On Monday, Nov. 24, Sony Pictures employees went into work and discovered that their corporate network had been hacked. Sony staff were reportedly forced to work on whiteboards as administrators struggled to repair the damage. The hacking attack was the most destructive cyber attack ever seen on U.S. soil. Terabytes of data were stolen from Sony computers, including five Sony movies (four of which were unreleased) and thousands of confidential documents – from private correspondence between Sony executives to salary and performance data about Sony employees.
The hackers called themselves the “Guardians of the Peace” (or “GOP”) and demanded that Sony cancel the planned release of the film The Interview, a Seth Rogen/James Franco comedy that depicts an assassination plot against North Korean leader Kim Jong-un. Largely because of the nature of GOP’s demands, North Korea came under early suspicion for the attack.
North Korean officials, however, specifically denied any involvement in the attack. “We do not know where in America the Sony Pictures is situated and for what wrongdoings it became the target of the attack nor we feel the need to know about it,” a spokesperson for the country’s government said in a statement. “The hacking into the Sony Pictures might be a righteous deed of the supporters and sympathizers with [North Korea] in response to its appeal.” (North Korea had previously threatened The Interview’s co-director and star Seth Rogen with “stern punishment” over the plot.)
Following threats of terrorism, Sony decided to cancel the December 25th theatrical release of The Interview. And then on December 17, United States intelligence officials stated their belief that the North Korean government was “centrally involved” in the hacking of Sony Pictures. Although the White House announced it was treating the situation as a “serious national security matter,” there was debate within the White House over whether to publicly accuse North Korea. That changed on December 19, when the Federal Bureau of Investigation (“FBI”) formally accused the North Korean government of conducting the cyber attacks.
The FBI’s accusation was largely reliant on circumstantial evidence and the fact that North Korea had previously employed similar malicious hacking techniques on South Korean targets. Specifically, the FBI pointed to “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” that the FBI “knows North Korean actors [to have] previously developed,” and the fact that there was “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” According to the FBI, for example, several IP addresses “associated with known North Korea infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”
On the back of the FBI’s conclusion, President Barack Obama promised a “proportional and appropriate” response. The “first aspect” of that response came on January 2nd when Obama signed an Executive Order that sanctioned key North Korean individuals and business holdings. The Executive Order marks the first time a country has been sanctioned over a cyber attack.
But here’s the problem with all of this: a growing body of evidence suggests that North Korea might not have had a “central role” in the Sony attacks. In fact, North Korea may not have had a role at all.
Although North Korea regularly carries out cyber attacks, these attacks have always been relatively crude. The cyber attacks on Sony, however, required a much higher level of sophistication. “What’s technically impressive about the attacks is not the fact that Sony was penetrated,” wrote Scott Borg, director of the U.S. Cyber Consequences Unit. “It’s the enormous amount of activity that the attackers managed to carry out inside Sony’s computers and networks without detection. They were poking into everything, identifying and mapping everything on the corporate network, opening huge numbers of documents, running many applications, pushing the CPUs to very high utilization levels, and moving many terabytes of data around for months without being detected.”
In addition, there were numerous inconsistencies with previous cyber attacks that were blamed on North Korea. As North Korea Tech reported:
- Computers at Sony displayed a message threatening the release of internal documents if undisclosed demands were not met. North Korean hackers have never made such public demands.
- The message claimed the hack was carried out by “#GOP,” which stands for “Guardians of the Peace.” Attacks linked to North Korea have never included such claims of credit.
- The attackers posted messages on several Sony Twitter accounts, personally attacking Sony Pictures CEO Michael Lynton. North Korean attacks have never used such a tactic and state media has never called out Sony executives when criticizing the movie.
- North Korea has never launched such a targeted and public attack at an institution that angered it, and many organizations have angered it in the past.
Perhaps most damning, however, is the problem of motive. There is a huge disparity between the motive assigned to North Korea for the hack – over the film The Interview – and the motives the hackers themselves have given, which point to extortion.
On Nov. 21, three days before Sony computers were hijacked by the attackers, a strange email was delivered to several Sony executives. Although the attackers had been snooping around Sony’s infrastructure for some time, this was the first time Sony was made aware of their presence. The message did not talk about politics. It did not mention The Interview. What was it about? Money.
“We’ve got great damage by Sony Pictures,” the message said. “The compensation for it, monetary compensation we want. Pay the damage, or Sony Pictures will be bombarded as a whole.” The message, a copy of which was obtained and published by Mashable, was signed: “From God’sApstls.” The hackers had not yet claimed the moniker “Guardians of the Peace.”
The demand for monetary compensation was echoed in an email sent Nov. 30 from the email address used to leak Sony data. In the Nov. 30 email, one of the apparent hackers wrote a reporter with IDG News that “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years. It has brought damage to a lot of people, some of whom are among us.” The hacker continued: “Nowadays Sony Pictures is about to prey on the weak with a plan of another indiscriminate restructuring for their own benefits. This became a decisive motive for our action. We required Sony Pictures to stop this and pay proper monetary compensation to the victims.”
Because of these problems, many security experts have questioned the belief that the attack was carried out by North Korea. Of course, none of the problems discussed above necessarily means that North Korea wasn’t involved in the Sony attack. In fact, it’s difficult to believe that the U.S. government would take the absolutely unprecedented step of formally blaming another nation for a cyber attack – something that has never occurred before – absent it having other evidence that it can’t disclose. As Kim Zetter in Wired recently noted, “When the government has pointed a finger directly at other nations for cyber attacks, it has generally come from individual officials speaking to the press, not from a formal press statement – let alone the president.”
However, there is reason to question the popular narrative, and each of these factors makes it less and less likely that North Korea was involved. Implicating North Korea in the cyber attack made the entire story a tidy, clean narrative. But if we’ve learned anything since September 11, it’s to be suspicious of such narratives, and to follow where the evidence leads us.
The sort of evidence we have been presented with “is circumstantial at best,” wrote Bruce Schneier in The Atlantic. “It’s easy to fake, and it’s even easier to interpret it wrong. In general, it’s a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the ‘evidence’ to suit the narrative they already have worked out in their heads.”