
“No, North Korea Didn’t Hack Sony” - dnetesn
http://www.thedailybeast.com/articles/2014/12/24/no-north-korea-didn-t-hack-sony.html
======
cyphunk
The most damning argument is, as mentioned in the article, that the NK+The
Interview conclusion was not mentioned by the attackers until the media
started speculating.

That those responsible for investigation have not looked at the relation to
the embarrassing attack on the Playstation network from years ago, that also
resulted in droves of user and likely employee data that could be utilized for
future attacks, is astounding.

This isn't 2002 where the US Gov can make a claim on hidden evidence and have
people believe them, be they the world or its own people. Either put up or
shut up.

~~~
Svip
But the attackers did confuse a lot of people when they threatened with
'9/11-style attacks' should any cinema show the movie in question. So either
someone else is speaking on their behalf, or they are at least partially
sympathetic to the North Korean regime.

Edit: Or perhaps - as the article speculates - they were simply using the
opportunity to threaten threats they couldn't live up to, but it wouldn't have
mattered as their identity remains anonymous and whether or not Sony caved
would be irrelevant to the argument on whether to make the threat.

~~~
cyphunk
I agree the logic of the threats makes no sense. There are very few state
actors that are this detached from objective and logic. In fact it feels like
the work of a troll, aka Anonymous or a reincarnated LulzSec. The same people
responsible for the last Sony hack, some of whom might still be sitting on the
data trove from that attack. Then again, N.K. could claim to be the original
troll.

------
discardorama
Exactly. But NK is a convenient bogeyman for the _real_ aim: CISPA:

[http://www.zdnet.com/article/white-house-wants-congress-to-revisit-controversial-cispa-style-cybersecurity-laws-after-sony-attack/](http://www.zdnet.com/article/white-house-wants-congress-to-revisit-controversial-cispa-style-cybersecurity-laws-after-sony-attack/)

~~~
xnull2guest
Interesting. Do you have more than this article to go on? (I found its
connection tenuous, but it could be just this report.) Has the White House
nudged CISPA specifically? What's quoted in this article is sort of a blanket
"partnership with private sector" statement.

The problem is that there are tons of different ways that national and
military partnership expresses itself, and especially in the case of cyber
partnership. For example, here's a quote from Richard A. Clarke, previous
National Coordinator for Security, Infrastructure Protection, and
Counter-terrorism for the United States, on the private sector and cybersecurity:
"There are certain circumstances under which private sector companies may be
legally targeted by national militaries both in kinetic and cyber conflict.
Under the law of armed conflict and the principle of distinction, civilian
infrastructure is generally considered to be separate from military objects,
with military installations always targetable during international conflict
and civilian infrastructure off limits from direct attack. However, even in
the physical realm, there is often ambiguity about what constitutes civilian
infrastructure...

Without extensive private sector involvement, governments would not be able to
devise international cyber norms that would work or be accepted. Beyond the
need for their expertise, private sector cyber corporations also have equities
in the conduct of governments in cyberspace. Private actors must participate
in the development of international norms related to cyber war if for no other
reason than they are potential targets for attack."

------
saretired
I remain agnostic and can't think of a basis for arguing one side to the
exclusion of the other. On the one hand, it's not unthinkable that NK had a
mole at Sony, or that the attack succeeded beyond expectation owing to Sony's
abysmal security practices, using vectors that have supposedly been known to
black hats for a while. And of course it's possible that the U.S. has hard
evidence that can't be revealed. On the other hand, there's the "trust me"
problem with the US Govt, the constant push for a free hand from the agencies
(and the contractors who supply them and the politicians who enjoy their
campaign contributions), and the embarrassment to a Hollywood that
overwhelmingly supports the President and his party. Finally, there's the
curious statement by Obama last Sunday that this isn't "an act of war," but
rather "an act of cyber vandalism" -- an odd way to characterize actions by a
hostile state if he knows that to be the case.

------
patcheudor
"Taking a look at these addresses we find that all but one of them are public
proxies."

I think this is a very key point for another reason. If this was perpetrated
by North Korea, why would they use an anonymizing proxy in the first place?
What would be the point? Have we ever known North Korea to not crave media
attention? If they were behind the attack wouldn't they want the world to
know? If it was North Korea then why are they suddenly trying to stay out of a
spotlight they've never avoided before? Retribution? Doubtful.

