
US Links North Korea to Sony Hacking - mcfunley
http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html
======
nikcub
> The attacks at Sony were routed from command and control centers across the
> world, including a convention center in Singapore and a computer at
> Thammasat University in Thailand. But one of those command and control
> servers, a computer in Bolivia, had been used before, in a limited set of
> cyberattacks on South Korean targets two years ago.

The evidence has to be better than this to make an accusation against a state.
Botnets overlap a lot because the way they are built is with automated
scanners that take advantage of common vulnerabilities. It isn't uncommon to
find a botnet client that has been hacked a half-dozen other times and has had
rootkits installed each time. A large part of sophisticated botnet droppers is
_removing all the previously installed botnets_ on a server where a
vulnerability has been found.

Having _one_ client in common with another attack network is a low or
insignificant figure.

Similar applies to common modules found in other malware. Authors reverse
engineer and re-appropriate techniques or libraries from other successful
malware all the time. That is also not evidence of a link to North Korea.

~~~
xnull2guest
Attribution in cyberwarfare is infamously difficult.

However, there is an age old equation that works fairly well for attribution:
opportunity + motive + evidence. Opportunity in cyberwarfare is a complex item
to tease out and has more to do with opportunity costs than anything else (the
strategy of cyberwarfare demands owning everything immediately rather than
later and the exercise becomes one of triage).

In this instance we _do_ have both a motive and some evidence that point to
North Korea, and it is in line with the sort of theatrical politics NK is
known for. IMHO more evidence and an analysis of opportunity cost are a must
to pin NK down further, but you can be assured that (unless officials have
ulterior geopolitical motives) they have a pretty good idea about the cyber
capabilities and actions of other nation states - more than they are apt to
release to media outlets.

~~~
nikcub
This is my concern - they are starting with a motive and the DPRK and then
working backwards to fit the evidence in.

Everybody seems to have forgotten that this started as a financial ransom
demand and the attackers made no mention of the movie or the DPRK until Sony
and the media did.

I'm not suggesting the DPRK _are not_ involved, but that it is a very big leap
to go from media speculating about motives to the US government formally
accusing them. The details leaked to the NyTimes do not substantiate this
leap.

~~~
marincounty
Plus, would terrorists offer an opt out (for personal information) for rank and
file Sony personnel?

~~~
xnull2guest
Whoa. Terrorists? Which terrorists? What terrorism are you talking about?

~~~
deciplex
Any action that results in rich assholes losing a bit of money or potentially
losing a bit of money falls under the umbrella of terrorism now, or 'economic
terrorism' if you will. So copyright infringement and of course any form of
organized protest fit the bill, along with hacking a Japanese company with
offices in the US.

You can try to fight the total annihilation of meaning in our language, but as
you see here it is a losing battle.

~~~
xnull2guest
Oh my. This is a derailment of the thread but here are some (political) words
off the top of my head having been annihilated recently:

terrorism

socialism

marxism

hero

capitalism

free market

invisible hand

imminent

torture

collect

to brief

espionage

surveillance

privacy

freedom

search

------
ianhawes
TMZ is reporting [1] that studio executives are convinced this was an inside
job based on layoffs at Sony that included IT employees. Before you write them
off, they've broken several big stories this year, and their sources at movie
studios are probably spot on.

If you think about it, it makes perfect sense. The continuous release of
leaked data means the attacker probably had access for a considerable amount
of time to completely download the large number of files. My guess is that
they had escalated their own access during employment and routinely monitored
the communications of executives.

This was most likely the work of someone that had or maintained a blackhat
past. This is someone that most likely had access to a botnet, knew where to
go to buy/download malware (underground forums), and knew how to obscure their
connections (and where to directly connect). And if you think about it,
posting to Pastebin? Definitely a US-thing, and not so much a Chinese thing.

I'm willing to bet this person/people will be caught through old-fashioned
profiling. Cross-checking the terminated IT employees with previous
convictions for computer crimes, their personal emails with known hacker
aliases, and other investigative techniques.

[1] [http://www.tmz.com/2014/12/17/sony-hack-inside-job-north-kor...](http://www.tmz.com/2014/12/17/sony-hack-inside-job-north-korea-investigation/)

~~~
xnull2guest
Why would #GOP demand that 'The Interview' not be shown? To throw off the
scent? Also I'd be interested in your thoughts as to why an ex-employee bent
on revenge would demand a ransom not to engage in the sabotage?

~~~
ianhawes
Why would North Korea demand a ransom and then demand the movie not be shown?

