Security experts: FBI report light on evidence linking North Korea to Sony hack

The FBI statement that linked the Sony hack to North Korea relied on previously released and inconclusive evidence, said many cybersecurity insiders.

Even after the Federal Bureau of Investigation's official statement that North Korea was behind the Sony attack, many cybersecurity experts are still skeptical the hermit nation is truly the culprit, citing a lack of new and more convincing evidence. 

“It’s mostly a repeat of information that has been in the public before,” Rob Graham, chief executive officer of research firm Errata Security, said of the FBI's statement issued Friday. 

Many prominent names in the field, Graham and others, took to Twitter to express their concern. "I'm completely underwhelmed by the FBI's 'proof' attributing Sony attack to North Korea," Graham tweeted from his @ErrataRob account.  

The FBI points to three key factors that "in part" lead to its conclusion — and all three had already been disclosed to the public by Simon Choi, a virus researcher from Seoul's Hauri Inc.

The statement mentions the similarities between deletion malware used in the Sony hack to deletion malware previously by North Korean hackers; it refers to tools used in the Sony attack that were similar to ones deployed in a North Korean attack on South Korean media and banks; and the agency pointed out that infrastructure hardcoded into the malware (including IP addresses) matched infrastructure identified as North Korean in the past.

Even with this information, many in the cybersecurity industry see these links as tenuous at best. All of the technical watermarks can and frequently be falsified or mimicked by hackers. 

“We know that hackers share malware on forums. Every hacker in the world has all the source code available,” says Mr. Graham.

“I think you have to go back to the original ransom note,” says Graham Cluley, a former antivirus software programmer and security consultant who currently writes about the industry for grahamcluley.com, a security blog.

“It didn’t ask for 'The Interview' to not be released, it asked for money," he says. "In Dark Seoul, there were no demands. They just wiped everything. We’re not even entirely sure that North Korea did that attack. We think they did, but it hasn’t been proven.”

Mr. Cluley told Passcode on Thursday that he was skeptical of then-anonymous reports of government agencies identifying North Korea as culprit. The FBI report has done nothing to change his mind.

Cluley says that investigations into data breaches are nearly impossible to conduct from a digital perspective without (at minimum) investigating the computer used to perpetrate the crime, and are rarely done in the type of timeframe that the FBI has blamed North Korea for Sony. 

The lack of convincing detail in the report would imply the accusation must be based on “human or signals” intelligence, says Rick Holland, principal analyst serving security and risk professionals at Forrester Research. Basing the accusations on the detail released to the public would be rash, he says.

The NSA has a long history of monitoring hackers to copy their tactics, says Mr. Holland, "There’s no reason to assume anyone considering an attack wouldn’t do the same thing." 

Ideally, says Holland, the government would release more information to back up its claims. But he isn’t holding his breath for more detailed technical information coming out of the government.

“The United States has a long history of declassifying imaging data to justify an accusation — we did that, for example, to show Russian tanks had crossed into the Russian border. But for this, there’s no equivalent of a photo of Russian tanks. With digital investigations, there’s nothing quite as definitive.”

Graham, of Errata Security, who would like to the code used by the hackers released, takes a more cynical view. “They’re worried we’ll prove them wrong," he says.

The FBI report is not without believers. Thomas Rid of Kings College London and Richard Bejtlich of FireEye immediately tweeted each other the evidence was "as good as it gets" -- when Rid's recent research partner and co-author of the well-read "OMGCyber" paper, Robert M. Lee, interrupted.

Lee, an Air Force cyber operations tweeted, "[A] lot of what is attributed is based on their previous knowledge of infrastructure. How do we know its good?"