32 comments

[ 2.2 ms ] story [ 83.5 ms ] thread
"Taking a look at these addresses we find that all but one of them are public proxies."

I think this is a very key point for another reason. If this was perpetrated by North Korea, why would they use an anonymizing proxy in the first place? What would be the point? Have we ever known North Korea to not crave media attention? If they were behind the attack wouldn't they want the world to know? If it was North Korea then why are they suddenly trying to stay out of a spotlight they've never avoided before? Retribution? Doubtful.

Umm... North Korea tries to avoid media attention all the time, phone up the consulate and ask for a VISA to roam around the country taking pictures, this is why they call it the hermit kingdom.

What NK tries to do is control the media.

Also, when they are successful at avoiding media attention you don't hear about it, so you have selection bias based on their regular outlandish threats that DO get media attention.

While i doubt it was NK, if they didnt mask their ip, then everyone would just block that range(i heard they only have a few, although im not 100% certain).
>I think this is a very key point for another reason. If this was perpetrated by North Korea, why would they use an anonymizing proxy in the first place? What would be the point? Have we ever known North Korea to not crave media attention?

Yes. When they do something provocative they try to maintain plausible deniability, because otherwise the target of the provocation would have to do something. The best example is the sinking of the Cheonan. Everyone knew it was the Norks, but they played coy because otherwise South Korea would have been forced to respond. Probably by sinking the North Korean navy.

Also, if the cyber attack was DPRK, it was likely carried out by the unit that does espionage, and for a unit like that proxies are just standard procedure.

All that said, I'm skeptical that it actually was North Korea. They do have this kind of capability, but they tend to use it for more concrete gains, like uncovering spies and stealing technology. A big in-your-face attack on a company like this is out of character for a regime that wants to retain its cyberwar capability for clandestine uses.

Exactly. But NK is a convenient bogeyman for the real aim: CISPA:

http://www.zdnet.com/article/white-house-wants-congress-to-r...

Interesting. Do you have you have more than this article to go on (I found it's connection tenuous, but it could be just this report). Has the white house nudged CISPA specifically? What's quoted in this article is sort of a blanket "partnership with private sector" statement.

The problem is that there are tons of different ways that national and military partnership expresses itself and especially in the case of cyber partnership. For example here's a quote from Richard A. Clarke, previous National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, on the private sector and cybersecurity: "There are certain circumstances under which private sector companies may be legally targeted by national militaries both in kinetic and cyber conflict. Under the law of armed conflict and the principle of distinction, civilian infrastructure is generally considered to be separate from military objects, with military installations always targettable during international conflict and civilian infrastructure off limits from direct attack. However, even in the physical realm, there is often ambiguity about what constitutes civilian infrastructure...

Without extensive private sector involvement, governments would not be able to devise international cyber norms that would work or be accepted. Beyond the need for their expertise, private sector cyber corporations also have equities in the conduct of governments in cyberspace. Private actors must participate in the development of international norms related to cyber war if for no other reason than they are potential targets for attack."

I have been looking for close to a week for Infosec professionals who believe DPRK was responsible for attacks.

So far I have found two.

One is @daveaitel, who sells security solutions to governments.

The other is @thegrugq, who believes that everything we've heard from FBI is a lie, and the NSA simply told them who it was.

Neither is particularly convincing. Does anyone know of any others?

Krebs absolutely counts, but if Krebs says yes and Schneier says no, which he did, then it's a very open question.
Is anyone aware if these experts have a CISSP? Otherwise their opinions are irrelevant.
Krebs is a journalist, not a cybersecurity expert, fwiw.
The most damning argument is, as mentioned in the article, that the NK+The Interview conclusion was not mentioned by the attackers until the media started speculating.

That those responsible for investigation have not looked at the relation to the embarrassing attack on the Playstation network from years ago, that also resulted in droves of user and likely employee data that could be utilized for future attacks, is astounding.

This isn't 2002 where the US Gov can make a claim on hidden evidence and have people believe them, be they the world or its own people. Either put up or shut up.

But the attackers did confuse a lot of people when they threatened with '9/11-style attacks' should any cinema show the movie in question. So either someone else is speaking on their behalf, or they are at least partial sympathetic to the North Korean regime.

Edit: Or perhaps - as the article speculate - they were simply using the opportunity to threaten threats they couldn't live up to, but it wouldn't have mattered as their identity remains anonymous and whether or not Sony caved would be irrelevant to the argument on whether to make the threat.

I agree the logic of the threats makes no sense. There are very few state actors that are this detached from objective and logic. In-fact it feels like the work of a troll, aka anonymous or a reincarnated Lulzsec. The same people responsible for the last Sony hack and whom some might be still sitting on the data trove from that attack. Then again, N.K. could claim to be the original troll.
Then again, had the attackers made their intentions clear up front, media outlets would be reticent about doing someone else's very dirty dirty work for them. By releasing what amounted to to celebrity gossip and no clear demand, lots of outlets that would otherwise hold back dived right in. Only when the story was well and truly a monster did the attackers show their full hand.