I think it's more to embarrass Sony than anything.

~~~
xnull2guest
I do think that the ransom makes the North Korea explanation less likely,
unless NK reached out to #GOP after they were not given a ransom and offered
to pay?

The other explanation seems to be that #GOP would demand the movie not be
shown to confuse the scent of their real motive (revenge? lulz?) (but this is
also questionable IMO). It also seems unlikely that an ex-employee would use
the same IPs from previous Korean state sponsored attacks, although maybe they
could have bought access to these servers on underground forums? Others are
suggesting that this is entirely invented evidence - I see no good reason to
believe that.

------
mtmail
And they say North Korean hacking is often done from China. And the US tries
actively to infiltrate North Korean computers... Sorry, I don't trust any
source, it's just finger pointing. Wired offers a different perspective of the
same story [http://www.wired.com/2014/12/north-korea-did-not-hack-sony-p...](http://www.wired.com/2014/12/north-korea-did-not-hack-sony-probs/)

~~~
BillFranklin
Silver lining is it's incredible press for The Interview, excellent crisis
management by Sony's PR people. Apart from this Wired article all I've read is
PR and political finger pointing.

~~~
jonnathanson
Incredible press for a movie whose release they just canceled? The movie's
getting a hell of a lot of attention; I'll grant you that. But I don't see how
this helps the movie.

I know a lot of people are speculating that Sony has something up its sleeve,
like a limited-time-only release right after Xmas, or early next year, or a
digital release, etc. I'd consider that an extraordinarily slim to nil outside
possibility. The material leaked in the Sony hack does not exactly give the
impression that these guys are marketing geniuses. Just sayin'. :)

For what it's worth -- not saying you're suggesting this, just that I've now
heard the theory a couple dozen times -- some people are speculating that Sony
engineered this entire fiasco as a publicity stunt for the movie. That sort of
thinking is beyond-the-pale naive. Sony doesn't want to be civilly or
criminally liable for having doxxed thousands of its own employees. Believe
me.

~~~
foobarian
The movie was unlikely to make much money and was risking the other, more
major releases.

I bet they will release it later in the new year with excellent financial
results.

~~~
jonnathanson
They may well attempt to rerelease it, and its notoriety may attract a decent
opening weekend. But notoriety alone won't save a turkey. If it's actually
bad, this incident won't be able to turn around its long-term prospects. If
it's good, that's a different story -- but if it were good, you'd think Sony
wouldn't have pulled support so quickly in the first place.

~~~
BillFranklin
It doesn't matter if it's a good film. That's why you see marketing campaigns
saying 'just try it' - even if the product is crap they still make 1 sale.

The film is getting such incredible hype a huge amount of the profits will be in
the opening night. Check out the Rotten Tomatoes score: critics are divided on
whether it's a good film, but 96% of people want to see it.

If Sony don't release the film _eventually_ internationally, they'll lose
money - but withholding it makes it a scarce commodity, drives hype etc.

What you are now reading about The Interview isn't politics, it's PR crisis
management.

[http://www.rottentomatoes.com/m/the_interview_2014/?search=t...](http://www.rottentomatoes.com/m/the_interview_2014/?search=the%20interview)

~~~
jonnathanson
Sure. But hence my point about opening weekend (trial) vs. what happens after
opening weekend (ongoing business, lifetime earnings). You can drive trial of
a bad product, but it's extremely hard to get people to keep coming back, or
to tell others it's worth seeing. So your bad product + ultra-hype is
basically a recipe for a big opening with extreme decay every day thereafter.
This usually isn't enough to recoup the production, print & advertising costs
of a major movie, especially when you factor in profit-sharing and other cuts
to top-line revenue (Rogen and Goldberg are almost assuredly getting points on
the movie's gross, and it's possible that Franco is, too.)

A general rule of thumb is that a movie studio spends at least as much on
prints and advertising ("P&A") as it does on production costs for the movie
itself. That is to say, if the movie cost $35M to make, Sony sunk another $35M
or more into P&A. So it would need to earn more than $70M to break even (more
than that, because everyone's taking points off the top-line gross, plus
profit-sharing with theaters and distributors, etc.). Is it possible that Sony
could earn that much on this sort of movie, given its notoriety? Maybe, maybe
not. Notoriety alone can rarely get you to $70M. (It's possible, but
unlikely.) To stand a better chance, your movie also needs to be halfway
decent.

Once again, I have no idea if this movie is good or bad. Just saying this for
the sake of explanation.

