US reportedly blaming North Korea for Sony Pictures hack. But why?


The New York Times is reporting that the White House is pointing the finger of blame at North Korea for the hack of Sony Pictures.

So far, at least, there has been no official confirmation from the United States government and all the NYT has are sources that won’t go on the record. Meanwhile, Sony has officially cancelled the release of the controversial Seth Rogen movie “The Interview”.

As regular readers will know, I have been somewhat skeptical of the claims that North Korea is involved. It just doesn’t feel right.

The truth is, as has been shown time and time again, trying to determine the location of internet hackers can be as hard as nailing jelly to the ceiling.

Attributing internet attacks to a particular country is extremely difficult, as it’s so easy for hackers to cover their tracks or point investigators in the wrong direction. It’s not uncommon at all for attackers to use compromised computers in other countries as part of their attack to throw investigators off the scent, and allegations of where hackers might be based are often founded on the flimsiest of “evidence”.

Here’s what we do know:

  • The hackers initially emailed Sony executives days before the “skull attack”, and demanded money. No mention of “The Interview”, no mention of North Korea.
  • The hackers then plastered grisly skull images over Sony computers, and threatened to release the company’s data unless their demands were met. No mention of “The Interview”, no mention of North Korea.
  • Suddenly the media, following the Re/code report, starts linking the attack to “The Interview” and North Korea.
  • We also know that state-sponsored attacks don’t tend to put skull images on the computers they’re targeting (it makes the attack kinda obvious!) or demand money.
  • If it was all a plot by North Korea (or N Korean sympathisers) to attack Sony because of the movie, why didn’t the initial demands or the malware mention this?
  • Similarities have been drawn between the Sony Pictures attack and the DarkSeoul malware that hit South Korean broadcasters in 2013. That attack wasn’t shy of using skull imagery either.

And, if unnamed White House sources are now pointing an accusatory finger at North Korea we need to ask ourselves:

  • Why are they unnamed sources? Why won’t they go on the record? What do they hope to gain by making the claims anonymously?
  • What proof do the US authorities have that North Korea is behind the attack?
  • How do the US authorities explain the malware and the demands not making a reference to the movie or N Korea? Yes, we know that a later anonymous PasteBin post started ranting about the movie and made 9/11 threats.

So, consider me a skeptic. I would like to have answers to a few more questions, and hear some of the evidence, before falling behind the claim that North Korea has orchestrated the attack against Sony.

If I were a betting man, I would agree that whoever is responsible for the attack has a big grudge against Sony and its executives (not that that narrows down the list of suspects much!). One avenue for investigation should definitely be to explore whether a disgruntled (possibly former) employee played a part in this hack.

One final thought. If Sony Pictures’ network security was as poor as it appears, is it possible that more than one hacking gang has had access to its information?


6 Responses

  1. Andy

    December 18, 2014 at 12:47 pm #

    I wouldn’t put these hacks past the U.S. gov’t. Have you noticed that a large chunk of the documents released relate to pay disparities between the sexes? Hasn’t the POTUS been on an equal pay rant?

    • Barry Obama in reply to Andy.

      December 18, 2014 at 12:55 pm #

      Oh, snap! The US Govt sure is going to buckle under the Cluley threat. And now the Andy Analysis? They are sure to come clean now.

      Your bias and paranoia is showing, boys.

      • Coyote in reply to Barry Obama.

        December 18, 2014 at 6:53 pm #

        Cluley threat. What might that be? Telling them they are… yes, intentional… clueless and until they wake up, things will only get worse? And they should mark his words! He’ll make sure it comes true if they don’t. Oh, but wait… even if they do wake up, it’ll still get worse. In other words, it is reality.

        I won’t elaborate because you’ll think I’m a lunatic (you might be on to something.. maybe) but that (above) isn’t paranoia.

    • Coyote in reply to Andy.

      December 18, 2014 at 6:38 pm #

      The US government couldn’t ‘hack’ (the quotes are intentional but only in the meaning you use it - the other meaning is very correct) themselves out of a paper bag if they were armed with an axe. The current administration is not at all the first administration to have a breach. They won’t be the last. At least the last three administrations (there were defacements - and similar[1] - of government sites including indeed during both Bush Jr and Clinton (and if Bush Sr was not here it would be because much less people were online including indeed much less kiddies[2])).

      [1]The fact there were popular mirrors of web defacements didn’t help the matter because it got to their heads and they thought they were proving something (they were proving something but nothing they were trying to prove). gH comes to mind as one group. But defacements wasn’t the only thing, either, that much is for sure.

      [2]Yet somehow I have a vague memory that there were issues then, too. Nothing comes to mind, however, so I don’t know for sure (and don’t feel I need to verify one way or another).

  2. Coyote

    December 18, 2014 at 6:31 pm #

    “The truth is, as has been shown time and time again, trying to determine the location of internet hackers can be as hard as nailing jelly to the ceiling.”

    Sigh. I really wish people would get a clue here. Yes, it is near impossible. Even if it comes from a specific country that does not mean it is state sponsored[1] (and some times, as I noted elsewhere, it is nationals of one country IN another country attacking the country they are IN but none of which means it is state sponsored).

    [1]This logical fallacy is abused far too often. This person supports X… or this person is in X. X is stupid/a convict/list goes on. Therefore person is stupid/a convict/.… It rarely works that way. When it does it does not mean (and to think otherwise is a fallacy itself, ironically trying to validate fallacy with fallacy).

    “It’s not uncommon at all for attackers to use compromised computers in other countries as part of their attack to throw investigators off the scent, and allegations of where hackers might be based is often founded on the flimsiest of “evidence”.”
    And don’t forget bouncing off multiple proxies, hosts, … Evidence is more like blame game and is in the family of it can never be ‘my fault’, it is always someone else! I’m a victim and anyone else is the perpetrator (or sympathiser).

    I don’t buy this either. I also have to wonder if the supposed sources are more like sources of where they got the information (and I mean to say maybe someone ELSE claims that THEY got information from the government). Whether that is true or not, is hard to know. But even if the government is claiming this, it doesn’t really mean much: they are clueless in this department, as time has shown again and again. However, until there actually IS evidence that they are claiming this, I’ll give the benefit of the doubt (because I don’t assume and I don’t libel/slander or otherwise defame). Even if they do claim it, it doesn’t mean it is true.

  3. Jim

    December 30, 2014 at 3:03 am #

    Thought you might be interested in this.
