Mario Anzuoni / Reuters
Cybersecurity experts looking at the FBI’s explanation for why North Korea was behind the Sony hack say the logic keeps coming up short, as they increasingly question whether someone else could be behind one of the worst hacks in U.S. history.
These experts have called into question the timeline of the attack, aspects of the language used, and the capacity of North Korea’s internet bandwidth. Some say the FBI was too quick to point the finger without looking beyond the most obvious clues in the malware.
“For hackers that’s just brilliant. By blaming North Korea, the hackers have a carte blanche really,” said Jeffrey Carr, founder and CEO of Taia Global, a Seattle-based company that provides cybersecurity consultations to government agencies and private companies. “I’m not aware of this ever being done before. They’ve successfully ripped apart a multinational corporation. They successfully got them to shut down a movie. And to top that off they’ve convinced the FBI and NSA that the North Korean government is responsible. If I was them, I’d be popping Cristal.”
The proof pointing to North Korea’s culpability in the attack was summarized by the FBI in a statement issued last week:
Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
Many leading cybersecurity experts have now challenged that statement, questioning everything from the code in the malware that was used to the IP evidence and the capabilities of North Korean infrastructure.
The FBI spotted similarities between the malware used in the Sony hack and similar code used in an attack on South Korea last year. Nimrod Kozlovski, a partner in JVP Labs, one of Israel’s leading venture capital firms investing in cybersecurity companies, said he found that argument “hardly conclusive.” Often, after an attack, code gets posted online and shared in hacker forums, where it is used and reused.
“It can be easily cut and pasted from one place to another,” Kozlovski said. “Any hacker could do that.”
As for the IP evidence mentioned by the FBI, Carr of Taia Global told BuzzFeed News that the “conventional wisdom is that North Korea’s internet is a closed environment, so anything tracked to North Korea must be from them. But that is incorrect; there are plenty of ways to get access to North Korea’s internet and launch attacks which appear to be from there.”
In a blog post this weekend, Carr looked at several companies tasked with providing internet services to North Korea and zeroed in on Loxley Pacific, a Thai company that runs a joint venture with the North Korean government to provide fixed telephone lines, mobile phones, internet, and satellite communications to North Korea.
Carr pointed out that the geolocation of the first leak of the Sony data on Dec. 2 was traced to the St. Regis Hotel in Bangkok, just 2.5 miles from the Loxley offices. BuzzFeed News repeatedly tried to reach a Loxley company representative Monday, but was given no comment on the company’s possible involvement.
“One of the easiest ways to compromise the internet of a country is to work through a vendor which supplies to that country. This is what we, in the security world, refer to as a supply chain vector. What it means is that if you can’t attack a company or entity, you attack a supplier and get access that way,” Carr said. “If what I propose is true, this is a supply chain attack using Loxley.”