Thursday, July 13, 2017

North Korea didn't hack Sony in 2014. Blaming a nation state in such a case requires evidence solid enough to be admissible and effective in a court of law. The evidence is nowhere near that, despite FBI and Obama administration claims (Daily Beast, 12/24/2014; LA Times, 12/30/2014). (Blaming foreign governments is where the big money in cybersecurity is today. If you don't like that, you make no money. -Carr)

“The only things that pay in the cybersecurity world are claims of attribution,” Mr. Carr said. “Which foreign government attacked you? If you are critical of the attack, you make zero money. CrowdStrike is the poster child for companies that operate like this.” 7/5/2017
12/24/2014, "No, North Korea Didn’t Hack Sony," Daily Beast, Marc Rogers

"The FBI and the President may claim that the Hermit Kingdom is to blame for the most high-profile network breach in forever. But almost all signs point in another direction."
"So, “The Interview” is to be released after all.

The news that the satirical movie—which revolves around a plot to murder Kim Jong-Un—will have a Christmas Day release as planned, will prompt renewed scrutiny of whether, as the US authorities have officially claimed, the cyber attack on Sony really was the work of an elite group of North Korean government hackers.

All the evidence leads me to believe that the great Sony Pictures hack of 2014 is far more likely to be the work of one disgruntled employee facing a pink slip.

I may be biased, but, as the director of security operations for DEF CON, the world’s largest hacker conference, and the principal security researcher for the world's leading mobile security company, Cloudflare, I think I am worth hearing out.

The FBI was very clear in its press release about who it believed was responsible for the attack: “The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” they said in their December 19 statement, before adding, “the need to protect sensitive sources and methods precludes us from sharing all of this information”.

With that disclaimer in mind, let’s look at the evidence that the FBI are able to tell us about.

The first piece of evidence described in the FBI bulletin refers to the malware found while examining the Sony Pictures network after the hack.

“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

So, malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other attacks attributed to North Korea.

This may be the case—but it is not remotely plausible evidence that this attack was therefore orchestrated by North Korea.

The FBI is likely referring to two pieces of malware in particular, Shamoon, which targeted companies in the oil and energy sectors and was discovered in August 2012, and DarkSeoul, which on June 25, 2013, hit South Korea (it was the 63rd anniversary of the start of the Korean War).

Even if these prior attacks were co-ordinated by North Korea—and plenty of security experts including me doubt that—the fact that the same piece of malware appeared in the Sony hack is far from being convincing evidence that the same hackers were responsible. The source code for the original “Shamoon” malware is widely known to have leaked. Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator. Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain “crimeware” kits have been using this model for years.

So the first bit of evidence is weak.

But the second bit of evidence given by the FBI is even more flimsy:
“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

What they are saying is that the Internet addresses found after the Sony Pictures attack are “known” addresses that had previously been used by North Korea in other cyberattacks.

To cyber security experts, the naivety of this statement beggars belief. Note to the FBI: Just because a system with a particular IP address was used for cybercrime doesn’t mean that from now on every time you see that IP address you can link it to cybercrime. Plus, while sometimes IPs can be “permanent”, at other times IPs last just a few seconds.

It isn’t the IP address that the FBI should be paying attention to. Rather it’s the server or service that’s behind it.

As with much of this investigation our information is somewhat limited. The FBI haven’t released all the evidence, so we have to go by what information is available publicly. Perhaps the most interesting and indeed relevant of this is the C2 (or Command and Control) addresses found in the malware. These addresses were used by whoever carried out the attack to control the malware and can be found in the malware code itself. They are: 


Taking a look at these addresses we find that all but one of them are public proxies. Furthermore, checking online IP reputation services reveals that they have been used by malware operators in the past. This isn’t in the least bit surprising: in order to avoid attribution cybercriminals routinely use things like proxies to conceal their connections. No sign of any North Koreans, just lots of common, or garden, internet cybercriminals.

It is this piece of evidence—freely available to anyone with an enquiring mind and a modicum of cyber security experience—which I believe the FBI is so cryptically referring to when they talk about “additional evidence” they can’t reveal without compromising “national security”.

Essentially, we are being left in a position where we are expected to just take agency promises at face value. In the current climate, that is a big ask.

If we turn the debate around, and look at some evidence that the North Koreans might NOT be behind the Sony hack, the picture looks significantly clearer.

1. First of all, there is the fact that the attackers only brought up the anti-North Korean bias of “The Interview” after the media did—the film was never mentioned by the hackers right at the start of their campaign. In fact, it was only after a few people started speculating in the media that this and the communication from North Korea “might be linked” that suddenly it did get linked. My view is that the attackers saw this as an opportunity for “lulz”, and a way to misdirect everyone. (And wouldn’t you know it? The hackers are now saying it’s okay for Sony to release the movie, after all.) If everyone believes it’s a nation state, then the criminal investigation will likely die. It’s the perfect smokescreen.

2. The hackers dumped the data. Would a state with a keen understanding of the power of propaganda be so willing to just throw away such a trove of information? The mass dump suggests that whoever did this, their primary motivation was to embarrass Sony Pictures. They wanted to humiliate the company, pure and simple.

3. Blaming North Korea offers an easy way out for the many, many people who allowed this debacle to happen; from Sony Pictures management through to the security team that were defending Sony Pictures’ network.

4. You don’t need to be a conspiracy theorist to see that blaming North Korea is quite convenient for the FBI and the current U.S. [Obama] administration. It’s the perfect excuse to push through whatever new, strong, cyber-laws they feel are appropriate, safe in the knowledge that an outraged public is fairly likely to support them.

