The FBI has officially named North Korea as the aggressor behind the Sony Pictures attack.
Despite many members of the information security community now believing that North Korea was not responsible for the attack, an FBI statement concluded that there are three reasons why North Korea is responsible. Among the sceptics is Marc Rogers from Cloudflare, whose blog listed ten reasons why North Korea was not to blame and concluded: “my money is on a disgruntled (possibly ex) employee of Sony”.
Its conclusion is based on the following:
- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. These included similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity that the US Government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
The FBI said: “We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on Sony Pictures reaffirms that cyber threats pose one of the gravest national security dangers to the United States.
“Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a US business and suppress the right of American citizens to express themselves.”
It went on to say that acts of intimidation “fall outside the bounds of acceptable state behaviour and it takes any attempt seriously”.
Ken Westin, security analyst at Tripwire, said that there had been a great deal of “cyber rattling” in response to ongoing speculation of North Korea being connected to the attack.
He said: “Some have called for the US to initiate a ‘strong response’ to North Korea if there is a connection, such as sanctions, a counter-cyber-attack or worse. This type of talk is concerning, due to the lack of knowledge related to attack attribution by those clamouring for retaliation.
“Although I still believe it is unlikely North Korea is behind the attack directly, it could likely be a group who are sympathisers of the hermit kingdom. Another possibility is that of a false flag. The fact that parts of the malware had Korean language settings, and possibly connected to an IP in North Korea (as well as several other countries) would be an amateurish mistake for an APT level attack. However, if the artifacts pointing to North Korea were implemented on purpose, it could be a sign of sophistication in an attempt to divert attention from the real attackers.”
Gavin Millard, EMEA technical director for Tenable Network Security, said: “The size and scale of the Sony hack is unprecedented, but unfortunately not unexpected. Many organisations have been fighting to control their ever-expanding attack surface and holes can be easily missed.
“With overburdened security teams trying to close down many avenues of entry, and hackers only needing one flaw to expand their reach, the probability of an attack of this nature occurring will always be high, especially if an attacker is motivated.”