If this is, in fact, what happened it represents a far more media savvy approach than most people would expect from NK. That suggests any involvement they had was in partnership with people who actually knew how to operate in America.

>The most damning argument is, as mentioned in the article, that the NK+The Interview conclusion was not mentioned by the attackers until the media started speculating.

This is technically true but the full situation is more complicated.

First, it is difficult to know which of the Pastebins were really made by the hackers and which were made by copycats/trolls.

Second, the media began speculating about the connection to The Interview one day after the hack, Nov. 25. Some probably the day of. The hackers only explicitly mentioned The Interview ("Stop immediately showing the movie of terrorism which can break the regional peace and cause the War!") on Dec. 8.

However, between Nov. 25 and Dec. 8 they released a number of dumps and messages addressing Sony, the public, and the media, while not mentioning The Interview at all. So if they wanted to jump on the sensationalism bandwagon, in my opinion it would have made more sense to start hinting at the movie specifically before Dec. 8. Of course, they may have randomly decided to wait that long for any number of reasons.

Third, I think "Guardians of Peace" is a pretty clear allusion to "protecting the peace [by preventing the release of this terroristic movie]", which they made quite clear in later statements, including in statements before the Dec. 8 mention of the movie. And they used the name Guardians of Peace from day one. "Guardians of Peace" simply doesn't line up with the disgruntled insider or hacktivist hypotheses at all. This does not at all mean it was North Korea, but in my opinion it means the perpetrators either used The Interview as a motive, or as a pretext, from day 1.

There are many possible explanations as to why this could have really been North Korea and why they did not explicitly mention the movie until Dec. 8. There are certainly many explanations as to why it could mean it isn't North Korea, but it's not damning evidence at all.

Obama signed five new cybersecurity bills into law on the 18th. The FBI announcement was Dec 19th.
> It is this piece of evidence—freely available to anyone with an enquiring mind and a modicum of cyber security experience—which I believe that the FBI is so cryptically referring to when they talk about “additional evidence” they can’t reveal without compromising “national security”.

The evidence mentioned here are the addresses of the Command and Control servers. But the author does not give any reason for why he or she thinks this is the thing the FBI is being cryptic about?

First of all, there might be several things to be cryptic about. Second, the article gives nothing that I can see to connect that bit of information to being something that FBI would hold back on. Third, the author just revealed it, so if it were what the FBI was keeping secret, that seems silly.

Did I miss something?

I believe it's implied that the FBI can trace past the proxy servers (not much of a stretch). Naturally, the FBI does not want to give up information on how it does that to avoid cybercriminals counteracting that method of tracing. Just a guess.
Interesting. If so, then the FBI does have information the author lacks, and that information does sound like something which could help pinpoint the culprits.
The FBI doesn't have any special ability to trace connections, especially not outside the US. The NSA might, but it's questionable that they would tip their hand and release classified covert intel just because one company got hacked. China has been hacking our corporations for over a decade but you never hear this much about it in the press.

Edit: then again, China doesn't threaten to bomb our theaters. Could be NK just goofed. But the whole thing is too ridiculous to be plausible.

> But the whole thing is too ridiculous to be plausible.

This is my take as well. State sponsored attacks, or at least the attacks that have allegedly been state sponsored up until now, have been quiet little things that go on for months or years so far under the radar that they only get revealed months afterwards by accident. They aren't filled with green-on-black text and pixelated skeleton images. Something just doesn't feel right about blaming North Korea for this. Maybe it came from the DPRK, but if so it had about as much to do with them as 9/11 did with the Saudis.

Does anyone also feel that the media is the only one that really linked the DPRK to this? I don't recall hearing about North Korea until after the "whodunnit" questions started coming out and speculation between the DPRK's denouncement months ago about The Interview and the very weak correlation between Chinese IPs being frequently involved in attacks and the DPRK's relationship with China, and the recycled malware that has some loose ties to Korea were thrown in a pot and mixed together. Once that started rolling, it seemed that the hackers started playing the Korean card, more for lulz than anything tangible. And now, long after the media has shifted from Poor Sony to Damned Korea (with even the President stepping in with his opinions), we're really heard very little from the attackers. It honestly feels like a bunch of guys in a basement collectively said to themselves "Oh shit, the President of the United States is talking about shit I did, time to cool off". From what I've read about the abysmal security at SPE, it wouldn't be surprising in the least that it didn't take a state sponsored group to do as much damage as they did. Blaming the DPRK only helps Sony sound less like a failure.

The only facts I can be sure of is that Sony did everything wrong in response. Every CIO should learn from this as what _not_ to do when hacked.

>The evidence mentioned here are the addresses of the Command and Control servers. But the author does not give any reason for why he or she thinks this is the thing the FBI is being cryptic about?

