
Cyberwarfare

The Sony Hack Question: If Not North Korea, Then Who?

The prevailing narrative for the recent devastating cyber-attack against entertainment giant Sony sounds like a script: a small country angry about a movie about to be released sends a group of elite hackers to stop the film release. But some experts don’t believe that’s what happened.

Was the attack the work of a disgruntled ex-employee at Sony? Or were the attackers actually from a completely different country? Another plausible explanation is much more economic: attackers demanded a ransom; Sony refused to pay and suffered the consequences. This attack was most likely a “sophisticated ransom threat made for monetary gain,” Jeff Schilling, the CSO of Firehost and a retired U.S. Army colonel, told SecurityWeek.

Ransom attacks, where attackers unleash denial of service attacks or similar threats if the victim doesn’t pay, are on the rise, Schilling said. Ransomware, malware capable of locking up computers and destroying the data if the victim does not pay, is also gaining popularity. When considered against the case of Sony, the ransom was likely significant since the potential damage—to the network and the brand—would be in the “millions of dollars, if not billions,” he said. When Sony refused to pay—because they didn’t believe the threat or underestimated the extent of the damage—the attackers dumped the documents.

The leaked documents and the resulting fallout also have a ripple effect that goes beyond Sony, warned Schilling. The next time a major corporation receives a ransom threat, it is more likely to comply with the demand in order to avoid Sony’s fate.

It’s difficult to attribute an attack just by looking at the tools used, because clever attackers outsource different steps of the cyber kill chain and reuse tools from other sources, Schilling said. Understanding the motives helps identify what the attackers were after, and in this case an economic motive seems more likely than a political one.

“The information released so far doesn’t make the case” for attributing the attack to North Korea, Schilling said. It’s possible the FBI is holding back, as part of its ongoing investigation, evidence that points a definitive finger at the country, since it’s unlikely the U.S. government would make such a statement without proof. However, based on the information currently released and available, Schilling remains skeptical.

“There is not enough evidence to say it [the attackers] is North Korean,” Schilling said.

The Case For “Not North Korea”


Attribution is always a challenge in these cyber-attacks, because much of the evidence—such as the language of the source code and IP addresses used—wind up being circumstantial. Anyone can use IP addresses in other countries, and any cyber-adversary with a modicum of skill knows how to bounce around various IP addresses and to rent compromised servers in other countries to obscure their location. The same goes for time zones.

The language of the source code or compiler is also not very definitive because the malware code could have been purchased or shared among multiple groups. It’s pretty well-documented that cyber-adversaries collaborate and sell tricks and exploits among themselves. “Bad guys share code and are notoriously lazy. They will use whatever it takes to get the job done. As such, code is borrowed from other attackers, purchased in underground markets, etc.,” wrote Andrew Hay, the senior security research lead and evangelist at OpenDNS.

In fact, a sophisticated enough actor can plant these pieces to lead investigators down this path of conjecture to obfuscate who they really are, Schilling said.

It’s also worth noting that the attackers didn’t seem to understand what kind of data they had obtained, and there is evidence they had access to the network long before the movie, Seth Rogen’s The Interview, was even discussed, Schilling said.

“Remember, the hackers didn’t start talking about The Interview until the press did,” Bruce Schneier, CTO of Co3 Systems, wrote on his blog.

Schneier also speculated that the attack could have been the work of North Korean individuals acting on their own and not under orders, but Schilling thought that was unlikely, given the rigid control the dictatorship has over its citizenry.

Another piece of evidence offered for the attack being the work of the North Koreans was the fact that the message used to deface Sony’s website was similar to the messages used against South Korean victims (attacks that were also blamed on North Korea). Robert Graham of Errata Security argues the exact opposite: that the similarities are proof the North Korean government was not involved.

“North Korean hackers are trained as professional, nation state hackers,” and are unlikely to be part of the underground community of attackers sharing tools, techniques, and processes, Graham wrote in a blog post. “North Korea may certainly recruit foreign hackers into their teams, or contract out tasks to foreign groups, but it’s unlikely their own cyber-soldiers would behave in this way,” he said.

In the end, it boils down to the fact that the attackers did not act the way North Korean actors have acted in the past, Schilling said. “At the end of the day, you don’t change your strategy on how you behave during attacks,” he said.
