlance for amusement. And deflecting the world’s accusations onto Kim Jong Un would certainly be a serious amount of lulz.
Working under the code name Sabu, Hector Monsegur was responsible for some of the most notorious hacks ever committed. As he told “CBS This Morning” co-host Charlie Rose earlier this month, Monsegur began cooperating with the FBI after getting caught. He now works as a security researcher.
“For something like this to happen, it had to happen over a long period of time. You cannot just exfiltrate one terabyte or 100 terabytes of data in a matter of weeks,” Monsegur said. “It’s not possible. It would have taken months, maybe even years, to exfiltrate something like 100 terabytes of data without anyone noticing.”
Administration officials believe North Korea was behind the hack.
“It could be. In my personal opinion, it’s not,” Monsegur said. “Look at the bandwidth going into North Korea. I mean, the pipelines, the pipes going in, handling data, they only have one major ISP across their entire nation. That kind of information flowing at one time would have shut down North Korean Internet completely.”
“For hackers that’s just brilliant. By blaming North Korea, the hackers have a carte blanche really,” said Jeffrey Carr, founder and CEO of Taia Global, a Seattle-based company that provides cybersecurity consultations to government agencies and private companies. “I’m not aware of this ever being done before. They’ve successfully ripped apart a multinational corporation. They successfully got them to shut down a movie. And to top that off they’ve convinced the FBI and NSA that the North Korean government is responsible. If I was them, I’d be popping Cristal.”…
Evan Goldberg, co-director of The Interview, who spoke to Vancouver-based site The Straight, said that while he doesn’t have any inside knowledge, he doesn’t think it was North Korea.
“For two seconds it was the North Koreans, and then the younger guys in our office who know way more about computers were like, ‘No way. You’d have to know Sony’s network, it has to be somebody on the inside.’”
It’s easy for attackers to plant false flags that point to North Korea or another nation as the culprit. And even when an attack appears to be nation-state, it can be difficult to know if the hackers are mercenaries acting alone or with state sponsorship—some hackers work freelance and get paid by a state only when they get access to an important system or useful intelligence; others work directly for a state or military. Then there are hacktivists, who can be confused with state actors because their geopolitical interests and motives jibe with a state’s interests…
Nation-state attacks aren’t generally as noisy, or announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack. Nor do they use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of GOP have done in media interviews. Nor do such attacks involve posts of stolen data to Pastebin—the unofficial cloud repository of hackers—where sensitive company files belonging to Sony have been leaked. These are all hallmarks of hacktivists—groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz, or by hackers sympathetic to a political cause.
One possible explanation is that North Korea only got involved in the attacks after the initial attack. Perhaps someone totally unconnected to Pyongyang compromised Sony’s network and then sold control and data to the North Korean government. Or perhaps the attack was carried out by a hacker group that sometimes does work for the North Korean government, but North Korea only became directly involved after the initial announcement. That would explain why they seemed to use some of the same tools and infrastructure.
This would also help to explain the skillful way the hackers manipulated the media into embarrassing Sony, increasing hackers’ leverage in the process. As Vox’s Todd VanDerWerff has written, the attackers doled out leaked documents in batches to strategically-chosen journalists, making it more likely that reporters from various media outlets would comb through the files looking for scoops.
That ensured that the media would publish a lot of damaging scoops about the company before the hackers pivoted to its Interview-related demands. Todd notes that if the hackers had focused on The Interview from the outset, media organizations would have been squeamish about participating in what amounted to a blackmail campaign against Sony.
It’s hard to imagine that North Korea, working alone, would have had sufficient understanding of American media habits and organizations to pull this off. But if North Korea were working with an outside group with ties to the West, they could outsource the details of the media campaign to them.
The hacker group Lizard Squad may have ties to Guardians of Peace, the group claiming responsibility for the latest Sony attack, according to research from IntelCrawler, a Los Angeles cyber-intelligence firm. Online postings from members of each group use similar language and slang. They cross-post on one another’s social-media accounts, make similar extortion attempts, and carry out attacks on almost identical timelines.
The connections suggest that North Korea and hacktivist groups could have worked together on different parts of the Sony Pictures breach, or there may have been overlapping attacks, says Dan Clements, president of IntelCrawler. Both groups have said they are preparing Christmas surprises for Sony. Lizard Squad posted to a now-suspended Twitter account, saying it’s “working together with #GoP on a Christmas project.”
“These gamers had been trolling Sony for years,” Clements says. “They had compromised credentials; who knows who they shared that with in the underground?”
Clues in the hackers’ attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one since North Koreans use a unique dialect. However you read it, this sort of evidence is circumstantial at best. It’s easy to fake, and it’s even easier to interpret it wrong. In general, it’s a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the “evidence” to suit the narrative they already have worked out in their heads…
Allan Friedman, a research scientist at George Washington University’s Cyber Security Policy Research Institute, told me that from a diplomatic perspective, it’s a smart strategy for the U.S. to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term U.S. interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement no matter what the truth is, and the real attackers have gone underground, then the U.S. decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.
Sony also has a vested interest in the hack being the work of North Korea. The company is going to be on the receiving end of a dozen or more lawsuits—from employees, ex-employees, investors, partners, and so on. Harvard Law professor Jonathan Zittrain opined that having this attack characterized as an act of terrorism or war, or the work of a foreign power, might earn the company some degree of immunity from these lawsuits.
The Sony hack was perpetrated by either the North Korean government itself or by its third-party proxies. There is really no doubt about this. It’s not that we need to accept U.S. government sources on this or the FBI, but the context of the attack leaves little doubt. This is often the flaw in the logic of the cybersecurity narrative. The engagement of cybersecurity issues often is done completely devoid of knowledge of the wider international security processes of the time. Dissecting the case against North Korea with little reference to history, culture, or capabilities leaves much of the story out…
Adding all this together, the remaining question is whether North Korea had the ability. Some say this attack had to be perpetrated by a Sony insider since the attacker grabbed so much information and seemingly understood the company’s systems. This conjecture assumes too much about a lone disgruntled operative. A lone disgruntled operative whose only demand seems to be to ask for money but to give no suggestions about how much, how it can be delivered, or when? While reports are correct to note that the movie The Interview was not mentioned with the first threat, back in June North Korea warned that it would seek revenge for the movie, which it considered an act of war and terrorism. North Korea often threatens to turn its enemies’ cities into a “sea of flames” and nothing comes of it. But it’s entirely possible, even likely, that this time it made good on its promise, in a way.
If this was a disgruntled employee, he or she is really bad at setting demands and achieving ends. South Korean intelligence claims that North Korea has 5,900 cybertroops. It is not tough to assume that at least a small percentage of these people are capable of gathering enough information about Sony and its employees online to be able to penetrate, map, and dissect Sony’s networks. This counters the most convincing claim about the nature of the attack, that there was too much knowledge and insider information about the corporation for North Korea to do it. Hire 100 capable hackers and you can pretty much map any corporation, given enough time.