December 30, 2014

"Researchers from the cyber intelligence company Norse have said their own investigation into the data on the Sony attack doesn’t point to North Korea at all..."

"... and instead indicates some combination of a disgruntled employee and hackers for piracy groups is at fault."
Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon....

“Whenever we see some indicators or leads that North Korea may be involved, when we follow those leads, they turn out to be dead ends,” Stammberger said. “Do I think it’s likely that [U.S. government officials] have a smoking gun? … We think that we would have seen key indicators by now in our investigation that would point to the North Koreans: We don’t see those data points. So if they’ve got them, they should share some of them at least with the community and make a more convincing case.”

40 comments:

Tank said...

Tank's meme:

You cannot believe anything the gov't tells you.

Also, other gov'ts.

Also, the "media."

SociallyExtinct said...

The only people who bought the Sony/US intelligence "North-Korea-did-it" line from the beginning were probably the same people that paid money to watch this piece of crap.

paminwi said...

Just a way for Obama to push "the government" needs to take control of the internet idea. "If a small, undeveloped country like North Korea can do all this damage, what kind of damage could China, Iran or Russia do" says " the government" of Obama? "You poor schmucks really need our help!"



rhhardin said...

It's a world of narratives.

rhhardin said...

The only thing you can believe is math. You can check it yourself.

Matt Sablan said...

That will be incredibly embarrassing for everyone involved if true. I never really weighed in one way or the other, but I just assumed when we were told that North Korea did it, that they actually had proof.

Welp, there's another hit to my naive faith.

Bob Boyd said...

I saw an article in Rolling Stone that claims Sony went to a frat party, was lured to an upstairs room and that's where it was penetrated.

libertariansafetyguy said...

What crime did we commit if we launched a cyber attack against North Korea and they weren't responsible for the original hack?

richlb said...

It was because of a YouTube video.

TreeJoe said...

The problem with the FBI/media's claim was both the speed at which it was determined and the lack of any notable evidence cited. The FBI claimed a foreign government was responsible for industrial sabotage on a major American company, released that claim, and then did nothing to back it up.

I have no actual insight into what happened, but an analog would be the GWB administration claiming a country's government was responsible for 9/11 in the days and weeks following that event - and then never backing it up. This type of major attack, whether lives are lost or not, is an act of war by a foreign government. You don't claim that government is responsible without presenting evidence as to why.

Gabriel said...

Hackers aren't magic. They need not only modern technology but exposure to and experience of modern methods of security, and they have to learn things from somebody, and they have to stay current.

Hackers in the developed world are part of a community that goes back to the beginning of computing.

North Korea has fewer IP addresses than a single building in New York City. Their self-imposed isolation means that it is not very plausible that they have hackers who are going to be capable of much.

chickelit said...

Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

And yet, Al Sharpton - AL SHARPTON! -- landed a position as an advisor/consultant out of it.

Go figure.

rehajm said...

I was surprised by the quantity of supposedly intelligent leftie mainstream media types bragging about downloading the movie. Then actually watching it. Then actually enjoying it.

One need not participate in the leftie email lists to come to the correct conclusions.

Skipper said...

But, but, POTUS told us so.

traditionalguy said...

This sounds suspiciously like one of Bill Cosby's techniques. Were you there? How do you feel? More importantly, are you pregnant?

JSD said...

The FBI sucks at investigation. They are champs once they get somebody in the box. Access anything and everything about a suspect and then crush them. Lawyers with badges. They don’t always get the right person, as was the case in Boston.

ron winkleheimer said...

Figuring out the source of an attack in cyberspace is extremely difficult because hackers, not surprisingly, take great pains to conceal their identity.

To do so they use already compromised computers, concealing their IP address/location by routing their traffic through those computers. Thus someone in Atlanta, sitting in a Starbucks or Barnes and Noble, using free wifi, connects to a previously hacked computer in Barcelona and from that computer connects to a server in China, etc. A chain of 10-20 hops makes tracing the traffic back to a perpetrator pretty much impossible, especially if some of the intermediate computers reside in countries hostile to the U.S.

Most of the analysis I have read leans towards the "a Sony insider did it" theory because the malware used had hard coded passwords, computer hostnames, and file paths. That sort of information could have been discovered by an intruder and then incorporated into the malware, but that is not the modus operandi of most hackers. Your malware discovers such things and they are encapsulated as variables. Saves typing.

In addition, the claim is that initial contacts from hackers did not mention the movie and were more orientated towards extortion of money. And a lot of the data revealed to the Internet is the sort that a hacker would release to tell the world they pwned Sony whose security sucks.

What I have not seen anywhere is speculation that it could be a Sony insider and involve North Korea.
If I am a North Korean spy tasked to get dirt on Sony executives my first reaction is not going to be to attempt a time consuming, and possibly futile attempt to hack Sony. I am going to do what intelligence operatives have done from time immemorial. I am going to suborn an insider through blackmail, money, ideological appeal, sex or (most likely) a combination of all of the above if possible.

Public source information informs you that Sony recently laid off a bunch of IT workers. Some of those people are going to be angry and need money. The only real risk in approaching them is that they might inform the authorities. But, you are a North Korean intelligence agent. So threatening them and their families with death if they do so is not off the menu.

The FBI claims that the malware used has been used by North Korea in the past, but if that is the case it would be a simple matter to provide it to the suborned insider. And, now that I think about it, it might not have been a laid-off IT worker. A laid-off IT worker would not have access to the latest IT information, which might have been changed since they last worked there. A currently employed IT worker would be best.

You know, you could write a pretty good movie based on this.
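The hard-coded passwords, hostnames and file paths that the comment above leans on are exactly what an analyst looks for in a first strings pass over a sample: if the binary carries victim-specific names, whoever built it already knew the environment. The block below is an added example, not code from the comment or from any real examination of the Sony malware; the byte blob, the hostnames, paths and credentials in it, and the indicator patterns are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed stand-in for a malware sample: a few embedded strings between
# non-printable bytes. Every hostname, path and credential below is invented.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    b"\\\\FILESRV01.corp.example.internal\\share\\drop\x00"
    b"\x00\x01\x02"
    b"net use \\\\DC01 /user:corp\\svc_backup P@ssw0rd-constructed\x00"
    b"\x7f\x7f"
    b"C:\\Users\\admin\\AppData\\Roaming\\update.bat\x00"
    b"GET /index.html HTTP/1.1\x00"
    b"password=Winter2014!\x00"
    b"short\x00"
)

# Patterns (assumed, not from any real tool) that suggest the author already
# knew the target network rather than discovering it at run time.
INDICATOR_PATTERNS = {
    # \\HOST or \\HOST\share\path
    "unc_path": re.compile(r"\\\\[A-Za-z0-9][A-Za-z0-9.\-]*(?:\\[^\\\s]+)*"),
    # host.corp / host.internal / host.local style internal names
    "internal_hostname": re.compile(r"\b[A-Za-z0-9\-]+\.(?:corp|internal|local|lan)\b", re.I),
    # absolute Windows file paths
    "windows_path": re.compile(r"\b[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+"),
    # password=... or "net use ... /user:NAME SECRET"
    "credential": re.compile(r"password\s*=|/user:\S+\s+\S+", re.I),
}


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket each extracted string under every indicator pattern it matches."""
    findings: Dict[str, List[str]] = {name: [] for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pat in INDICATOR_PATTERNS.items():
            if pat.search(s):
                findings[name].append(s)
    return findings


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise how much environment-specific knowledge a sample embeds."""
    findings = classify_strings(extract_strings(blob))
    categories_hit = [name for name, hits in findings.items() if hits]
    return {
        "findings": findings,
        "categories_hit": categories_hit,
        # Two or more categories of hard-coded victim detail is a lead for the
        # investigation (who knew these names?), not proof of who wrote it.
        "environment_specific": len(categories_hit) >= 2,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    for category, hits in result["findings"].items():
        for hit in hits:
            print(f"{category:18} {hit}")
    print("environment-specific:", result["environment_specific"])
```

The point of the `environment_specific` flag is the one the comment makes: hard-coded internal names narrow the question to who had that knowledge, which is a different question from who ran the operation.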

ron winkleheimer said...

Also, linguistic analysis seems to indicate the hackers speak Russian. Russia has a thriving blackhat hacker community.

So North Korea hires some competent hackers and suborns an insider (possibly blackmails them with pictures of them cheating on their spouse.)

The hackers provide the insider with the malware which he or she introduces into Sony's network. The insider also provides them with all the information he has concerning the network, greatly simplifying the hackers' job. The hackers then go off script, realizing that they might be able to extort a lot more money from Sony execs than the North Koreans are paying them, causing the North Koreans to remind them that North Korean intelligence agents are not averse to a bit of behavioral modification through murder and torture.

PuertoRicoSpaceport.com said...

Remember the movie "Olympus has fallen" a year or two back? Remember that about the same time there was a big meme about NoKo and nukes and how they were going to destroy us?

Remember how it turned out to be basically a big promo for the movie?

I had a Matt Lauer interview with Gerald Butler where Butler said as much but the link no longer works.

Did Sony realize they had a turkey on their hands and promote the idea that NoKo had hacked them as a movie promotion?

It is looking more and more like that though we will probably never know for certain.

John Henry

SomeoneHasToSayIt said...


The too-quick ID-ing of North Korea has a much simpler explanation, one in keeping with the pervasive deceit that is this Administration's SOP.

It was meant to buttress the false narrative that a video CAN be a sole source of deep offense and then outrageous reaction, e.g., Benghazi.

Pitiful.

FullMoon said...

After talking with Norse, the FBI still says it was NK.

ron winkleheimer said...

By the way, you don't really have to have superior technical skills to be a hacker. Kevin Mitnick, at one time the most wanted computer criminal in the U.S. according to wikipedia, used dumpster diving and social engineering to gain the info he needed to break into computer networks.

And these days, security auditing and network exploration software are available for purchase or you can download open source software with that functionality for free.

ron winkleheimer said...

And it's possible the FBI is not revealing how they know it was the North Koreans because doing so would expose "sources and methods."

Perhaps the U.S. has suborned a North Korean intelligence official who has told them that NK did this?

Perhaps that NK agent is a double agent and is lying because they want the U.S. to think they have greater capabilities than they really do?

Who knows?

Brando said...

Not surprising at all--I remember thinking that the Norks didn't have the resources to pull off anything like this, and that making empty threats that it couldn't follow up on would be irrational. The Norks just want to seem crazy, but they actually have behaved rationally in an evil way.

The question remains, though, why would our government want us to think the Norks could do it? How would this benefit them?

ron winkleheimer said...

For anyone who is actually interested in hacker culture and hacking I would recommend The Cuckoo's Egg by Cliff Stoll which is about KGB sponsored hacking just before the dawn of the Internet and The Hacker Crackdown by Bruce Sterling.

The latter was the first book where the author kept the electronic publishing rights and released the book for free on the Internet.

Larry J said...

Hacking a company seldom requires the talent or resources of a national government. Many governments employ hackers for various reasons, good or otherwise. It always seemed improbable to me that it would've taken the North Koreans to hack Sony. It might've been beyond the abilities of your generic script-kiddies but well within the capabilities of organized hackers or organized crime.

Bob Boyd said...

libertariansafetyguy said...
What crime did we commit if we launched a cyber attack against North Korea and they weren't responsible for the original hack?

Turns out it wasn't us. The NK internet outage was traced to a faulty, three outlet power strip.

DrSquid said...

I thought it seemed a bit strange several days ago when the embarrassing e-mails were released, such as the possible movie preferences of our first African-American president. What gives a NORK cyber spy the insight to understand why such lame humor would be embarrassing to an American movie producer? Seems pretty obvious to us who have long marinated in our peculiar political correctness and highly developed taking of offense, but how in the hell would that nation of shut-ins understand that. Maybe they hired a consultant to advise them in how to exploit what they had stolen.

ron winkleheimer said...

@Larry J

Considering some of the passwords in use at Sony as revealed by the Hackers, I'm not so sure script-kiddies couldn't have done it.

I remember, way back when I was in the Army, a colonel who kept his password on a post-it note hid under his keyboard.

Fernandinande said...

North Koreans are too busy to bother with hacking.

Kim Jong Un Visits June 8 Farm of KPA
"Pyongyang, December 26 (KCNA) -- Kim Jong Un, first secretary of the Workers' Party of Korea, first chairman of the DPRK National Defence Commission and supreme commander of the Korean People's Army (KPA), gave field guidance to the newly-built vegetable greenhouses at the June 8 Farm of the KPA.

He was very pleased to see the greenhouses in rows, saying that they were built neatly and they look like a picture."

ron winkleheimer said...

Another possibility occurs to me, rival Sony exec looking to oust current studio head in collaboration with IT insider.

Also, I bet the FBI wishes all these security experts would shut up. They're spooking the insider, and the FBI has them under surveillance in order to identify other people who were involved.

Mitch H. said...

It's been my impression for years that a significant percentage of "security researchers" are playing both sides of the fence with the deliberate intent to drum up business coming and going. You can't trust them further than you can throw them.

I've always assumed that North Korea hired some black hats to do the work for them. Who is the most likely propaganda beneficiary of the attacks? North Korea. The alternate explanations are frankly ludicrous, and the fact that a lot of people are buying into it only illustrates the cultural damage done by decades of Hollywood fantasies of Machiavellian Evil Corporations.

Although I have to say that Ralph Hyatt's various suggestions aren't totally implausible. It's just that the whole idea that North Korea *can't* have been involved is so... myopic-paranoid. It's almost note-for-note the very sort of modern Hollywood "oh, it looked like it was evil third-world people, but twist! it's actually horrible American corporate fatcats!" bushwalla that companies like Sony traffic in so shamelessly.

So maybe it's just karma?

ron winkleheimer said...

"the whole idea that North Korea *can't* have been involved is so... myopic-paranoid"

I agree. The NK government has agents involved in criminal enterprises including drug smuggling and human trafficking for the sole purpose of raising money for the NK regime. They have kidnapped Japanese citizens off of Japanese beaches because they needed native Japanese speakers to teach their operatives how to speak Japanese. It is believed that NK is the source of high quality counterfeit $100 bills. NK is ruled by what is, essentially, a criminal gang.

Hiring some Russian hackers and suborning a Sony employee would seem to be well within its capabilities.

Bobby said...

None of this is new or revelatory. Hector Monsegur, the former Anonymous hacker and LulzSec co-founder known as Sabu, talked in great detail about this on CNET two weeks ago. According to Monsegur, North Korea lacks the physical infrastructure to have downloaded all of that data (their bandwidth is so limited it would have taken months, if not years, according to him). He did not rule out, however, the possibility that North Korean state hackers (who are very good) could have done it from some other location, or that NK could have simply hired hackers from other countries or that it was an inside job from a corrupt Sony employee. Note that none of these exclude any of the others.

NorthOfTheOneOhOne said...

DrSquid said...

I thought it seemed a bit strange several days ago when the embarrassing e-mails were released, such as the possible movie preferences of our first African-American president. What gives a NORK cyber spy the insight to understand why such lame humor would be embarrassing to an American movie producer? Seems pretty obvious to us who have long marinated in our peculiar political correctness and highly developed taking of offense, but how in the hell would that nation of shut-ins understand that. Maybe they hired a consultant to advise them in how to exploit what they had stolen.

Beat the drum about Sony (and America) being greedy capitalist enemies of the revolution and we all would have yawned. This is what the Norks would have done if acting alone.

But release an email where Amy Pascal calls Angelina Jolie a spoiled brat and half the country goes apeshit.

Somebody with a better grasp of American culture than the Norks had a hand in this.

Anonymous said...

Sony insider hacks Sony, but blames it on NK.

NK obliges by releasing creepy statement, because who wouldn't want to appear all powerful?



ron winkleheimer said...

First step is to acquire a corporate directory or organizational chart. As crappy as Sony's security seems to be that may have been as simple as checking the dumpster outside their corporate hq. (Such materials, if printed out, should be marked as confidential and shredded before discarding.) If they do have adequate controls in place, then bribe a janitor or get hired by the company that provides janitorial services to Sony and steal the material.

Once that material is obtained find out who has titles that indicate that they could be useful, such as network administrator.

Use public sources of information to discover if the identified individuals have money issues. Run a credit check on them. Are they divorced? Paying child support? Have kids in college?
Do they frequent a bar? Perhaps they can be seduced and the pictures used to blackmail them?

Once suborned, give them a usb flashdrive and instruct them to plug it into their computer and reboot it.

Corporate firewall bypassed, malware installed on internal network.

Malware uses http protocol to call home, defeating firewall traffic monitoring (if that is happening at all) by encapsulating traffic. Commands are sent to the malware encapsulated in http protocol as responses to http requests.

For that matter, the whole suborn an insider step may not be necessary, depending on how bad the computer security is. Security auditing firms have given away usb flashdrives in the parking lots of corporations they are auditing, pretending it is some sort of promotion, and employees have accepted them, taken them into their office, and plugged them into their computer.

I don't know what malware was used, but you can buy malware off the Internet. Plenty of people who call themselves hackers who are actually just using tools created by others that they don't understand.

Since there was hard coding of passwords, etc., that doesn't seem to be the case here. But the KGB has, in at least one case, worked with non-government hackers who were hacking US computers and offered the info gleaned to the KGB for money. Obviously NK and Russian intelligence agencies have contact. If the NK needed some hacking expertise they could ask their Russian counterparts to point them in the right direction.
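The comment above describes malware that calls home over plain HTTP so that its traffic blends into what the firewall already allows. From the defender's side, the property that gives such traffic away in proxy logs is not the protocol but the rhythm: a human browses in bursts, while an implant polling for commands tends to fire at a fixed interval. The block below is an added example of that check, not code from the comment or from any real Sony investigation; the log format, the client addresses and the destination names are constructed for this illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log in a simple space-separated layout invented for this
# example: timestamp, client IP, destination host, method, URL path, status.
# 10.1.2.7 polls the same URL roughly every five minutes; 10.1.2.9 is a person
# reading a news site in bursts.
PROXY_LOG = """\
2014-12-30T09:00:00 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:05:01 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:09:58 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:15:03 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:20:00 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:24:59 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:30:02 10.1.2.7 update-check.invalid GET /check?id=42 200
2014-12-30T09:00:12 10.1.2.9 news.example.com GET / 200
2014-12-30T09:00:40 10.1.2.9 news.example.com GET /story/1 200
2014-12-30T09:07:05 10.1.2.9 news.example.com GET /story/7 200
2014-12-30T09:31:50 10.1.2.9 news.example.com GET /sports 200
2014-12-30T09:33:02 10.1.2.9 news.example.com GET /weather 304
2014-12-30T10:10:00 10.1.2.9 news.example.com GET / 200
2014-12-30T10:11:45 10.1.2.9 news.example.com GET /story/9 200
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed-format log line into (time, client, host, url)."""
    ts, src, dst, _method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, url


def find_beacons(log: str, min_requests: int = 6, max_cv: float = 0.1) -> List[Dict[str, object]]:
    """Flag (client, host) pairs whose request spacing is too regular for a person.

    The coefficient of variation (stdev / mean) of the gaps between requests
    is near zero for a fixed-interval poller and large for interactive use.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, url = parse_line(line)
        by_pair[(src, dst)].append((ts, url))

    alerts: List[Dict[str, object]] = []
    for (src, dst), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue  # too few points to say anything about periodicity
        reqs.sort()
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap  # jitter relative to the period
        if cv <= max_cv:
            alerts.append({
                "src": src,
                "dst": dst,
                "requests": len(reqs),
                "period_s": round(mean_gap),
                "jitter_cv": round(cv, 3),
                # A poller usually hits one URL; a person wanders across many.
                "distinct_urls": len({url for _, url in reqs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(PROXY_LOG):
        print(alert)
```

The threshold is the weak point of this check: an implant that randomises its sleep interval pushes the coefficient of variation up, so `max_cv` has to be tuned against what the environment's legitimate pollers (software updaters, monitoring agents) actually look like, and a single-URL, low-jitter pair is a lead to inspect rather than a verdict.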

ron winkleheimer said...

@Bobby

"He did not rule out, however, the possibility that North Korean state hackers (who are very good) could have done it from some other location"

I recall reading somewhere that the FBI believed the actual hacking originated in China in an area adjacent to NK and there was some speculation that China (or perhaps corrupt Chinese officials) may have been involved.

ron winkleheimer said...

The problem with that, however, is how could they know that the hack originated in China. I don't think the Chinese are giving them the server logs? Perhaps those servers are just an intermediary step to hide the true source?

Conserve Liberty said...

Occam's Razor:

Sony's insurer can be forced to cover their liability to a class of individuals whose identities were suborned if the hacker was a rogue state, but not if the hack was the result of ordinary blackhat security trolling.

Especially if Sony had declined to implement security layers recommended or demanded by their liability insurers.

Oh, shit!! Wait - there's an easy fix. We bought Obama