5. Hard-coded paths and passwords in the malware make it clear that whoever wrote the code had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s (just) plausible that a North Korean elite cyber unit could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of a pissed-off insider. Combine that with the details of several layoffs that Sony was planning and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all. 

I am no fan of the North Korean regime. However I believe that calling out a foreign nation over a cybercrime of this magnitude should never have been undertaken on such weak evidence.

The evidence used to attribute a nation state in such a case should be solid enough that it would be both admissible and effective in a court of law. As it stands, I do not believe we are anywhere close to meeting that standard."


Second source, LA Times, 12/30/2014: 

12/30/2014, "Sony insider--not North Korea--likely involved in hack, experts say," LA Times, and

"Federal authorities insist that the North Korean government is behind the cyberattack on Sony Pictures Entertainment.

Cybersecurity experts? Many are not convinced.

From the time the hack became public Nov. 24, many of these experts have voiced their suspicions that a disgruntled Sony Pictures insider was involved.

Respected voices in the online security and anti-hacking community say the evidence presented publicly by the FBI is not enough to draw firm conclusions.

They argue that the connections between the Sony hack and the North Korean government amount to circumstantial evidence. Further, they say the level of the breach indicates an intimate knowledge of Sony's computer systems that could have come from someone on the inside.

This week, prominent San Mateo, Calif., cybersecurity firm Norse Corp.--whose clients include government agencies, financial institutions and technology companies--briefed law enforcement officials on evidence it collected that pointed toward an inside job.

"We can't find any indication that North Korea either ordered, masterminded or funded this attack," Kurt Stammberger, a senior vice president at Norse, said in an interview with The Times. Although conceding that his findings were not conclusive, Stammberger added: "Nobody has been able to find a credible connection to the North Korean government." 

Stammberger said a team of nine analysts dug through data including Norse's worldwide network of millions of Web sensors, internal Sony documents and underground hacker chat rooms. Leads suggesting North Korea as the culprit turned out to be red herrings and dead ends, he said.

Moreover, names of company servers and passwords were programmed into the malware that infiltrated the studio's network, suggesting hackers had inside knowledge of the studio's systems, Stammberger said.

Instead, the data pointed to a former employee who may have collaborated with outside hackers. The employee, who left the studio in a May restructuring, had the qualifications and access necessary to carry out the crime, according to Stammberger.

The FBI, which first accused North Korea on Dec. 19, has stood by its conclusion, saying in a statement there is "no credible information to indicate that any other individual is responsible for this cyber incident."

Sony Pictures declined to comment.

President Obama this month said North Korea was behind the Sony attack and pledged a "proportional" response. North Korea's Internet suffered outages in the days following the announcement.

The U.S. hasn't taken responsibility for the outages, but North Korea has blamed Obama.

Federal investigators have cited several findings to support their conclusion.

Analysis of the malware used in the attack revealed links to destructive software previously used by those working on behalf of the rogue state, and the FBI found "significant overlap" with the cyberactivity previously linked to North Korea. Additionally, the tools used against Sony bore similarities to those used in an attack carried out by North Korea against South Korean banks and media outlets last year, the agency said.

But analysts said attribution in cyberattacks is difficult, and hackers are skilled in obfuscation and misdirection to avoid getting caught. 

Also, software-wiping technology used by the so-called Guardians of Peace group against Sony is widely available to hackers and can be easily purchased. Many were surprised that the FBI made its announcement so quickly.

"You don't want to jump to conclusions in a cyberattack," said Rob Sloan, head of cybercontent and data at Dow Jones. 

"Attributing attacks is really a non-scientific art."

Then there's the question of "The Interview." The Sony comedy thought to be at the center of the attack depicts a fictional assassination attempt on Kim Jong Un, the leader of North Korea.

Although North Korea has denied involvement in the attack, it condemned the movie as an "act of war" as early as June.

Sony halted its planned Christmas Day wide release of "The Interview" after the majority of theater owners opted against showing it in the face of threats of physical violence from hackers.

The studio later allowed it to screen in more than 300 independent theaters and released it online for rental and purchase.

But analysts said the connection to "The Interview" is tenuous. The hackers didn't begin to mention the Seth Rogen-James Franco farce in their public messages until media outlets had already reported that the movie was the catalyst for the attack, said Ralph Echemendia, chief executive of the Los Angeles-based digital security consulting firm Red-e Digital.

Echemendia said Guardians of Peace may have latched onto the notion of "The Interview" as their motivation after attempts to use the stolen data for ransom failed.

"If a hacker group can't figure out how to monetize data, they sit on it and sit on it, and then it becomes trolling," he said, referring to the practice of provocative online activity. "This is probably the biggest troll I've ever seen. Their attitude became 'Let's have some fun with this.'"

One cybersecurity firm using linguistic analysis of the hackers' messages even suggested that the attackers were Russian rather than Korean.

Shlomo Argamon, chief scientist at Seattle cybersecurity consulting firm Taia Global, said he and other researchers examined 20 phrases "that are not normally used in English and conducted word-for-word translations" in Korean, Mandarin Chinese, Russian and German. Of the 20 phrases, 15 matched Russian phrases, and nine matched Korean phrases.

"I don't think we have a clear picture, but there's certainly reason to doubt the total attribution of this to North Korea," Argamon said.

The FBI said it could not provide additional information on the case, but said its attribution to North Korea is "based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector."

Even skeptics who doubt the attack was state-sponsored said the FBI may have more convincing evidence that it has chosen to keep secret.

"Being in the intelligence community, I trust the FBI has some information that I do not have," said Tom Chapman, a former U.S. Navy intelligence officer and director of the cyberoperations group at Edgewave."