~~~
tsotha
>I think this is a very key point for another reason. If this was perpetrated
by North Korea, why would they use an anonymizing proxy in the first place?
What would be the point? Have we ever known North Korea to not crave media
attention?

Yes. When they do something provocative they try to maintain plausible
deniability, because otherwise the target of the provocation would have to
_do_ something. The best example is the sinking of the _Cheonan_. Everyone
knew it was the Norks, but they played coy because otherwise South Korea would
have been forced to respond. Probably by sinking the North Korean navy.

Also, if the cyber attack was DPRK, it was likely carried out by the unit that
does espionage, and for a unit like that proxies are just standard procedure.

All that said, I'm skeptical that it actually was North Korea. They do have
this kind of capability, but they tend to use it for more concrete gains, like
uncovering spies and stealing technology. A big in-your-face attack on a
company like this is out of character for a regime that wants to retain its
cyberwar capability for clandestine uses.

------
azakai
> It is this piece of evidence—freely available to anyone with an enquiring
> mind and a modicum of cyber security experience—which I believe that the FBI
> is so cryptically referring to when they talk about “additional evidence”
> they can’t reveal without compromising “national security”.

The evidence mentioned here is the addresses of the Command and Control
servers. But the author does not give any reason for why he or she thinks
_this_ is the thing the FBI is being cryptic about.

First of all, there might be several things to be cryptic about. Second, the
article gives nothing that I can see to connect that bit of information to
being something that FBI would hold back on. Third, the author just revealed
it, so if it _were_ what the FBI was keeping secret, that seems silly.

Did I miss something?

~~~
jhou2
I believe it's implied that the FBI can trace past the proxy servers (not much
of a stretch). Naturally, the FBI does not want to give up information on how
it does that to avoid cybercriminals counteracting that method of tracing.
Just a guess.

~~~
peterwwillis
The FBI doesn't have any special ability to trace connections, especially not
outside the US. The NSA might, but it's questionable that they would tip their
hand and release classified covert intel just because one company got hacked.
China has been hacking our corporations for over a decade but you never hear
this much about it in the press.

Edit: then again, China doesn't threaten to bomb our theaters. Could be NK
just goofed. But the whole thing is too ridiculous to be plausible.

~~~
uxp
> But the whole thing is too ridiculous to be plausible.

This is my take as well. State sponsored attacks, or at least the attacks that
have allegedly been state sponsored up until now, have been quiet little
things that go on for months or years so far under the radar that they only
get revealed months afterwards by accident. They aren't filled with green-on-
black text and pixelated skeleton images. Something just doesn't feel right
about blaming North Korea for this. Maybe it came from the DPRK, but if so it
had about as much to do with them as 9/11 did with the Saudis.

Does anyone also feel that the media is the only one that really linked the
DPRK to this? I don't recall hearing about North Korea until after the
"whodunnit" questions started coming out and speculation between the DPRK's
denouncement months ago about The Interview and the very weak correlation
between Chinese IPs being frequently involved in attacks and the DPRK's
relationship with China, and the recycled malware that has some loose ties to
Korea were thrown in a pot and mixed together. Once that started rolling, it
seemed that the hackers started playing the Korean card, more for lulz than
anything tangible. And now, long after the media has shifted from Poor Sony to
Damned Korea (with even the President stepping in with his opinions), we've
really heard very little from the attackers. It honestly feels like a bunch of
guys in a basement collectively said to themselves "Oh shit, the President of
the United States is talking about shit I did, time to cool off". From what
I've read about the abysmal security at SPE, it wouldn't be surprising in the
least that it didn't take a state sponsored group to do as much damage as they
did. Blaming the DPRK only helps Sony sound less like a failure.

The only facts I can be sure of are that Sony did everything wrong in response.
Every CIO should learn from this as what _not_ to do when hacked.

------
tessierashpool
Obama signed five new cybersecurity bills into law on the 18th. The FBI
announcement was Dec 19th.

------
sroerick
I have been looking for close to a week for Infosec professionals who believe
DPRK was responsible for attacks.

So far I have found two.

One is @daveaitel, who sells security solutions to governments.

The other is @thegrugq, who believes that everything we've heard from FBI is a
lie, and the NSA simply told them who it was.

Neither is particularly convincing. Does anyone know of any others?

