December 29, 2014
NEW YORK (CNNMoney)
What we now know about the Sony Pictures hack shows this cybermystery isn't over yet.
The FBI presented evidence that North Korea was behind the hack. Upon closer examination, security experts, hackers, and people familiar with Sony's computer networks are converging on this disheartening reality: Anyone could have pulled this off.
It could have been a disgruntled Sony employee, profit-seeking hackers, North Korea--or a combination of the three.
Here are the facts about the hack that we do know:
- Hackers used computer servers in Bolivia, Cyprus, Italy, Poland, Singapore, Thailand and the United States to attack Sony.
- The IP addresses associated with those servers have "previously [been] linked to North Korea" by the FBI.
- The malware used against Sony had what the FBI calls "lines of code" and "data deletion" methods similar to malware "North Korean actors previously developed."
- The computer-wiping software used against Sony was also used in a 2013 attack against South Korean banks and news outlets, which the FBI attributed to North Korea.
- The malware was built on computers set to Korean language--unusual in the hacking world.
- Hackers demanded Sony Pictures pull "The Interview" to avoid starting a war over a movie.
These facts are why the Obama administration has accused North Korea of hacking Sony Pictures and has vowed to retaliate.
But security experts aren't 100% ready to point their fingers at North Korea--not yet, anyway.
Technical evidence shows anyone can tap servers for hacking and spamming. Hackers routinely borrow and share computer code. Computer wiping software can be bought legally by anyone. A computer's language settings can be changed on a whim. And this hack actually started as an extortion attempt on Nov. 21 when Sony executives got emails saying "The compensation for it, monetary compensation we want."
Robert Graham, a researcher with Errata Security, stresses that anyone can hire hackers on the black market. These cybersoldiers of fortune might work on behalf of a country or an ex-Sony employee--and not even know it.
He's also wary of how quickly the US government blamed North Korea. Hacking investigations typically take months, including the FBI's takedown of online drug bazaar Silk Road and hunting down members of LulzSec.
"Even if it's true that it was North Korea, I don't think the FBI would do it in three weeks," Graham said. "Maybe six months."
This year's major hacks are a perfect example. Law enforcement still hasn't publicly identified--or arrested--those who broke into Target, Home Depot, and JPMorgan and stole millions of credit cards and lots of personal data.
Robert M. Lee, co-founder of consulting and software firm Dragos Security, puts it this way: There might be evidence against North Korea, but what the FBI presented doesn't cut it.
Lee, until recently a U.S. Air Force intelligence officer specializing in cyber warfare, also worries about how quickly North Korea was blamed. Lee said intelligence agencies and law enforcement don't typically work together at this kind of breakneck speed--and when they do, they often rely on outdated or inaccurate information, because there are so many conflicting intelligence reports.
For its part, North Korea's government says it was framed. Take that for what you will.
Adding to the fog: Lots of Sony employees with critical access to the computer network were laid off by the company earlier this year, according to ex-employees. And early on, the hackers talked about seeking "equality" at Sony.
A simple explanation points to North Korea. But those who understand hacking worry it's just too simple.