Thursday, December 18, 2014

Was DPRK behind the Sony hack?

UPDATE: While this post was embargoed, various news outlets have claimed that sources in the US Government are confirming North Korea's involvement in the Sony hack.  I don't have the intelligence they have access to and North Korea has already denied participation in the hack publicly.  If North Korea was behind the attack, then it heralds a new era in state-sponsored hacking - one in which nations attempt not only to steal secrets from other government and commercial interests, but also attempt to extort money directly from the victims.  Regardless of the outcome, I'd like to share my thought process in evaluating cyber attribution and attacker motivations.

There are lots of opinions out there about whether or not North Korea (DPRK) was behind the Sony attacks.  Is this really a plausible theory? Maybe, but it's unlikely.  Why did this get such traction in the press?  Let's be honest: a nation state hacking a movie studio because they are releasing a movie that paints their supreme leader in a bad light is an awesome story line.

But did they really do it?  I don't think so, and neither does famed OPSEC expert @thegrugq.  He posted some notes detailing why he doesn't think North Korea was behind the Sony hack.  The biggest reason he cites is the need to supply a dedicated handler very fluent in English to interface with the media the way the attackers have.  I won't argue whether DPRK has such people available. That's not the issue.  The real issue here is that most communications from DPRK are very heavily slanted towards communist rhetoric and there's none of this in the communication with the press.

But that's not the most compelling argument against the DPRK. The most compelling argument, in my mind, is the fact that the attackers tried to extort money from Sony.  This text was sent to Sony days before the hack was made public:

We've got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You'd better behave wisely.
From God'sApstls

Nation-state attackers usually don't try to extort money from their victims.  Also, they generally don't perform destructive operations - preferring instead to collect intelligence.  Put bluntly, while the DPRK angle makes for a good story, it is just that: fiction.

Some will probably argue that the recent terroristic threats against moviegoers that see The Interview are evidence of DPRK involvement in the Sony breach. I don't think we have enough evidence to make such claims.  Multiple terrorist groups regularly (and fraudulently) claim responsibility for bombings and other terrorist actions in the physical space. Why discount this as an option in the digital realm as well?  Finally, while the threats to moviegoers may be from DPRK (and I'm not saying they are), that doesn't mean they were behind the hack.

This was cross-posted at the SANS DFIR blog.