~~~
korethr
Does Brian Krebs count? [http://krebsonsecurity.com/2014/12/the-case-for-n-koreas-role-in-sony-hack/](http://krebsonsecurity.com/2014/12/the-case-for-n-koreas-role-in-sony-hack/)

~~~
tessierashpool
Krebs absolutely counts, but if Krebs says yes and Schneier says no, which he
did, then it's a very open question.

------
chatmasta
Is it possible the FBI/NSA/XXX agency is suppressing evidence in order to
protect an informant?

Example scenario: US intel has agent or informant in NK, working high in cyber
command. That person shows US intel code used to hack sony, and/or simply
tells them that yes, NK did it. Consequently, FBI is confident NK did it, but
cannot reveal reason for confidence without jeopardizing safety of informant.

~~~
rifung
Yes, it is, and this point is actually addressed in the article. The problem
is that it's grown more and more difficult to just allow the government to
hide behind the veil of confidentiality when they've shown they abuse this
power.

------
billions
North Korea does not have the sophistication to carry out this attack.
[https://www.youtube.com/watch?v=5hUegMTSh0U#t=59](https://www.youtube.com/watch?v=5hUegMTSh0U#t=59)

~~~
DanBC
NK has nukes. NK sends its elite citizens to western universities. NK has its
own Linux distro.

Most of NK would have no clue how to perform this hack - but you could say the
same of America. Give a computer to an illiterate Appalachian and see how far
they get. NK will carefully train some elites. Those people will have access
to the wider Internet and will have the knowledge to pull off this relatively
simple hack.

That's not to say that NK actually did it - just that saying NK is
unsophisticated and thus couldn't have done it misses the point.

~~~
billions
The Linux distro is probably unpatched to every Linux vulnerability discovered
in the last 10 years - easy to get a shell and start an attack.

You assume NK people think like Americans. Every scientist is working out of
fear and therefore is doing the minimal amount possible to not be scolded. I
lived in a communist country, and the same way the economy was in the hole, so
was scientific advancement. A good analogy is Cuba - they have one of the most
rigorous schools for becoming a doctor, but they wouldn't know how to operate
an MRI since none exist in the country. An NK citizen may have taken a security
class at a university, but may not have the talent, like a logical anarchist,
required to become a great hacker. The number of skilled, motivated hackers
outside NK is greater than those inside. Look at the video - how do you find the
10x programmer in that computer lab?

NK's way of keeping 24M people from protesting is by controlling INFORMATION.
To have a hacker untraceable and talented enough to enter SONY, they must be
read on the latest trends. This same hacker, if informed, would be smart
enough to google his way out of the horrible living conditions in NK. The nuke
scientists copied 1950's tech.

To me this sounds like the WMD's of the early 2000's. If NK doesn't have any
credibility they will be easily blamed for political leverage with no
evidence.

I welcome the FBI to open source the malware, traffic and trace logs for
community analysis.

Come back and read this comment when hackers acquire this data themselves and
provide technical proof of NK NOT being at fault.

~~~
lotsofmangos
_A good analogy is Cuba - they have one of the most rigorous schools for
becoming a doctor, but they wouldn't know how to operate an MRI since none
exist in the country._

A report here from 2006 says otherwise:

_Cuba spends ∼16% of its GNP directly on the health system, roughly $320 per
year per person. As would be expected, tertiary medical facilities lack both
the amenities and the technology found in industrialized countries. A recent
modernization campaign, however, has brought interventional cardiology and
MRI, for example, to the 48 referral hospitals and ultrasound and endoscopy to
polyclinics._

[http://ije.oxfordjournals.org/content/35/4/817.full](http://ije.oxfordjournals.org/content/35/4/817.full)