
Modern field guide to security and privacy

Security experts: FBI report light on evidence linking North Korea to Sony hack

The FBI statement that linked the Sony hack to North Korea relied on previously released and inconclusive evidence, said many cybersecurity insiders.

Columbia Pictures/AP
"The Interview," a comedy starring (from left) Diana Bang, Seth Rogen, and James Franco, was canceled by Sony Pictures after hackers linked to North Korea threatened violence if the studio released the film.

Even after the Federal Bureau of Investigation's official statement that North Korea was behind the Sony attack, many cybersecurity experts are still skeptical the hermit nation is truly the culprit, citing a lack of new and more convincing evidence.

"It's mostly a repeat of information that has been in the public before," Rob Graham, chief executive officer of research firm Errata Security, said of the FBI's statement issued Friday.

Many prominent names in the field, Graham and others, took to Twitter to express their concern. "I'm completely underwhelmed by the FBI's 'proof' attributing Sony attack to North Korea," Graham tweeted from his @ErrataRob account.

The FBI points to three key factors that "in part" lead to its conclusion -- and all three had already been disclosed to the public by Simon Choi, a virus researcher from Seoul's Hauri Inc.

The statement mentions the similarities between deletion malware used in the Sony hack and deletion malware previously used by North Korean hackers; it refers to tools used in the Sony attack that were similar to ones deployed in a North Korean attack on South Korean media and banks; and the agency pointed out that infrastructure hardcoded into the malware (including IP addresses) matched infrastructure identified as North Korean in the past.

Even with this information, many in the cybersecurity industry see these links as tenuous at best. All of the technical watermarks can be, and frequently are, falsified or mimicked by hackers.

"We know that hackers share malware on forums. Every hacker in the world has all the source code available," says Mr. Graham.

"I think you have to go back to the original ransom note," says Graham Cluley, a former antivirus software programmer and security consultant who currently writes about the industry for grahamcluley.com, a security blog.

"It didn't ask for 'The Interview' to not be released, it asked for money," he says. "In Dark Seoul, there were no demands. They just wiped everything. We're not even entirely sure that North Korea did that attack. We think they did, but it hasn't been proven."

Mr. Cluley told Passcode on Thursday that he was skeptical of then-anonymous reports of government agencies identifying North Korea as the culprit. The FBI report has done nothing to change his mind.

Cluley says that investigations into data breaches are nearly impossible to conduct from a digital perspective without (at minimum) investigating the computer used to perpetrate the crime, and are rarely completed in the kind of timeframe in which the FBI has blamed North Korea for the Sony attack.

The lack of convincing detail in the report would imply the accusation must be based on "human or signals" intelligence, says Rick Holland, principal analyst serving security and risk professionals at Forrester Research. Basing the accusations on the detail released to the public would be rash, he says.

The NSA has a long history of monitoring hackers to copy their tactics, says Mr. Holland. "There's no reason to assume anyone considering an attack wouldn't do the same thing."

Ideally, says Holland, the government would release more information to back up its claims. But he isn't holding his breath for more detailed technical information coming out of the government.

"The United States has a long history of declassifying imaging data to justify an accusation -- we did that, for example, to show Russian tanks had crossed into the Russian border. But for this, there's no equivalent of a photo of Russian tanks. With digital investigations, there's nothing quite as definitive."

Graham, of Errata Security, who would like to see the code used by the hackers released, takes a more cynical view. "They're worried we'll prove them wrong," he says.

The FBI report is not without believers. Thomas Rid of King's College London and Richard Bejtlich of FireEye immediately tweeted to each other that the evidence was "as good as it gets" -- when Rid's recent research partner and co-author of the well-read "OMGCyber" paper, Robert M. Lee, interrupted.

Lee, an Air Force cyber operations officer, tweeted, "[A] lot of what is attributed is based on their previous knowledge of infrastructure. How do we know it's good?"