The fbi and several other sources publicized the select portion of the code base that linked the ips to shamoon. Presumably, the piece the fbi is being cryptic about is the servers behind the proxy, which, as mentioned, it probably isn't too much of a stretch to guess the government might be able to trace.

Is it possible the FBI/NSA/XXX agency is suppressing evidence in order to protect an informant?

Example scenario: US intel has agent or informant in NK, working high in cyber command. That person shows US intel code used to hack sony, and/or simply tells them that yes, NK did it. Consequently, FBI is confident NK did it, but cannot reveal reason for confidence without jeopardizing safety of informant.

Yes, it is, and this point is actually addressed in the article. The problem is that it's grown more and more difficult to just allow the government to hide behind the veil of confidentiality when they've shown they abuse this power.
North Korea does not have the sophistication to carry out this attack. https://www.youtube.com/watch?v=5hUegMTSh0U#t=59
NK has nukes. NK sends its elite citizens to western university. NK has its own linux distro.

Most of NK would have no clue how to perform this hack - but you could say the same of America. Give a computer to an illiterate Appalacian and see how far they get. NK will carefully train some elites. Those people will have access to the wider Internet and will uave the knowledge to pull off this relatively simple hack.

That's not to say that NK actually did it - just that saying NK is unsophisticated and thus couldn't have done it misses the point.

The linux distro is probably unpatched to every linux vulnerability discovered in the last 10 years-easy to get a shell and start an attack.

You assume NK people think like Americans. Every scientist is working out of fear and therefore is doing the minimal amount possible to not be scolded. I lived in a communist country and the same way the economy was in the hole, so was scientific advancement. A good analogy is Cuba- they have one of the most rigorous schools for becoming a doctor, but they wouldn't know how to operate an MRI since none exist in the country. An NK citizen may have taken security class at an university, but may not have the talent, like a logical anarchist, required to become a great hacker. The number of skilled, motivated hackers outside NK is greater than those inside. Look at the video-how do you find the 10x programmer in that computer lab?

NK's way of keeping 24M people from protesting is by controlling INFORMATION. To have a hacker untraceable and talented enough to enter SONY, they must be read on the latest trends. This same hacker, if informed, would be smart enough to google his way out of the horrible living conditions in NK. The nuke scientists copied 1950's tech.

To me this sounds like the WMD's of the early 2000's. If NK doesn't have any credibility they will be easily blamed for political leverage with no evidence.

I welcome the FBI to open source the malware, traffic and trace logs for community analysis.

Come back and read this comment when hackers acquire this data themselves and provide technical proof of NK NOT being at fault.

A good analogy is Cuba- they have one of the most rigorous schools for becoming a doctor, but they wouldn't know how to operate an MRI since none exist in the country.

A report here from 2006 says otherwise:

Cuba spends ∼16% of its GNP directly on the health system, roughly $320 per year per person. As would be expected, tertiary medical facilities lack both the amenities and the technology found in industrialized countries. A recent modernization campaign, however, has brought interventional cardiology and MRI, for example, to the 48 referral hospitals and ultrasound and endoscopy to polyclinics.

http://ije.oxfordjournals.org/content/35/4/817.full

I am responding specifically to the part that says NK could not have sophisticated hackers, not whether those hackers did it or not.

> NK's way of keeping 24M people from protesting is by controlling INFORMATION. To have a hacker untraceable and talented enough to enter SONY, they must be read on the latest trends. This same hacker, if informed, would be smart enough to google his way out of the horrible living conditions in NK. The nuke scientists copied 1950's tech.

Can you explain people living outside DPRK ho align to DPRK?

http://en.wikipedia.org/wiki/Chongryon

> The other main organization is called Mindan, the Korean Residents Union In Japan, and consists of Zainichi Koreans who have adopted South Korean nationality. Currently, among 610,000 Korean residents in Japan who have not adopted Japanese nationality, 25 percent are members of Chongryon, and 65 percent are members of Mindan. Chongryon's strong links to North Korea, its allegiance to the North Korean ideology and its opposition to integration of Koreans into Japanese society have made it the more controversial of the two organisations in Japan.

I remain agnostic and can't think of a basis for arguing one side to the exclusion of the other. On the one hand, it's not unthinkable that NK had a mole at Sony, or that the attack succeed beyond expectation owing to Sony's abysmal security practices, using vectors that have supposedly been known to black hats for a while. And of course it's possible that the U.S. has hard evidence that can't be revealed. On the other hand, there's the "trust me" problem with the US Govt, the constant push for a free hand from the agencies (and the contractors who supply them and the politicians who enjoy their campaign contributions), and the embarrassment to a Hollywood that overwhelmingly supports the President and his party. Finally, there's the curious statement by Obama last Sunday that this isn't "an act of war," but rather "an act of cyber vandalism"--odd way to characterize actions by a hostile state if he knows that to be the case.