~~~
BillFranklin
Surely if the movie is bad this
([http://www.bbc.com/news/entertainment-arts-30589472](http://www.bbc.com/news/entertainment-arts-30589472)) is still
an incredibly good launch by world class pr people. If the movie is good then
it's still a good launch and will make money afterwards. The thing about bad
movies is you can _only_ make money on the opening weekend - this marketing
was free (+the original marketing costs already spent and ignoring the lasting
costs of being hacked) so the ROI will be incredibly good. Any film that
caused the president to give a speech about it pre-release is going to do well
on the opening weekend - I still don't think it matters if it turns out it's a
bad film or not, but I can't wait for the data. I guess it will be here?
[https://en.wikipedia.org/wiki/The_Interview_(2014_film)](https://en.wikipedia.org/wiki/The_Interview_\(2014_film\))
And total costs around <$100m (again discounting hack).

This also isn't taking into account the ROI from turning Sony into the victim
in this scenario - not a massive company with a tiny, unsophisticated infosec
team who messed up big time by not investing more in security.

------
grownseed
As mentioned by others, there isn't any solid evidence here. I consider NYT
one of the more reputable news sources out there (the bar is pretty low...),
but this situation reminds me all too well of the following which I half-
jokingly shared with a friend recently:

    
    
      How to be a media outlet in 5 easy steps:
      - do not provide any sources, at all, unless of course you're dogfooding
      - make bold claims based on hearsay, comments from random strangers and uneducated/irrelevant celebrities
      - judge and slander people before any researched verdict has been reached
      - spread lies and make them truths through mob behavior, then support your original lies by pointing to the "public consensus"
      - do not take responsibility for any of your actions, ever, unless it generates money and/or attention
    

The repercussions of these half-assed "investigations" worry me to say the
least.

------
AlyssaRowan
Not to put too fine a point on it, Sony's security practices were so
negligent, _anyone_ could have done it. The tools used were very unimpressive
and easily available.

The evidence linking this to any nation-state at all at the moment is
incredibly weak, bordering on non-existent.

~~~
higherpurpose
Not just "anyone", but there could've been _multiple_ unrelated groups hacking
them at once. Didn't they say there's some evidence of hacking from 2 years
ago? Some of them could've just hacked them and Sony never found out about it.

------
j4pe
I was certain that the story of NK being the actor here was just publicity,
paid for by Sony to promote the film and capitalize on their hacking disaster.
The release cancellation nixed the idea that Sony was behind the threats, but
it still didn't point to NK's culpability. Any lunatic could have bombed any
theater in the country next week and Sony would have been liable.

With these administration comments, is it more likely that NK was actually
responsible? It's still possible that this will turn out to be the overblown
suspicions of somebody unfamiliar with how digital attacks work, published too
quickly because they fit the narrative. We've seen the state of journalistic
fact checking lately, and even if this is the NYT, 'senior administration
officials' isn't a bulletproof source. But it's also possible that we now live
in an era where nations wage proxy digital war against corporations not just
for theft but for ideology.

This would be a strange new state of affairs. I wonder how long before
corporations are fighting back? If, say, Samsung's expected value for
government reconstruction contracts following NK's fall was in the tens of
billions, how difficult would it be for them to cause a couple military
installations, power plants, or leaders' flights to explode and make regime
change more likely?

~~~
josephlord
> Any lunatic could have bombed any theater in the country next week and Sony
> would have been liable.

Source? The bomber would be liable but why would Sony be? (Provided that they
informed at least law enforcement and certainly if they made the details of
the threats public).

~~~
j4pe
I meant that the probability of losing a civil suit, in the event that the
threatened disaster occurred, was high enough to impose heavy cost on showing
the film. Criminal liability would of course fall to the perpetrator.

In retrospect, I was wrong - it was the theater chains who would be exposing
themselves to that risk, so they (very logically) cancelled their showings.
As a result Sony was forced to pull the film's theater release.

------
xnull2guest
This is the new normal. The US government does this, the French do this, the
Chinese do this, Syria does this, North Korea does this... etc.

As with other new frontiers of geopolitical leverage there will be a painful
learning and a growing period for the internet. There's so many ways it could
turn out and I fluctuate between being hopeful and pessimistic and what I will
temporarily think is 'realistic'.

