
The Case for N. Korea’s Role in Sony Hack - ca98am79
http://krebsonsecurity.com/2014/12/the-case-for-n-koreas-role-in-sony-hack/
======
AlyssaRowan
Most of those I've spoken to (and I) think there isn't strong enough evidence
to link it to _anyone_. Many think the FBI have seen evidence we haven't: I
concur, but I don't think that's any more conclusive either, and that they
chose who they wanted to link it to and then cherry-picked evidence to support
that. They've had trouble there.

My own analysis was that this malware is entirely unspectacular and is easily
within the reach of a single, relatively-unskilled, lone VXer or a small
criminal group (which would fit better with the extortion for _money_ that
started this - I've never seen a nation-state do that, but plenty of
criminals). It's built with other people's code. It's kinda lame.

(Edit) In particular: who at McAfee looked at this? The coding style looks
quite _different_ between Shamoon and the Sony Wiper malware to me, which
indicates probably different authors. (Different VXers _could_ be working for
the same people, but that's assuming they're working for anybody at all.) The
only thing in common is a JPEG in a broadly similar retro "90s GeoCities
h4x0r" style and a (publicly-available!) raw disk driver - which many others
have used for many other, including legitimate, purposes.

Of course, that means any nation-state could do it too - maybe that _is_ North
Korea's "cyber-army"'s style - in which case, why is anyone so worried? You
have to do security as bad as _Sony_ to get nailed by that.

It is, of course, worrying in itself that there's an open question about
whether an extortionist attack via malicious software on a huge company has
been conducted by a nation-state, an organised crime group, or a bored
teenager.

~~~
davidw
> Many think the FBI have seen evidence we haven't: I concur, but I don't
> think that's any more conclusive either

Why do you think that about information you aren't privy to?

~~~
happyscrappy
Why do so many commenters desperately wish it to not be North Korea? I don't
understand why it matters. There will be no war, they are already isolated and
are known for strange behavior.

~~~
rmetzler
There were no chemical weapons in Iraq and no babies were killed. There wasn't
any connection with Al Kaida.

The US lied about that and started a war. Why shouldn't they lie about North
Korea?

~~~
kuhhk
There WERE chemical weapons in Iraq as recently reported by the New York Times
[1]. I'm not saying this was justification for war, but informing you of
incorrect facts.

[1] [http://www.nytimes.com/interactive/2014/10/14/world/middleeast/us-casualties-of-iraq-chemical-weapons.html](http://www.nytimes.com/interactive/2014/10/14/world/middleeast/us-casualties-of-iraq-chemical-weapons.html)

~~~
shrikant
You're technically correct in that chemical weapons were found, but the bigger
picture is that these were manufactured before 1991. Also, the US
government itself deliberately suppressed knowledge of these findings because
they made the "active WMD programme" basis for going to war look even more
dubious.

All of this is mentioned in the linked article.

------
jhou2
I might be naive but I still don't see a smoking gun. I realize in these
situations it is hard to dig up unassailable evidence one way or the other.
The author seems to be making the assumption that the only party that would be
interested in intelligence on joint US-South Korea military exercises would be
North Korea. I would imagine that China, Russia and Japan might be interested
as well. Disrupting South Korean banks could just as easily be the work of
Chinese or South Korean hackers, right? I see a correlation, but not
necessarily a causation.

~~~
lern_too_spel
Disagree. If it were Chinese government hackers, the connections to the
control servers would bear a similarity to the Aurora hack. Instead, the ROK
and Sony hacks' control signatures look similar to each other and not to other
known state-backed hacks. Additionally, the Korean locale would make no sense
for a Russian hacker.

There's no smoking gun revealed publicly, but the preponderance of available
evidence points to the DPRK.

~~~
AlyssaRowan
Have you analysed the malware? I didn't think they looked that similar,
internally.

The Korean locale is in the (public) rawdisk driver.

------
swordswinger12
>>>This network was designed to camouflage all communications... using RSA
128-bit encryption

So it used RSA that I can break on my TI-83? Is this a typo?

------
junto
I'm skeptical of NK having done this, so I've been pondering who then did. It
could be a random group that is not affiliated to a nation-state. It could
though be one of the first large false flag cyber operations that we are
witnessing.

We have seen similar non-cyber evidence in order to gain public support for
war, the Iraq Dossier springs to mind. Maybe we are seeing a CIA/NSA
experiment to see how far they can persuade public opinion into the viability
of attacking NK.

If Facebook are able to run 'mood altering' tests on users, I bet the USG are
interested in similar types of online propaganda campaigns and the kind of
success rates that are possible.

Just me going off in left field...

~~~
pdabbadabba
I can't disagree that any of what you say is possible (see also: orbiting
teapots), but what makes your theory, not just possible, but _more likely_
than North Korea's actually being responsible?

------
joshvm
> “North Korea is one of the few countries that doesn’t have a real animal as
> a national animal,” Alperovitch said. “Which, I think, tells you a lot about
> the country itself.”

Like Scotland and the unicorn? Not entirely sure where that one's going.

------
pearjuice
North Korea didn't do it. It is the easiest way out for all parties to blame
the suspect which is the most easy to frame and the most unlikely to detest.
Truth is they don't have a clue who did it and that is more frightening than
the name-calling which is going on right now.

~~~
debacle
I agree very strongly with you. The FBI doesn't want to seem incapable of
solving this (especially considering how many tools they have at their
disposal), and if the DPRK did do it, they would have been much more loud
about it and likely less sophisticated.

The only possibility that I see of DPRK involvement is that they initiated the
hacking through the third party and that third party did a way better job than
they expected.

------
Trudlyez
LOL, most people on twitter don't agree. Twitter is a cesspool of commentards,
the epitome of a peanut gallery.

LOL, just because SPE is chicken, suddenly the whole USA is chicken? Please.

LOL, asking for more evidence and you don't believe NK did it. So, finger a
perpetrator or STFU. With data.

LOL, hysterical children are the loudest screamers on the internet. Most of us
think and use common sense. Try to figure things out.

