Most of those I've spoken to (and I) think there isn't strong enough evidence to link it to anyone. Many think the FBI have seen evidence we haven't: I concur, but I don't think that's any more conclusive either, and that they chose who they wanted to link it to and then cherry-picked evidence to support that. They've had trouble there.
My own analysis was that this malware is entirely unspectacular and is easily within the reach of a single, relatively-unskilled, lone VXer or a small criminal group (which would fit better with the extortion for money that started this - I've never seen a nation-state do that, but plenty of criminals). It's built with other people's code. It's kinda lame.
(Edit) In particular: who at McAfee looked at this? The coding style looks quite different between Shamoon and the Sony Wiper malware to me, which indicates probably different authors. (Different VXers could be working for the same people, but that's assuming they're working for anybody at all.) The only thing in common is a JPEG in a broadly similar retro "90s GeoCities h4x0r" style and a (publicly-available!) raw disk driver - which many others have used for many other, including legitimate, purposes.
Of course, that means any nation-state could do it too - maybe that is North Korea's "cyber-army"'s style - in which case, why is anyone so worried? You have to do security as bad as Sony to get nailed by that.
It is, of course, worrying in itself that there's an open question about whether an extortionist attack via malicious software on a huge company has been conducted by a nation-state, an organised crime group, or a bored teenager.
I'm something of an armchair security analyst and non-trivial Korea watcher, and in my view there's really no question it's NK. It's simply that the standard behavior and thinking of the NK regime is too bizarre to be believable by Western sensibilities, that we dismiss it out of hand.
To start with, film is something of a national treasure in NK. Official documents show KJI as being connected with the production of over 11,000 films. That is almost certainly an exaggeration, but enough of his stuff has leaked that you can take a class on it at a film school, so it's not a 'whole-cloth' invention. NK has taken bizarre steps to secure its film heritage, including organized abduction of actors and directors from foreign countries to bolster the regime's cast list.
Meanwhile, the personality cult is strong, in a way not seen even under Stalin. For example, the whole country stopped and celebrated [0] because a random citizen put out a fire near a portrait of one of the leaders. You'll find Western media outlets speculating that of course what really happened is she thwarted an assassination attempt, because the truth is absurd to Western sensibilities.
These two things combine to form a powerful motive. The last time a film depicted a NK leader, they made serious efforts to have it banned in their allied countries, although they were not at all successful. Meanwhile, successfully hacking a US company is of major propaganda value for the regime. The two targets that they have "hacked"--SK and US--are the ones they complain most loudly about internationally. So launching some kind of attack would be very consistent with their political rhetoric.
Since that time, they've developed a much more sophisticated hacking ring. There was a time when they relaxed some of the normal rules so that you could outsource your software projects to NK software developers, and, from what I understand, some large companies did. That was one of the ways they built skills. While they're pretty incompetent by nation-state standards, they seem to have improved a lot in recent years, and of course they're better-funded and better-organized than any common criminal hacking ring. It would be completely within NK's wheelhouse to devote 10% of GDP to this project even while their people starve.
Meanwhile, of course, Sony has a very poor track record on security--between the rootkits, GeoHot, Linux, etc., I don't know a lot of qualified security researchers who would feel good about working there. This has created a bit of a security vacuum and of course they have been hit by common criminals, several times in the last few years. So it's very believable that hitting them is within NK's reach.
Finally, as far as nation-states having an extortion motive, again that is very much within NK's wheelhouse. They are a poor country and they are engaged in all kinds of bizarre plots to raise money. Notably, they built up a counterfeiting ring for US currency so sophisticated that we ended up redesigning the bills [1]. NK also runs sort of an industrialized Breaking Bad operation, to the extent that a lot of the country is hooked on their own product [2]. Their MO at this point is very definitely to take common criminal operations and scale them up under the cloak of a nation-state to drive revenue. It's not a leap to electronic extortion. They're basically a super-mafia at this point, and this is a new department.
As far as there being no "DNA, smoking-gun" evidence--that's true. But I think the circumstantial identifying evidence, combined with motive, means, and opportunity, is pretty compelling. The communications from GOP are as bizarre and convoluted as anything the NK regime says, and not what you'd expect from a simple criminal enterprise. If it's not NK, it remains to be explained why the hackers went to some lengths to fool real security analysts at an actually first-class nation-state, but did so in such a bizarre and haphazard way as to target an especially weak US company that does not demonstrate any particular skill beyond what others have done before. That level of convolution demands a geopolitical explanation of some type that goes beyond simple extortion, but it's much more elaborate to explain who would want the US angrier at NK than we already are, and how these shadowy figures would benefit.
Finally, as far as the "inside job" theory--it is completely believable to me that NK would be willing to throw a few tens of thousands of dollars in bribes to get inside. They spent much more than that celebrating putting out the poster-fire. So that idea that Sony had angry employees to me actually strengthens the case for an NK-based theory, as it provides a simple and cheap way for them to get inside.
I work as a security analyst (though not a threat researcher for any major firm or anything like that), and I agree with this completely. Starting on day 1, when possible links to NK were mentioned in the media, all of my coworkers dismissed it and I had to convince them that NK's involvement was definitely feasible.
Even if one assumes that the vast majority of their whole cyberwarfare division is unskilled and incompetent, which could very well be true, you only need a core group of 5-10 good people to pull off attacks like these. It's also possible the people they're working with aren't of NK nationality or aren't living there.
Thanks, drewcrawford, meowface, for an interesting alternative perspective; I'm not particularly familiar with DPRK as a country. It is feasible that they could be involved in some way - some of the rhetoric sounds plausibly bizarre enough, but I just don't see much - if any - technical evidence that they actually are.
I think you may be highballing a budget estimate on this particular attack. 5-10 good people could likely pull off something like this at a larger company with relatively competent security, but I reckon this could have been done by one or two moderately unskilled hackers over several months - Sony Pictures' security was just that awful, and the malware's style is remarkably amateurish - it isn't even packed, for heaven's sake.
Here you'll find no 0days, no factored signing keys, no memory-resident non-persistent "CRIT" agents - compare and contrast it with, say, the so-called "DarkHotel" malware (very probably from the Republic of Korea) and it's just night and day.
Literally anyone can afford that kind of budget: impoverished (or otherwise) nation-state; disgruntled employee; random hacker; or any combination thereof. I'd say many readers of this comment could feasibly have done it themselves, if they'd felt so inclined.
If you find that a bit concerning, so do I, because (as I'm sure you're well aware) Sony Pictures is far from the only company in the world with dreadful security practices, and they just make movies. Imagine if it was something actually important.
The God'sApstls "extortion email" is just a poorly translated threat of monetary damage if their request isn't met. They aren't actually asking for money. All subsequent communications are about Sony threatening the peace and about how the hackers are guardians of peace.
The script-kiddie nature of the attack doesn't seem like a good argument against DPRK attribution. Only a select few are even allowed on the internet in that technological backwater, so I wouldn't expect mind-blowing 0-days.
Yes, it's been through a translator a couple times. (What ransom demand hasn't? It's the digital equivalent of cut-up newspapers.)
So, the 'request' was...? Nothing mentions The Interview until after the media did.
Being fair, I am not a geopolitical expert but do admit that if a nation-state were to extort companies for bagfuls of dollar cash money, DPRK (and its awful, cash-only external trade economy?) might be a good fit. But I've never seen it before. I doubt DPRK (or their trade partners) accept bitcoin; and the pickup is the riskiest part of an extortion op.
I doubt that. Sony are not smart, but not that dumb or stupid, to leak some fairly disruptive corporate secrets to the public and their competitors just to promote a crappy Seth Rogen comedy.
(They may however reasonably be trying to make lemons out of lemonade now. What else could they do - try to unleak it? - oh wait, they're trying that too.)
I can't see the answers, but I can reasonably fill in the blanks on what questions they'd have asked.
If they have HUMINT they're risking their source with any public statement of attribution at all: it's obviously not worth burning a source just over making this public.
Useful SIGINT will primarily be historic metadata lookups of contact with relevant proxies - which unfortunately has a huge false positive rate, useful really only for tentatively ruling actors out. Ignore that and you could point the finger at just about anyone.
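The point about proxy-contact metadata being mostly good for ruling actors out is a base-rate effect, and it can be made concrete. The following is an added example, not part of the comment above or of any real analysis: it applies Bayes' rule to a constructed candidate table in which every rate (prior, detection rate, false-positive rate) and every actor name is an assumption chosen only to show the shape of the result.

```python
# Added illustration: a "contact with a relevant proxy" hit is a weak
# positive indicator but a reasonable negative one when the false-positive
# rate is high. All numbers and actor names below are constructed.

def posterior_given_contact(prior, sensitivity, false_positive_rate):
    """P(actor responsible | metadata shows contact with the proxy).

    prior: P(actor responsible) before looking at metadata
    sensitivity: P(contact observed | actor responsible)
    false_positive_rate: P(contact observed | actor not responsible),
        high when the proxy is shared infrastructure many parties touch.
    """
    p_contact = prior * sensitivity + (1 - prior) * false_positive_rate
    return prior * sensitivity / p_contact


def posterior_given_no_contact(prior, sensitivity, false_positive_rate):
    """P(actor responsible | no contact observed)."""
    p_no_contact = prior * (1 - sensitivity) + (1 - prior) * (1 - false_positive_rate)
    return prior * (1 - sensitivity) / p_no_contact


def screen_candidates(candidates, prior, sensitivity, false_positive_rate,
                      rule_out_below=0.05):
    """Map each candidate to 'tentatively ruled out' or 'inconclusive'.

    candidates: dict of actor name -> True/False (contact observed or not).
    An actor is only ever ruled *out* here; a hit never promotes anyone to
    'attributed', because the posterior after a hit stays low when the
    false-positive rate is high.
    """
    verdicts = {}
    for actor, had_contact in candidates.items():
        if had_contact:
            p = posterior_given_contact(prior, sensitivity, false_positive_rate)
        else:
            p = posterior_given_no_contact(prior, sensitivity, false_positive_rate)
        verdicts[actor] = "tentatively ruled out" if p < rule_out_below else "inconclusive"
    return verdicts


# Constructed assumptions: 20% prior per candidate, 90% chance a responsible
# actor shows up in the proxy's metadata, and a 50% chance an unrelated actor
# does too (shared proxy, lots of benign or unrelated traffic).
PRIOR, SENS, FPR = 0.2, 0.9, 0.5

# Constructed candidate table (hypothetical names, not real actors).
CANDIDATES = {"actor_A": True, "actor_B": False, "actor_C": True}

if __name__ == "__main__":
    print("P(responsible | contact)    =", round(posterior_given_contact(PRIOR, SENS, FPR), 3))
    print("P(responsible | no contact) =", round(posterior_given_no_contact(PRIOR, SENS, FPR), 3))
    print(screen_candidates(CANDIDATES, PRIOR, SENS, FPR))
```

With these constructed rates a metadata hit only lifts a candidate from 20% to about 31%, while the absence of a hit drops them to under 5%, which is the asymmetry the comment is describing: the lookup can tentatively clear a candidate, but treating a hit as attribution lets you point at anyone who ever touched the same infrastructure.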
Why do so many commenters desperately wish it to not be North Korea? I don't understand why it matters. There will be no war, they are already isolated and are known for strange behavior.
I think you're misreading skepticism. Most of the world lacks any background or education to be able to look at and analyze the attack, and will accept whatever they're told about the source and nature.
People that run in more technical or security-related fields might be privy to more tools in the analytical toolbox.
It's probably also quite likely that trust in US defense intel is not at an all-time high, exacerbating said skepticism.
Personally I think the FBI is probably correct in their assessment, but I can understand the public's skepticism when you look at the Iraq WMD debacle.
There WERE chemical weapons in Iraq as recently reported by the New York Times [1]. I'm not saying this was justification for war, but informing you of incorrect facts.
You're technically correct in that chemical weapons were found, but the bigger picture is that these were manufactured before 1991. Also, the US government itself deliberately suppressed knowledge of these findings because they made the "active WMD programme" basis for going to war look even more dubious.
I would actually be somewhat happy if it were; at least it'd peg the DPRK's malware capability at "rank amateur", only a threat to actors with extremely negligent security…
…if 'happy' is the right word to use about nation-states of any size sabre-rattling with malware, and I'm not sure that it is! But it's clear whoever did this probably isn't a highly technically competent threat (or, at least, are pretending not to be).
I don't think it was a bored teenager, because they'd have to have access to 100tb of storage, which runs a few thousand dollars. It also seems beyond the capabilities of a single person. A group of bored teenagers, possibly.