Recent reports alleging that the National Security Agency has infiltrated North Korean networks and collected evidence connecting the country’s leadership with the attack on Sony Pictures Entertainment should have settled the question of who was responsible for the brazen breach of the Hollywood studio’s data assets.
Yet, doubts persist.
On Jan. 17, German news magazine Der Spiegel published more NSA documents from the archive of data leaked by former contractor Edward Snowden, including a classified brief that described some of the NSA’s efforts in infiltrating North Korea’s networks. The next day, The New York Times reported that information from the NSA was the key factor in attributing the attack on Sony Pictures to North Korea.
Despite the conclusion that United States intelligence likely has evidence connecting North Korea to the operation, security researchers continue to point to inconsistencies in the explanation for the attack.
“The pieces don’t add up,” said Tal Klein, vice president of strategy for Internet-security firm Adallom. “I cannot dispute the fact that the NSA hacked the North Koreans, because that is the ultimate trump card—there’s empirical evidence that I will never be able to see. But the attack does not fit the mold of a nation-state attack, but of a revenge-oriented attack.”
In late November, cyber-attackers stole terabytes of information—including e-mail messages and pre-release movies—from Sony Pictures, posting much of the information online. Investigators have concluded that the attackers had infiltrated Sony Pictures’ network in September using stolen credentials belonging to a network administrator. The attack will likely cost Sony Pictures hundreds of millions of dollars in lost intellectual property and reputation damage.
The U.S. government’s reaction has been to invoke sanctions against 10 North Korean nationals.
Hacking groups have focused on Sony in the past. In April 2011, Anonymous-affiliated hackers took down Sony’s PlayStation Network for nearly a week and stole the credentials of nearly 77 million PSN users. During Christmas, another group of Internet malcontents, known as Lizard Squad, caused disruptions at both Sony’s and Microsoft’s gaming networks.
The breach of Sony Pictures resembled those attacks. Ransom demands did not initially mention the coming release of The Interview, a movie about an implausible Central Intelligence Agency assassination plot against North Korea’s dictator Kim Jong-un. In addition, a linguistic analysis of the English used by the attackers suggested that native Russian, not Korean, speakers were more likely the source of the writings.
Security researcher and blogger Robert Graham points out the inherent paradox in the reports that the NSA’s spying revealed that North Korea was the source of the attack.
“If this were true, then we hacked first, and the Sony hack is retaliation–meaning we had no justification for Obama’s sanctions,” he wrote in a Jan. 20 blog post. “But, if the story is false, then again sanctions against North Korea aren’t justified, because we don’t have the proof our government claims. True or false, this story means the U.S. sanctions against North Korea aren’t justified.”
Graham notes that The New York Times story uses anonymous sources in the same way that the paper used anonymous sources to make a case that weapons of mass destruction (WMDs) were present in Iraq leading up to the U.S. invasion of that country. Those reports were later proved false.
There is another facet to this story as well: While the report that the NSA has focused cyber-operations on North Korea’s estimated 6,000 hackers for more than a decade may be true, the fact remains that the NSA either missed signs of a significant attack or failed to warn Sony about the impending assault.