~~~
gizmo686
I must have missed a lot, what are other instances of attacks like this? We are
not talking about espionage or theft, the Sony attack was plain malice. The
only prior examples I can think of are private activists (eg Anonymous) or
major tactical targets (eg nuclear centrifuges).

~~~
xnull2guest
We differ in that I would group this action together with espionage and
sabotage, but if you are looking for other examples of nation state sponsored
'malice' attacks the Syrian Electronic Army's ("state-supported") attack of
Ebay, Paypal, Ferrari, Walmart, media organizations, security companies,
government twitter accounts, and Microsoft (and others) are examples of
attacks that are meant to hurt reputation and cause chaos more than they were
about data or finance.

------
anw
The problem with assuming...

[http://www.wired.com/2014/12/north-korea-did-not-hack-sony-p...](http://www.wired.com/2014/12/north-korea-did-not-hack-sony-probs/)

I find it funny how fast pop-media news jumps on top of a bandwagon without
actual investigation.

Earlier we were being told "North Korea is definitely behind this". Right now
everyone is saying "North Korea is probably not behind this".

Why bother with networks that just regurgitate information from other people?
Don't push a point of view, just lay out actual facts and let the readers come
to their conclusions as more information is made available.

~~~
higherpurpose
It's sad that most of mainstream media considers "getting semi-official
government leaks" as "investigating" now, as if the government could never lie
or anything. When your sources come from Joe Biden's right hand (just an
example), you should be very suspicious.

~~~
anw
I wouldn't even limit it to semi-official government leaks.

For instance, Newt Gingrich said:

> No one should kid themselves. With the Sony collapse America has lost its
> first cyberwar. This is a very very dangerous precedent.[1]

> @RobLowe it wasn't the hackers who won, it was the terrorists and almost
> certainly the North Korean dictatorship, this was an act of war [2]

So now we have uninformed rhetoric coming out from people
who—unfortunately—may have their opinions viewed as credible due to their past
as an elected official. This was a candidate for presidency in 2012.

[1]
[https://twitter.com/newtgingrich/status/545339074975109122](https://twitter.com/newtgingrich/status/545339074975109122)

[2]
[https://twitter.com/newtgingrich/status/545339504803196928](https://twitter.com/newtgingrich/status/545339504803196928)

------
mpyne
There are interesting "free speech" implications to this too. E.g. North Korea
seems to have succeeded in scaring off all the major theater chains from
showing "The Interview" in theaters.

------
jobu
_"Much of North Korea’s hacking is done from China."_

If the hack was indeed state sponsored as this article claims (based on
comments from unnamed intelligence officials), then it seems much more likely
that the hack was done by Chinese hackers than North Korean.

~~~
xienze
Right. I can certainly buy a joint China/NK venture with China providing the
talent and resources, but I can't imagine NK has the ability to pull off any
decent hacks.

~~~
Donzo
Why not? They are a military first nation.

You don't think that they would have a cyberwar unit?

~~~
xienze
Sure, I bet they do have one. But it's probably not nearly as good as they
think it is.

------
jmeekr
The implications of a US response to this hack are limited by how much
evidence the intelligence agencies are willing to provide - it's unlikely that
they would want to divulge the details around their own penetration to North
Korean networks.

------
tokenadult
Amnesty International is fairly well known for encouraging private citizens
like you and like me to write letters to government officials of governments
that hold "prisoners of conscience." I have done this before, and I should do
this more often. When I lived in Taiwan in the early 1980s, under the former
dictatorship there, I actually spoke in public at a speech contest for foreign
students on the occasion of Sun Yat-sen's birthday on how much Taiwan then
didn't live up to the ideals of the 1911 revolution in China as proclaimed by
Sun.

I have got to look up how to join more direct communication to the reclusive
government of north Korea, in my own name, recording my own return address,
and making clear that I will not be pushed around by a regime of thugs. I have
recently been following the suggestion of another Hacker News participant and
have read the three-volume history of the Nazi regime by Richard Evans, the
_Third Reich_ trilogy. Evans notes in various places in his books that even
the Nazis were responsive to international opinion on some issues. In the
early period of the Nazi regime, Hitler used to receive personal letters from
American eugenicists and segregationists who praised the policies of his
regime. I don't want my not saying anything at all to be construed as consent
or as fear of indicating disagreement with a dictator. I will have to openly
and frequently express my disagreement with the world's remaining dictators
until they all fall.

The North Korea Now website

[http://www.northkoreanow.org/take-action-now/get-your-voice-...](http://www.northkoreanow.org/take-action-now/get-your-voice-heard/)

provides advice on how to write letters that may have influence on the regime
there. Sure enough, one part of the advice is to write to China, the country
that does the most to prop up Kim Jong-un's regime. A letter to be broadcast
by Free North Korea Radio

[http://www.northkoreanow.org/now-accepting-letters-from-amer...](http://www.northkoreanow.org/now-accepting-letters-from-america-a-special-program-for-u-s-americans/)

might also help. A Washington Post editorial from October 2014

[http://www.washingtonpost.com/opinions/north-koreas-leaders-...](http://www.washingtonpost.com/opinions/north-koreas-leaders-must-be-held-to-account-for-human-rights-abuses/2014/10/30/7e6026d4-603f-11e4-9f3a-7e28799e0549_story.html)

lists other steps to take to express disagreement with the regime in north
Korea.

~~~
ievans
I found your comment to be very thought-provoking. There's a lot to make fun
of with regards to North Korea (as "The Interview" obviously does) but the
regime's human rights abuses are well-documented and horrifying. I hadn't
considered that there might be something I could do personally, and I
appreciated your historical example of how even the smallest individual
expression is not necessarily completely insignificant. It's certainly
something I hope my ancestors would have done. Brings to mind Tolkien's letter
to a publishing house in Germany:
[http://en.wikipedia.org/wiki/J._R._R._Tolkien#Politics_and_r...](http://en.wikipedia.org/wiki/J._R._R._Tolkien#Politics_and_race)

So I'll write a letter--now seems like an excellent time, honestly.

------
jonah
I've been getting a kick out of North Korea's response: "Nah, we didn't do it,
but whoever did, right on! <thumbsup>"

~~~
MichaelGG
That's a lot of people's response. Sony Pictures does bad things, so while I
have to say "this kinda thing shouldn't be done", at least it happened to a
deserving company.

~~~
jonah
Remember, Sony Pictures is a different entity than Sony Music Entertainment.

~~~
CamperBob2
Sorry, not a valid point. Both entities use the name "Sony" for a reason: the
goodwill associated with it. They have to accept the bad press along with the
good.

------
meritt
Sony should use this opportunity to capitalize on a digital distribution model
since they aren't going to release the film to theaters.

------
jqm
Contrary to many posters, I think it's indeed very likely N. Korea was the
origin of the attack.

Disclaimer: I'm not pro war and generally not pro- US foreign policy. The
events in Iraq were shameful. Our involvement in Libya and the so called Arab
spring was shameful. Our involvement in Ukraine and general treatment of
Russia has been deplorable and painful to watch. I think we should stop saber
rattling at Iran who I believe would join the modern world much more quickly
if they weren't being constantly threatened and undermined by a power that has
done them some serious wrong in the past. The US's seemingly unconditional
support of Israel, Saudi Arabia and the Gulf states is unconscionable in my
estimation.

That being said, I feel differently about North Korea. I believe this country
truly is dangerous and steps should be taken sooner vs. later to dis-empower
it. I am genuinely worried about what might come from there in the
next decade or two if things continue as they are.

Just my opinions.

------
aba_sababa
I really don't buy this. Attribution of anyone is incredibly difficult. It's
easy for the US to officially point fingers and turn it into a geopolitical
play. There is every incentive to do so: it's plausible, the media buys it,
and it buys major points in the Us vs. Them narrative.

~~~
higherpurpose
Get ready for the "we need to pass new cyber-laws to protect you" speeches.
They're coming.

~~~
memonkey
This sends shivers down my spine. We already have net neutrality to worry
about, no doubt the far right will be using this event to fear monger that
kind of legislation.

------
coding4all
A long article with no evidence. Literally, there is no evidence in this
article.

I truly hope people still aren't this naive after an entire decade of this
kind of "journalism".

------
rtpg
The counterpoint to this is presented in [http://www.wired.com/2014/12/north-korea-did-not-hack-sony-p...](http://www.wired.com/2014/12/north-korea-did-not-hack-sony-probs/)

Namely that the attackers don't even mention the movie, but instead seem to be
on an anti-Sony crusade. Mentions of the movie by the "attackers" only seem to
start happening when people started saying it could be NK.

------
barce
The last time a communist country did a hack like this was during the Cold
War. The hackers were coke addicted West Berliners paid off by the KGB to
infiltrate high value and key .mil servers. My guess is that this time it is
no different. Read Stoll's The Cuckoo's Egg and you'll see how very little the
geopolitics of these attacks have changed.

------
mkhalil
If it was possible, I'd place a bet that the NSA knows who's responsible but
likes to sit back and watch chaos unfold between the media and politicians.

------
Shivetya
and North Korea likely has the means to reach out and get the actors too

------
logn
When can we expect legislation mandating that the NSA secure all corporate
networks?

------
addedlovely
And there I was, thinking it was all for the lolz.

------
revelation
This article is glorious. A real goldmine for satire.

 _The sudden urgency inside the administration over the Sony issue came after
a new threat was delivered this week to desktop computers at Sony’s offices
that if “The Interview” was released on Dec. 25, “the world will be full of
fear.” It continued: “Remember the 11th of September 2001. We recommend you to
keep yourself distant from the places at that time.”_

Won't anyone think of .. national security?

