[Image: GOP splash page posted during the hack]
Everyone seems to be eager to pin the blame for the Sony hack on North Korea. However, I think it’s unlikely. Here’s why:

1. The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”, i.e. it reads to me like an English speaker pretending to be bad at writing English.

2. The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible. See here – http://www.nytimes.com/2006/08/30/world/asia/30iht-dialect.2644361.html?_r=0

here – http://www.nknews.org/2014/08/north-korean-dialect-as-a-soviet-russian-translation/

and here – http://www.voanews.com/content/a-13-2009-03-16-voa49-68727402/409810.html

This change in language is also most pronounced when it comes to special words, such as technical terms. That’s possibly because in South Korea, many of these terms are “borrowed” from other languages, including English. For example, the Korean word for “Helicopter” is: 헬리콥터 or hellikobteo. The North Koreans, on the other hand, use a literal translation of “vehicle that goes straight up after takeoff”. This is because such borrowed words are discouraged, if not outright forbidden, in North Korea – http://pinyin.info/news/2005/ban-loan-words-says-north-korea/

Let’s not forget also that it is *trivial* to change the language/locale of a computer before compiling code on it.

3. It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tack that this started out as.

4. Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down. Just think what they could have done with passwords to all of Sony’s financial accounts? With the competitive intelligence in their business documents? From simple theft, to the sale of intellectual property, or even extortion – the attackers had many ways to become rich. Yet, instead, they chose to dump the data, rendering it useless. Likewise, I find it hard to believe that a “Nation State” which lives by propaganda would be so willing to just throw away such an unprecedented level of access to the beating heart of Hollywood itself.

5. The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK “might be linked” that suddenly it became linked. I think the attackers both saw this as an opportunity for “lulz” and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die.

Wired has just covered this exact point – http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/

6. Whoever is doing this is VERY net and social media savvy. That, and the sophistication of the operation, do not match with the profile of DPRK up until now.

Grugq did an excellent analysis of this aspect; his findings are here – http://0paste.com/6875#md

7. Finally, blaming North Korea is the easy way out for a number of folks, including the security vendors and Sony management who are under the microscope for this. Let’s face it – most of today’s so-called “cutting edge” security defenses are either so specific, or so brittle, that they really don’t offer much meaningful protection against a sophisticated attacker or group of attackers. That doesn’t mean that we should let them off and give up every time someone plays the “APT” or “Sophisticated Attacker” card though. This is a significant area of weakness in the security industry – the truth is we are TERRIBLE at protecting against bespoke, unique attacks, let alone true zero days. There is some promising technology out there, but it’s clear that it just isn’t ready yet.

While we are on the subject, and ignoring the inability of traditional AntiVirus to detect bespoke malware, just how did whatever Data Loss Prevention (DLP) solution that Sony uses miss terabytes of data flying out of their network? How did their sophisticated on-premise perimeter security appliances miss such huge anomalies in network traffic, machine usage or host relationships? How did they miss Sony’s own edge being hijacked and used as public bittorrent servers aiding the exfiltration of their data?
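The questions above are about detection of bulk exfiltration: a sudden jump in a host’s outbound volume and a burst of connections to many new external peers on BitTorrent ports are both anomalies a network monitor can score. The following is an added illustration, not code from the original post and not Sony’s or any vendor’s tooling; the flow records, host names, IP ranges and thresholds are all constructed for the example.

```python
"""Egress-volume and peer-count anomaly check over constructed flow records.

Added example: baselines each host's daily outbound bytes over prior days and
flags a day that is both many standard deviations and many multiples above
the baseline, or that shows many distinct peers on BitTorrent ports.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real Sony data): (day, host, dst_ip, dst_port, bytes_out)
# Days 1-7 are ordinary traffic; on day 8 one file server pushes ~2 TB to 40 new peers.
def make_flows():
    flows = []
    for day in range(1, 8):
        for host, base in (("wks-101", 40_000_000), ("fs-02", 120_000_000)):
            # a handful of known destinations on 443, modest daily volume
            for i in range(3):
                flows.append((day, host, f"203.0.113.{i + 1}", 443, base // 3))
    # day 8: fs-02 streams 50 GB each to 40 distinct peers on ports 6881-6889
    for i in range(40):
        flows.append((8, "fs-02", f"198.51.100.{i + 1}", 6881 + (i % 9), 50_000_000_000))
    # day 8: wks-101 stays close to its baseline
    flows += [(8, "wks-101", f"203.0.113.{i + 1}", 443, 13_000_000) for i in range(3)]
    return flows


# Default BitTorrent client port range; an illustrative choice, real tooling would
# also look at protocol fingerprints rather than ports alone.
P2P_PORTS = range(6881, 6890)


def daily_egress(flows):
    """Sum bytes_out per (host, day)."""
    bytes_by = defaultdict(int)
    for day, host, _dst, _port, n in flows:
        bytes_by[(host, day)] += n
    return bytes_by


def p2p_peer_counts(flows):
    """Count distinct destinations on P2P ports per (host, day)."""
    peers = defaultdict(set)
    for day, host, dst, port, _n in flows:
        if port in P2P_PORTS:
            peers[(host, day)].add(dst)
    return {key: len(v) for key, v in peers.items()}


def find_anomalies(flows, target_day, z=3.0, ratio=10.0, p2p_min_peers=10):
    """Return [(host, [reasons])] for hosts whose target_day egress is anomalous.

    Both the z-score and the ratio test must pass: with a flat baseline the
    standard deviation is zero, so the z test alone would fire on any increase.
    """
    bytes_by = daily_egress(flows)
    p2p = p2p_peer_counts(flows)
    hosts = {h for h, _ in bytes_by}
    alerts = []
    for host in sorted(hosts):
        history = [v for (h, d), v in bytes_by.items() if h == host and d < target_day]
        if not history:
            continue  # no baseline yet; a new host needs a different rule
        today = bytes_by.get((host, target_day), 0)
        mu, sigma = mean(history), pstdev(history)
        reasons = []
        if today > mu + z * sigma and today > ratio * mu:
            reasons.append(f"egress {today / 1e9:.1f} GB vs baseline {mu / 1e9:.3f} GB/day")
        peers = p2p.get((host, target_day), 0)
        if peers >= p2p_min_peers:
            reasons.append(f"{peers} distinct peers on BitTorrent ports")
        if reasons:
            alerts.append((host, reasons))
    return alerts


if __name__ == "__main__":
    for host, reasons in find_anomalies(make_flows(), target_day=8):
        print(host, "->", "; ".join(reasons))
```

Run as-is it reports only fs-02 on day 8, for both the volume jump and the peer burst; day 7 produces nothing. The two-condition volume test is the important design choice: a quiet baseline has near-zero variance, so a pure z-score rule would page on trivial increases, while a pure ratio rule would miss a host that is already noisy.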

8. It probably also suits a number of political agendas to have something that justifies sabre-rattling at North Korea, which is why I’m not that surprised to see politicians starting to point their fingers at the DPRK also.

9. It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. From plaintext password files, to using “password” as the password in business critical certificates, through to just the sheer volume of aging unclassified yet highly sensitive data left out in the open. This isn’t a simple slip-up or a “weak link in the chain” – this is a serious organization-wide failure to implement anything like a reasonable security architecture.

The reality is, as things stand, Sony has little choice but to burn everything down and start again. Every password, every key, every certificate is tainted now and that’s a terrifying place for an organization to find itself. This hack should be used as the definitive lesson in why security matters and just how bad things can get if you don’t take it seriously.

10. Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.

EDIT: This appears (at least in part) to be substantiated by a conversation the Verge had with one of the alleged hackers – http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in

Finally for an EXCELLENT blow by blow analysis of the breach and the events that followed, read the following post by my friends from Risk Based Security – https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack

EDIT: Also make sure you read my good friend Krypt3ia’s post on the hack – http://krypt3ia.wordpress.com/2014/12/18/sony-hack-winners-and-losers/

112 Comments

  1. One thing that also stands out is the image. Each country has their own “styleguide” for splash pages that hackers put up. I’ve seen a lot from the Middle East, Turkey, China, and even the States. The image and layout are so American, it gives further credence to your idea of it being somebody on the inside.

  2. More evidence it was (at least partly) an insider job were statements allegedly made to The Verge very soon after the incident was reported:

    http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in

    If Sony was hacked by a state-sponsored North Korean group in retaliation for the film, they would have made a start around last June, giving them only five months to exfiltrate 100TB of data over the Internet. I don’t see how that could work.

    • That’s a really interesting point – equally interesting is that the person who replied to the Verge also suddenly appears to know English and reasonable use of punctuation. So either the Verge got the wrong email address and are being trolled or someone slipped up:

      “We Want equality [sic]. Sony doesn’t. It’s an upward battle.”

      • Honest question – I believe you present very strong evidence of why it is not North Korea, which begs the question, why would our government fuel the fear of North Korea by officially claiming that it is North Korea? Incompetence? I don’t see the motive in covering for Sony in this instance or that is there is anything to be gained from blaming North Korea and making them appear more powerful than they are. If this was 2003 and being used as an excuse to drop bombs on a country, that would be one thing, but as far as I can tell, there are no plans to retaliate. I am not saying that because the government says it is North Korea means that it is, I am just curious about what you think as possible reasons for the FBI pointing the finger at the North Koreans.

      • I don’t know why it took me this long to notice .. but the original post by GoP — the image you have linked to the top of this blog .. you see any broken English in it? In fact, there’s even proper use of a comma after the word “and” … hrm, wonder why they suddenly went from perfectly good English to the broken version. SMH.

      • @seleonard310 Because that’s how Empire works. It has to constantly prop up new boogeymen as false threats in order to justify its own oppressive and draconian policies and actions. Fear, xenophobia, and outrage can get the masses to agree to anything.

      • We are talking about a country that has authorized and carried out kidnappings of foreign nationals, right? Is it outside the realm of possibility that an English speaker did this?

        Also, Hacker culture (that is, the illegal kind of hacker) thumbs its nose at authority and might use English as a way of saying that they are above any restrictions imposed by the government.

        Third: would not the training of government hackers include tactics like making it look like someone else really did it??

        Fourth: It would be just like a dictator to use an “incident” like this to threaten the US — particularly with President Obama calling the shots.

      • @seleonard310: The US has probably latched onto this story as a (weapons) sales pitch to South Korea and Japan.

  3. it is really unclear.

  4. Just my 2 cents – Money talks.

    At first, “Hackers” saw a chance to get money from Sony by threatening to publish secret information.

    Then they may have been paid instead by North Korea if they agreed to change demands.

    • That’s always a possibility. Another possibility is that where one hacker got in more than one hacker now has gotten in. Multiple actors could explain what appears to be multiple different agendas.

  5. what if whoever was behind this intentionally wanted to make it look like it was not Korean/Chinese?

  6. the picture is created with american english. “we’ve already warned you, and this is just the beginning”. notice the we’ve. ferners dont use shortcuts. and the ‘,’. ferners dont do that.

    FOLLOW THE MONEY! like las vegas, the big biz in hollywood were paramount, universal, warner, and who knows. then, SONY comes to town. Big corporate giant and crushes the old schoolers. My guess? Old schoolers got mad and could hardly wait for an opp to fight back. All they needed was a plausible story that they could kick and stick.

    so old schoolers friends and family in the media rush to put this out QUICK!

    it’s a LOAD OF CRAP! When you take a close look at what happened and the entire operating environment, a few things stand out; technical expertise, knowledge of sony networking, motivation, desperation, the laffability that kim would even blink, and unknown to the general public… attacks from the Ukraine and a few other places have since mysteriously stopped.

    this whole charade seems very scripted- a lot like that photo-ready crap the security people at indonesia airport put out when MH317 disappeared.

    my smell test is this- whenever you get a flood of stuff to the media and its all the same and the NAMES of the origins of fact are neither mentioned nor interviewed, AND someone stands to make or lose a lot of money….. IT’S A CON JOB.

    • “ferners dont use shortcuts. and the ‘,’. ferners dont do that.” But I’m a ferner (had to look that word up) from the UK, and I use apostrophes, including in “we’ve”. That sentence doesn’t look American to me at all. Besides, do you think North Koreans speak British English? I’d say American is more likely.

  7. Point 4 seems questionable. The whole narrative is that it is an act of state sponsored terrorism by North Korea, in response to ‘The Interview’; surely they are less likely to be financially motivated than a private hacking group in the U.S. or elsewhere.

    I’m not informed on the specifics of the industry, but isn’t the argument that it was carried out by hackers in China (Korean or otherwise) at the behest of North Korea? China seems to have a good track record in hacking. If this is the case, doesn’t it dispense with any issues over North Korea’s technical capacities?

  8. Reblogged this on Michael Musgrove and commented:
    I tend to believe N. Korea didn’t have anything to do with it either. North Korea doesn’t have a huge base of technological masterminds. Even if Sony’s security was crummy, I can’t see N. Korea spying on a private company like Sony, then carrying out all the things that would have had to have happened for the story to be true as portrayed.

  9. Standard Oil of New York

  10. NSA-CIA-DHS are too busy spying on American Citizens to know about ISIS that incubated for years or hackers that did this ………

  11. These comments are all the comments of DPRK hackers, trust nothing.

    • You’re right. Ya got us. Our only mistake was that we let the intern who took 2 ESL classes write the note. Because, as you see, most of us can write grammatically fluent English. Good job, Sherlock. We are at the mercy of your deductive prowess.

  12. It’s been six years since I worked at Sony Pictures, so I can’t say much to the current security culture. But when I was there, the studio internet access system required us to change our passwords every six months. And you couldn’t repeat a password. It wouldn’t surprise me if people did continue with variations of “password” in spite of the system telling them not to do so. But the mechanism was in place, so they weren’t entirely security lax.

    As for the rest, given the known attitudes and interests of the North Korean leader, I wouldn’t find it surprising if NK were indeed behind the hack. On the news this morning, the government has apparently determined that NK hired the hackers, which would negate the initial objections you raised – those factors wouldn’t matter. I’ll just wait to see how the rest of the investigation plays out.

    • Obviously being an insider you will have better perspective than me, but everything I have seen so far screams “tickbox security” to me. By this I mean Sony clearly went through the effort of getting certified against some sort of security standard but only to get a qualification, not to make the security better.

      Why do I say this? Well it takes *a lot* more than changing your password every 6 months. That’s not even a hygiene requirement. What password complexity was required? Where’s the data classification policy (none of the documents I have seen so far have been classified or watermarked)? Where’s the architecture that should have prevented access to these systems? Where’s the monitoring that should have picked all this up?

      As far as I can tell someone did the bare minimum to make Sony secure and not a lot more.

      • Like I said, it’s been a while since I’ve been there. I was on staff at Jeopardy – and we maintained our own internal security (to protect the game materials). We didn’t rely on Studio security for that. But our outbound communications and internet access were part of the studio’s system. Still there were plenty of occasions of misdirected emails landing in my box, because someone didn’t pay attention to the auto-fill component of the studio email directory. That doesn’t make for great security.

      • Well, with any luck they will use this as a chance to start again. It’s not like they are going to have much choice with the material that’s floating around the internet now…

  13. Nice breakdown, thanks Marc Rogers!

    Thoughts on Sony having turned this into a PR stunt to promote The Interview? After all this publicity, and feeding off American patriotism, has this turned the film into a ‘must see’?

    • Unlikely. This will cost them hundreds of millions of dollars, if not billions in damages, lost reputation and lost business. If anything they are going to want to move away from this conversation really quickly and focus on damage control. That means dumping anything which has links back to this saga or which might prolong the conversation – such as the film.

      • IMO this started out with an unhappy employee, and when Sony realized the damage from leaked emails added to the seriously bad reviews of the movie, they came up with the ‘terrorist’ threat in order to pull from the theaters. Now when they release the movie on DVD they will make more than had they released in the theaters. Because of all the flag waving Americans declaring war against the NK hackers, these fools will run out, buy the DVD to show NK who is boss ! lol

      • Hey Marc, thanks for the response!

        I don’t mean the hack itself, of course that was devastating.

        I was thinking Sony Pictures’ response is a bit simpler: framing it as an attack from North Korea, and as a secondary perk, to boost interest in the film. This, if it were a tactic, has a major benefit: it reverses Sony Pictures’ position in the news media; instead of being incompetent, they’re now a victim (ugh) – is anyone still talking about how incompetent they were?

        The tie-in with the movie, which you pointed out as having materialized later in the time frame, has made it a ‘martyr’, which many, many more people will want to see now. When Sony releases it, they will inevitably get MANY more ticket sales, and film critics will be completely ignored. It may even be a ‘patriotic duty’ to watch it now. (Take that, North Korea! We’ll waste a couple hours and $15 to spite you!!)

        It could be a ploy to push attention away from their blunder, and turn a box office iffy into a hit. Just some idle speculation. =)

  14. Nice analysis, but keep in mind Sony != Sony Pictures

  15. Interesting. For a view from DPRK specialists see http://38north.org/2014/12/jalewis121214/

  16. Nice writeup. I was forwarded this from my boss this morning…🙂

  17. Yours is an interesting analysis. An insider does not rule out an outside organization. In fact, hiring an insider would be a smart move. I also note that North Korea is so isolated it would have to get help from others, but the most likely candidate is not China but Iran. Finally I would like to let it be known it was revenge, but to cloud the picture so there is always the possibility of “plausible denial.” If this was really clever and a well financed venture, and one that would be sustained for some weeks, then it is possible to conclude it was a NK venture with outside and inside help.

  18. Forgive me if I am a little ill informed here but this leaves me slightly perplexed: You state that, “The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea” and then you continue, “Lets not forget also that it is *trivial* to change the language/locale of a computer before compiling code on it.”
    How do we know anything about the code? Does that mean that the source code of this malware has been discovered? Or does it mean that it is evident that the executable was compiled on a PC with Korean Locale and that we are logically *assuming* that the code was also written on the same / similar PC?

  19. Thanks for an interesting article. Your points are persuasive, but one question: as others above note, the US government has more or less accused North Korea. Yes, the accusation has come through leaks to the New York Times and other outlets, but the reporters involved (like David Sanger) are unlikely to have been played/duped.

    In other words, if it IS an insider, why would the US government claim otherwise? And presumably the State Department knows more than most of us..

    • Wow, are you new to the US? The US Government has a LONG history of creating events and lying to the American people to forward their own agenda. Every war the US has entered was based on a lie. War is big money and in DC from the President to Congress to DOD, the State Dept etc. all have personal investments in the Military Industrial Complex. The more enemies they can create, the more power they acquire, the more money they make. If you expect to learn the facts on any issue from the US MSM, you will forever be in the dark. Here are some links that may help you.
      http://whatreallyhappened.com/WRHARTICLES/lieofthecentury.php#axzz3MMuKSHWv
      http://www.ihr.org/jhr/v13/v13n4p4_Ries.html
      http://whatreallyhappened.com/WRHARTICLES/biowar.html

      • Hollywood/MSM and DC are partners in propaganda. While they are screaming about free speech and not allowing a foreign country to dictate what Americans can and can not watch, do not expect to see the documentary above, “The Day Israel Attacked America “, to ever be shown on any US mainstream station. Post it to your congress person’s FB page and watch it disappear within an hour of your posting, post a second time and you will be blocked from your congress person’s FB page.
        The fact is American media, TV, radio, and news is already censored so when I watch what appears to be a major production with the exact same script being read word for word across the entire media, I am convinced this is just more of the same BS propaganda . Demonizing a country or a people is the pattern the war mongers follow in the lead up to an attack.

        BTW Marc, I found your blog researching this issue. You have a new fan. Great article !

    • Are you seriously talking about David Sanger? Member of the Council on Foreign Relations David Sanger? Guy’s been drumming up war so badly he’d almost make McCain blush. He’s a warmonger that only sounds reasonable because he puts a liberal veil over it.

      • Guess who else is a member of the Council on Foreign Relations? The CEO of Sony, Michael Lynton. The Interview is, among other things, itself an act of war. Or do you think Sony would have permitted a film of the same theme which depicted the death of the leader of China? If not, why not? Because it would have been offensive to the Chinese, not only the elite leadership, but more widely within the population. And being so, the film would be politically dangerous and a big mistake. Sony’s decision to produce such a film about North Korea shows Hollywood’s tendency to develop its cinematic ideology in line with Washington. Way back when there were German enemies, then Russian, then Arab. Now Islamic terrorists and North Korean enemies are having their “moment”. Perhaps they consult one another on such things around the table at CFR? The whole thing rings of a perfect storm suited to push more national security legislation and increase the influence of the security establishment. When the existence of the image machine (Hollywood) is at the mercy of the power of the agencies, the images produced by that machine will serve the interests of those agencies. “No more Eagle Eye, thank you.”

    • I mean, seriously, DAVID SANGER?

  20. SUPERB article.

    Another point I’d like to mention is that North Korea is investing a lot of money to create a market for tourism, and to turn around and suddenly make 9-11 related threats is ludicrous. It’s like Tim Cook releasing the iPhone 6 and then running around personally firebombing Apple Stores the next day. North Korea’s MO has always been to boast about their attacks, which many experts (ACTUAL experts) believe is more for the benefit of its own citizens, to assert that there is a foreign threat out to get them, and that’s why the status quo is necessary. North Korea had nothing to gain and everything to lose from this. This, for them, was worse propaganda than any movie could ever be.

  21. SUPERB article. Another point I’d like to mention is that North Korea is investing a lot of money to create a market for tourism, and to turn around and suddenly make 9-11 related threats is ludicrous. It’s like Tim Cook releasing the iPhone 6 and then running around personally firebombing Apple Stores the next day. North Korea’s MO has always been to boast about their attacks, which many experts (ACTUAL experts) believe is more for the benefit of its own citizens, to affirm that there is a foreign threat out to get them, and that’s why the status quo is necessary. North Korea had nothing to gain and everything to lose from this. This, for them, was worse propaganda than any movie could ever be.

  22. Occam’s razor. Sorry, it’s North Korea.

  23. Agree with most of your points, and the evidence does seem to suggest this didn’t come from NK and instead was from a disgruntled employee.

    However, your second point is misleading. None of the sources you have linked state that “traditional Korean” is banned in the North. Although the two languages have evolved in different ways, it’s the language in the South that is the furthest away from “traditional Korean”. Your sources even back this up.
    Further, in what way does this make the presence of China seem more plausible? China has an extensive population of North Koreans, especially in the (increasingly porous) border region. If China instigated the hack on behalf of NK, they would never have mistakenly used the southern dialect.

    However, your point about the use of English loanwords is valid.

    • If this was instigated by China, it would be more likely that the involved party, whether government or private, is from a region that is more technically advanced than the border regions. It’s reasonable to say that there are more South Koreans than North Koreans in these areas.

      Regardless, the point is that if the group of hackers was from Korea, either North or South, they would have understood the difference in dialects. Scratch that, anybody that speaks Korean should have been aware, and since whoever it is that’s responsible fits in that category, this just seems like an oversight.

      Also, it’s difficult to say which version of Korean is ‘traditional’, but I get your point. Technically, the North Korean dialect is more ‘pure’.

  24. Something that caught my eye… in the riskbased link, I noted that some Sony Japan client data (AXN / Sky Japan) was ensnared in the leak. If this is indeed true, Japan’s aggressive data privacy protection laws could kick in. You may see the Japanese government go after Sony for fines (this is where I would guess the J gov would limit their actions at) and Sony executives criminally (a stretch IMO, but you never know).

    http://asia.nikkei.com/Politics-Economy/Policy-Politics/Japan-to-stiffen-penalties-for-leaks

  25. I’m one of the last people that wants to portray the North Korean regime as more nefarious than they are already, but I find the comments you posted from Marc Rogers unconvincing. Not just as a Korea researcher, but also as an ESL teacher, I can give my opinion that the English errors made in that . for instance: the use of the simple present “continue” instead of the correct “will continue” for something that could refer to both the present and future. Also: the improper use of the be verb “be” instead of the correct “is” is an understandable mistake, considering that it is part of a clause starting with “until.” The fourth sentence “If you don’t obey us……” seems like poor English, but it’s only really missing the definite article “the” before “the data,” and if I had a dollar every time ESL students had trouble knowing when was the appropriate times to put “till/until” vs. “by,” I wouldn’t be rich, but at least I’d have some extra cash.

    I can assuredly tell you that that message was written by a nonnative speaker of English, and the mistakes nonnative English speakers make are generally fairly similar no matter what the student’s linguistic background (although there are a few mistakes that are more common for one language speaker than another). It was only fake if it was written by someone who has spent years looking at common mistakes of nonnative English speakers.

    • Interesting point, but it’s reasonable to assume that if a nation state were to make such a bold statement, it would at least have a linguistics expert proof-read it. I know that in news articles and even political papers written by Koreans the English can be awkward, but they’re not often grammatically incorrect. This still seems deliberate to me.

      • Important point to raise, but I would counter by saying that the top secret nature of the operation might make them slightly reluctant to hire a native English speaker as a proofreader. Most of the errors there are fairly complex and would be difficult to replicate even by someone like me who has taught ESL for 5 years. Whoever wrote it was probably working with a deadline.

        But I didn’t really say that the North Korean government is directly responsible, only that a nonnative English speaker did it.

      • I understand, but some of these errors are simply egregious, particularly in the latest statement.

        “Now we want you never let the movie released, distributed or leaked in any form of, for instance, DVD or piracy,”

        I myself am not a native English speaker, and it seems even a moderately experienced writer could have avoided this grammatical atrocity.

        But again, I see your point.

  26. I wouldn’t put it past the North Koreans or someone friendly/sympathetic to North Korea to be the source of the hacking. Someone (friendly or sympathetic to North Korea if not someone from North Korea) hacked into my twitter account multiple times almost certainly because of some of the articles that I wrote on nknews.org. One of my articles was actually deleted from nknews.org although it was brought back up by the editors.

    But whoever it is, I don’t think they have any intention of carrying out terrorism outside of the web. I think the film was in poor taste to begin with, but it’s unfortunate now that we’re letting the fake terrorists win.

  27. Perhaps this may be one reason or the reason Sony got hacked: http://goo.gl/wtgV6S

  28. Err, I guess argument 5 has some problems with arguments 1 and 2; if the culprits only latched onto “The Interview” and the DPRK after the fact, why would they use bad English and set a computer to a Korean locale? Of course, even without the movie North Korea has something of a reputation, so it might make sense for a hacker to use it as a scapegoat and for the lulz, thankfully they didn’t use Iran or Cuba or something. With “The Interview” only added as an afterthought. Still, this indicates the DPRK angle was not just in the media.

    Mind you, I agree it’s quite unlikely North Korea is really behind this, if this is not some prank by an ex-employee, IIRC there were similar incidents in the past, and there were ideas of the hackers being Chinese or Koreans in Japan, both of which might also feel somewhat personally linked to the issue…

    Reply
  29. If it wasn’t a North Korean proxy, then who was it? This is the problem some of us have with the experts. They blithely talk up inside jobs without offering a shred of hard evidence for what would be an unprecedented admin-gone-bad attack.

    Reply
    • The point (and indeed the title) of the article is that ‘it wasn’t North Korea’, not ‘it was somebody else’. It’s a ‘proof of burden’ kind of deal, where the accuser, which in this case is the American media and government, has to provide appropriate evidence to defend their case and counter the contradictions presented by this article. It’s the same as how you can prove that a person committed a theft, but you can never prove that a person never committed a threat. Simply countering the author’s argument by asking ‘well, then prove that they DIDN’T do it’ or ‘well, prove that SOMEONE ELSE did it’ is a critical fallacy that, in and of itself, means absolutely nothing.

      Reply
  30. Nice piece of threat analysis. Unfortunately there is still a lot of speculation about who is behind data breaches, because it is often not possible to find who to attribute the attack to unless there is an FBI prosecution in court or the hackers themselves take credit. It is also too easy to fault Sony, as I know some security managers who work for the Sony mobile division who are no less capable and qualified than most of the security managers I know of. Ultimately, large organisations like Sony that are under attack today (it is not a matter of IF but WHEN you find it) should take a realistic view of cyber-security from a business impact perspective and invest in people, process and, last but not least, technology. From a technology perspective, being able to detect is today more important than being able to protect from cyber attacks. You can assume that incidents like the one at Sony happen, and then the question is which detective and preventive controls can detect kill chain events before data is exfiltrated.

    Reply
  31. CNN still claiming it’s North Korea. FFS. I’ve tried to redirect anyone I know to this article. The more idiotic we can show the MSM to be the sooner it might actually change from being a State Department mouthpiece.

    Reply
  32. One thing no one is mentioning is the genuine hatred nearly every Korean person has towards the Japanese, after the 1910-1945(?) subjugation and colonization of the peninsula, as well as other previous invasions and wars… I’m sure you’ve heard of the “comfort girls” thing where many young Korean women were turned into sex toys for Japanese soldiers… well anyway, seeing how recent that was, most Koreans aren’t over it, and some of those sex toys still survive now. I seriously doubt ANY Korean people are exactly sad to see any Japanese interests suffering. Not only that, I’m fairly certain Japan is considered an enemy of both Russia and China.

    Doesn’t prove anything but it is something. Many South Koreans won’t eat Japanese food, even, and at one point across the nation millions of cherry trees were cut down, since they were said to be from Japan…later, when someone found a native cherry tree on a remote island, all of a sudden they were ok again. This kind of fanaticism says quite a bit!

    Reply
    • As a Korean, I must disagree with everything you said. I don’t feel any animosity towards Japan. My friends and I, in fact my entire generation and two after ours, grew up on Japanese comic books. Just look at the sheer number of sushi restaurants in downtown Seoul. I personally befriended many Japanese students in school, none of whom claimed to have been victims of extreme racism. There is an anti-Japanese sentiment that flares up now and then due to media bias, but that’s mostly towards the Japanese government, not Japanese people in general, and certainly not towards Japanese corporations. I don’t think anti-Japanese sentiment had anything to do with this.

      I understand how you could think this, though, as it is a common misconception.

      Reply
  33. Uh oh. Looks like the hacker kids have realized the joke went a little too far. Hackers sent a new email to Sony this morning: http://www.usatoday.com/story/news/2014/12/19/sony-the-interview-hackers-gop/20635449/

    Reply
  34. I believe the U.S. Government is behind it. They have displayed their propaganda through the mainstream media that “The North Korean Government has classrooms full of children they have taught to hack”; two days after the initial report the media is running with this story. SONY drops their Interview movie, Americans run scared looking for the Government to give them a solution since major entities have been “hacked” already and millions of consumers have been affected (Target), and now another attack? And with the bogeyman North Korea scaring the SHIT out of us with all their outlandish displays running through the media constantly, Americans are sure to adhere to what the U.S. Government wants. The U.S. Government is looking for any reason, through scare tactics, to reel the internet into their control; after the failure of SOPA and PIPA, the U.S. wants a Chinese-style state-controlled internet and system overall, anything that could make Americans less “free”.

    Reply
  35. A note about localization: It seems to me very plausible that a North Korean actor would use a PC with Korean localization because, even though the language divide between North and South is pronounced (pun intended), they are still written *using the same character set*. Obviously, the use of native character sets is the primary reason why people localize their PCs in the first place.

    Reply
  36. Reblogged this on The Insomniac Libertarian and commented:
    My SONY epistemological question – in a secrecy surveillance state, with no transparency about what the intelligence agencies are doing, how do we know the NSA didn’t hack SONY to prove that government surveillance is needed?

    Reply
  37. Hackers’ Twitter account suddenly became active, minutes after the FBI announcement.

    https://twitter.com/GuardiansGOP

    Prior to that it had been empty.

    Reply
  38. 1. Disbelieving the bad English is an opinion, not a fact. Any good extortionist/blackmailer will purposefully garble their language to avoid identification.

    2. “The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea.” This is not true. The fact that the code was written on a PC with Korean locale & language makes it likely to have been the work of a Korean — maybe a South Korean, or maybe a North Korean security expert who spends a lot of time masquerading on South Korean forums, or maybe a Korean American; who knows. If you’re going to invoke Occam’s Razor, it still sounds more plausible for the code to have been the work of a Korean, North or South, funded by North Korea, perhaps even lavishly so. Can you imagine a South Korean hacker dude being willing to accept a fantastic sum of money in exchange for pulling off a fantastical hack? I can.

    3. The involvement of an insider does not exclude the involvement of an outsider. The likelihood of any insider, no matter how malevolent and revenge-soiled, having the skills to pull off every aspect of this caper is essentially zero. Again, if you’re invoking Occam’s Razor, it’s more likely the work of an insider and a hacker, both handsomely rewarded for their crimes.

    4. “Whoever did this is in it for revenge.” This doesn’t exclude North Korea.

    5. Yes, “The Interview” wasn’t mentioned initially. If the hacker’s first action had been the demand made today, to wipe the film from our collective history, then it would have looked transparently like the work of North Korea. You can’t blame them for being coy when we would have blamed them for being obvious.

    Maybe North Korea isn’t ultimately behind the hack, though that isn’t where the evidence is pointing, with or without Occam’s Razor.

    Reply
    • All good points, but none of these point towards North Korea as a suspect, they merely leave the door open a crack for that possibility. The article’s intent was to show that there is NO evidence (and I use that word in the strictest terms) to suggest that North Korea is any more responsible for this hack than disgruntled employees or simple extortionists.

      And given the political atmosphere, I think it’s very unlikely that North Korea was the culprit. The country is spending a substantial amount of its limited resources to become a tourist attraction, and to suddenly turn around to make 9-11 related threats (in poor English) is very contradictory. It’s a worse publicity move than any movie could ever be.

      NK’s MO has always been to boast about its attacks (which, technically, can be defended as retaliations). This does not fit the country’s agenda, which is self-preservation, not “world domination”. Besides, there has been plenty of satire against NK in the form of movies/video games and other media that was just as offensive.

      On the other hand, given the Sony layoffs, a disgruntled employee does seem to have more motive and incentive (not to mention opportunity).

      Reply
      • I don’t see how my points failed to point towards North Korea as a suspect, though if you’d like some more:

        • In June, North Korea announced that they would take the film’s release as an act of war. That’s a hard statement to walk back from.

        • The FBI claims that the sophisticated malware used in the attack reached out to IP addresses known to be under North Korea’s control.

        • The FBI further claims that they have a great deal of other evidence that they don’t yet want to disclose, likely due to the investigation being ongoing, but that important chunks of the malware are identical to code used in malware previously associated with North Korea.

        • The hackers who claim responsibility are praising Sony’s wise decision to pull the film, and are now demanding that Sony agree never to distribute the film and to pull from circulation all evidence of the film’s existence. That’s not revenge. That’s extortion.

        All the evidence points toward North Korea’s involvement. Who all else was involved, we don’t know. It seems wholly plausible — almost necessary — that a malicious nation-state generously funded a disgruntled employee’s epic internal burn. But it seems a bit silly at this point to deny the clear evidence pointing toward a nation state, and that the nation state being implicated is North Korea.

      • Hi, here’s my response to your comment.

        1. North Korea makes similar statements about the smallest things every other week, 99% of which aren’t carried out. They made similar statements about ‘Team America’ from 2004. Besides, if NK made a movie about assassinating Obama, wouldn’t the US do the same? NK threats are as abundant as they are for show.

        2. The IP can be set up in a way that points to NK by anyone moderately experienced. This is circumstantial evidence at best, that means next to nothing, just like the locale.

        3. Malware attack codes are bought and shared online regularly. A malware code from China can end up being used by a kid in Europe. Saying that ‘chunks’ of Malware (allegedly) similar to the coding style of NK makes it responsible is a stretch. Many cyber security experts lament the lack of evidence that links NK from a technical aspect. Among many, here’s an article, (although I usually dislike simply pointing people to articles this one sums it up nicely, I think) http://gotnews.com/breaking-exclusive-top-fbi-connected-cyber-crime-fighter-doubts-northkorea-behind-sonyhack/

        4. The hackers latched onto the movie AFTER the media did. It’s clear from the timeline. If NK was responsible it’s reasonable to expect that they would lead with this, for purpose of effect.

        Furthermore, simply from a political standpoint NK has nothing to gain from this. Like I’ve said, the country has been spending a critical amount of its limited resources to promote tourism. To turn around and make 9-11 related threats is highly contradictory. This only makes sense if you believe that NK is indeed a band of irrational, fanatical, ideologically driven cartoon villains. This is far from the case. What North Korea is, is a failed regime whose one and only purpose is self-preservation. All that sabre rattling, all that secrecy and self isolation is for that one purpose (besides the fact that every other person they let in turns out to be a spy): to convince its own people that the status quo is necessary to protect them against various ‘foreign threats’. It’s a house of cards trying to sustain itself, not a cartoon band of villains bent on world domination.

      • Basically, all there is is that NK made threats for a movie about assassinating its leader, which is something any nation state would do. The FBI has offered nothing but circumstantial evidence. The hackers latched onto the film AFTER the media did. And none of this can possibly benefit NK in any way. Only a moron wouldn’t be able to see that this is worse propaganda than any movie could ever be, and the people in charge in NK aren’t morons.

      • I just noticed that you mentioned the fact that the media latched on after the fact. But still, the scenario you mention is highly speculative and hypothetical, just as hypothetical as to believe that the leadership of NK, people with decades of military and political experience under their belt, really thought that such a threat could ‘wipe the movie out of the world’s collective history’. Like your theory about NK working with an insider, it’s only a scenario, one out of countless many.

  39. So you don’t believe it was about The Interview because they didn’t mention the film until the media raised it as a possible reason yet you’re happy to believe it’s disgruntled workers after equality despite them not mentioning equality until after some leaked emails raised issues with the subject?

    Personally I believe it’s not N. Korea or an employee but a similar bunch to the ones who hacked PSN a few years ago for the ‘Lulz’. Hackers have been after Sony for years since they took legal action against the guy who jailbroke the PS3.

    Reply
  40. You people are incredibly bright. I have been intensely mesmerized by this string.

    Reply
    • I completely agree, Brian! All I do is post to Facebook, Instagram and Twitter – that’s about as tech as I get (though I am a journalism student) – yet I’m enthralled in this thread!

      Reply
  41. I can answer the question of why, if you’re smart, you do not use the intelligence to gain financial reward. That is because whilst you are running a bot, fire and forget, and it’s not handshaking your computer, what you are doing is almost untraceable if you do other smart things, despite what the various intelligence agencies rant about. Most of their advice comes from mathematician intellectuals who have blind spots.

    Reply
  42. It’s interesting to speculate that this is an inside job. That doesn’t make it not North Korean. We see today plenty of Americans travelling to Syria and Iraq to fight for ISIS. Could well be there are hackers who are sympathetic to North Korea or any enemy of what they perceive to be the corporate status quo.

    If I worked for Homeland Security I’d be investigating this angle but I’d still be looking at the threat to theaters as terrorism. Any hacker involved in this could look forward to a one-way trip to Guantanamo.

    Reply
  43. Marc Rogers is a DPRK agent. He has a picture of Kim Jong-un on his wall. Trust nothing he posts.

    Reply
    • He’s not asking you to take everything he says on faith. What he’s asking anyone to believe is the logic of the case he presents. Your tag name suggests that you’re one of those people that simply WANT to believe that North Korea is some sort of band of cartoon villains, that you enjoy the rush of anger and queer sense of satisfaction from believing that there really is a bumbling band of idiots bent on world domination. If this is the case, please reconsider your world view. It is simply offensive.

      Reply
  44. Is it completely crazy to think this is all for show and could be a publicity stunt? Now everyone wants to see it…

    Reply
  45. Interesting and good points. But we are talking about a crazy regime that has done crazy things in the past. This is a country that finally admitted it secretly kidnapped ordinary Japanese citizens for decades, even after it was suspected for years. They also forced one of them to marry/mate with an American deserter, Charles Jenkins, so they could train his kids as super spies… Not to mention the dozen or so North Korean spies, including the 2008 one who tried having sex with military officers for irrelevant information. It’s hard for me to think about what North Korea could or couldn’t do.

    Reply
  46. Reblogged this on Ruth Nestvold – Indie Adventures and commented:
    This has nothing to do with Indie publishing, but it does have to do with the dangers creativity is faced with in a digital age — and besides, it’s a fascinating analysis, with all kinds of food for thought, and maybe fiction.

    Reply
  47. I doubt North Korean hackers have the skill. But I just as easily believe that North Korea can hire Chinese or even Russian hackers.

    Reply
  48. Too bad this is to be Obama’s WMD moment. Insider or not, NK gets nuked over this.

    Reply
  49. One more point to add is that one of the first things leaked is the death scene of Kim Jong Un in “The Interview”. Now why would a country so bent on keeping this movie away from the public leak the most controversial scene in the whole movie? To me it just doesn’t add up to be NK. I assume the hackers just rolled with it once they realized that they can point the blame at a country that no one is willing to mess with…

    Reply
  50. I don’t ever post here, but this was well written, easy to understand, and the reference and citation links are outstanding. -layman

    Reply
  51. You misspelled “sheer”.

    Reply
  52. There are North Korean communities throughout the Western world.
    In Japan, North Koreans killed landowners and built schools.
    They are always alerted for brainwashing education.
    And it is sure that there is always China behind North Korea.

    Reply
  53. @GuardiansGOP released a new tweet this morning, featuring a photo of Julian Assange. I know there have been some who have discredited this Twitter feed, but I’m inclined to believe it’s the real deal. And the message in the tweet makes way more sense than any North Korea tie.

    Reply
  54. Good post. And to an informed American, (like my use of commas!) the FBI is starting to look like n00bs. But I want to point out the simple reason I “knew” it was an inside job the moment I saw the hack image and before I read ANY of the endless speculation that has spewed forth since:

    Guardians of Peace or “GOP”. In the industry, GOP is a technical term that stands for Group of Pictures. Now, I am sure there are many among Sony’s legions of employees, including Amy Pascal, who have no idea what a GOP is. However, to those who have any connection to the post-production process of a film (i.e. the lion’s share of Sony’s employees; it’s where all the heavy lifting takes place) GOP is a very well known term.

    So here is the thought analysis: Sony gets hacked -> the hackers call themselves Guardians of Peace -> they reveal themselves in a personal way to the employees at Sony -> Sony employees show up at work and see the hack on their PCs -> they instantly recognize the “clever” construction of the backronym GOP.

    IOW, pure insider job.

    Reply
    • Of course, the only thing this accomplishes now is to lead us down the rabbit-hole of why would the FBI lie and say it was the DPRK? One possibility: Sony. Sony stands to benefit immensely by the sabre-rattling. Look at what is happening. At first Sony looked terrible. But then Sony cancels releasing The Interview and suddenly they have everyone from the POTUS crying cyber-terrorism to journalists crying censorship. Sony doesn’t look so bad now.

      I am afraid it is not the FBI that are n00bs but us for believing the pack of lies.

      Reply
      • Or it could be something as simple as they don’t really know. Their “experts” are tracking all the information back to North Korea because that information was planted within the file and that’s what they believe and are reporting to Obama.

        But it’s not like they’ve been completely wrong in the past: http://www.theregister.co.uk/2001/06/15/solar_sunrise_hacker_analyzer_escapes/

        At best, this is completely irresponsible. At worst, it is intentional.

        The bluster coming from Kim Jong Un isn’t helping matters with the average American who doesn’t get that this kind of crazy is “normal” for him. And that’s what makes it even more compelling — the reaction coming from North Korea is what you’d expect from them had they initiated this hack from the get-go — lots of crowing with false pride, making threats, spewing dogma .. and we had none of that coming out of NK until after Obama issued the direct response.

      • “Or it could be something as simple as they don’t really know.”

        I never said the FBI DOES know. I just think the FBI is lying when they say the DPRK was responsible. Although, the possibility exists that the FBI DOES know who the hacker is and it isn’t the DPRK. But that is not likely.

        Either way, Sony still benefits immensely from the sabre-rattling as I stated above. Also, I am still flabbergasted that Obama commented on this. Is he going to comment on every company that has poor opsec now? If you ask me, he is just taunting the legions of cyber-criminals across the world in hard to reach places like the FSU.

        Everyone needs to calm down. This is not a matter of national security. And let’s face it, Sony has made its share of enemies.

  55. Mr. Rogers, I personally think you have no idea what you are talking about.
    If North Korea didn’t hack Sony then who did? If they didn’t do it themselves then they still paid hackers to do it for them, so either way they were involved.

    Reply
  56. Point #2 has some problems with it. The issue revolves around two guillemets that appear in the readme.txt accompanying the initial data dump. Here’s what the line in question is supposed to look like:

    Anyone who needs the data, send an email titled 《To the Guardians of Peace》 to the following email addresses.

    Under most encodings, however, the guillemets will display as garbage text, or not at all. They only display correctly under GBK (Simplified Chinese) or EUC-KR (Korean). Simplified Chinese uses guillemets for certain purposes, but English-style double quotes would normally be used for the title of an email. Guillemets are rare and non-standard in south Korean, which would also use English-style quotes for this purpose. North Korean doesn’t use English-style quotes at all—guillemets serve as quote marks instead. In other words, the use of guillemets here points to someone who is either a native speaker of northern-style Korean, or who is familiar with its orthographic practices (such as the use of guillemets as quotation marks).

    Before moving on, I should note here that the differences between north and south Korean don’t extend to their script. Both dialects use the exact same alphabet and any encoding that can handle south Korean can also handle north Korean. (Jason L. Cook pointed this out in his post several days ago.) North Korea has its own encoding called KPS, but it’s not supported by basically anything developed outside of the country. Despite the existence of KPS, North Korea includes support for EUC-KR in domestically-developed software such as word processors, and North Korean websites have also used it (nowadays they use Unicode). This asserts that EUC-KR is more common in North Korea than KPS, which is perfectly believable. EUC-KR is based on a South Korean standard, but the effort required to add KPS support to every piece of software used in North Korea (much of which is derived from foreign open-source code) is hardly worth it, given that EUC-KR is already widely supported and can handle north Korean writing just fine.

    But you’re correct that all this can be faked quite easily, both the use of guillemets and of EUC-KR encoding (if it’s actually supposed to be EUC-KR and not GBK). Still, if it was faked, whoever did so knew what they were doing and went out of their way to suggest a North Korean writer.

    Reply
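As an added example (not from the thread or its commenters), the encoding check the comment above describes can be carried out on the raw bytes of a note: decode strictly under each candidate encoding and report which ones both accept the bytes and yield the guillemets. The sample line is a constructed stand-in for the readme.txt, and the candidate list is an assumption.

```python
"""Probe which character encodings could have produced a note's raw bytes.

Added illustration of the guillemet/encoding argument in the comment above;
the note below is constructed here and is not the real readme.txt.
"""
import codecs

# Constructed stand-in for the line quoted in the comment (not the real file).
NOTE_TEXT = (
    "Anyone who needs the data, send an email titled "
    "\u300aTo the Guardians of Peace\u300b to the following email addresses."
)

# Hypothetical raw file bytes: the note as an EUC-KR text file would store it.
NOTE_BYTES_EUC_KR = NOTE_TEXT.encode("euc_kr")

# The characters the comment treats as the telling detail: 《 and 》.
GUILLEMETS = "\u300a\u300b"

# Assumed candidate list a reviewer might try on a note of unknown origin.
CANDIDATE_ENCODINGS = (
    "ascii", "utf_8", "latin_1", "cp1252",
    "euc_kr", "gbk", "euc_jp", "shift_jis",
)


def render_under(raw, encoding):
    """Decode raw bytes strictly; None means the bytes are invalid for that encoding."""
    try:
        return codecs.decode(raw, encoding, "strict")
    except (UnicodeDecodeError, LookupError):
        return None


def candidate_encodings(raw, marker=GUILLEMETS):
    """Encodings under which the bytes decode cleanly AND every marker character appears.

    An encoding that decodes the bytes to mojibake (no guillemets) is excluded,
    which is the "displays as garbage text" case described in the comment.
    """
    hits = []
    for enc in CANDIDATE_ENCODINGS:
        text = render_under(raw, enc)
        if text is not None and all(ch in text for ch in marker):
            hits.append(enc)
    return hits


def marker_bytes(encoding, marker=GUILLEMETS):
    """Byte sequence the guillemets take in an encoding, or None if not representable."""
    try:
        return marker.encode(encoding)
    except (UnicodeEncodeError, LookupError):
        return None


if __name__ == "__main__":
    print("Candidate encodings:", candidate_encodings(NOTE_BYTES_EUC_KR))
    for enc in CANDIDATE_ENCODINGS:
        shown = render_under(NOTE_BYTES_EUC_KR, enc)
        print(f"{enc:10s} -> {shown[:70] if shown else '<invalid byte sequence>'}")
    # Compare how each CJK encoding stores the guillemets; identical byte
    # sequences mean the bytes alone cannot tell those encodings apart.
    for enc in ("euc_kr", "gbk", "euc_jp"):
        print(f"{enc:10s} guillemets as bytes: {marker_bytes(enc)}")
```

Running the script against a real file would only require replacing NOTE_BYTES_EUC_KR with the file's bytes read in binary mode.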
  57. The day it happened I posted about the school for hacking North Korea has, and that they operate out of a hotel in China. So when people say the Chinese could be behind it, that does not take North Korea out of the picture. Could the hack have been done by a disgruntled worker seeking money, who then sold the hack to North Korea, thus explaining why they went from demanding money to all about the movie? Yes. But that still doesn’t remove North Korea from the picture. The reason the net went out in North Korea is most likely North Korea. First off, their internet is controlled by China (I believe the company is called Unicorn). There has been no outage in China, and North Korea’s second internet for the party is still operating. So we didn’t do it. My guess is North Korea does not want the film being shown, etc., to be known by the public.

    Reply
  58. From the first second, it was absolutely obvious that North Korea wasn’t the culprit. The very fact mainstream media focused so much upon the accusations illustrates a rush to judgement, which means propaganda.. look for the immediate government actions, and look at the agenda woven behind it.. it’s clear this is another false flag event.. that said, I know from insiders that Sony was quite ruffled by this hack, it wasn’t their intent.. so we are witnessing a clash but it’s not from NK.. it’s something entirely beyond that.. personally I think it’s about restricting IP’s by force.. and this is the incident to force broader policing of the internet, and piracy sites.. it starts with good intent, maybe, and ends up making the internet less free. Corporate interests will benefit, the people will lose.

    Reply
  59. Finally…the evidence is starting to come out that this was an inside job. Not sure what took so long. Definitely makes the FBI look like n00bs. It will be fun to watch how the FBI responds given all the sabre-rattling that has occurred. Obama really stuck his foot in his mouth on this one. Way to go, prez. I have already popped some popcorn!

    https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/

    I think the most telling quote from the article is: “Rasch notes that the hackers also exhibited a somewhat sophisticated knowledge of how Hollywood works”. The hackers may have been sophisticated in planting clues to point to the DPRK, but not sophisticated enough to erase every trace of their inside knowledge of the industry. Unfortunately, for Hollywood outsiders, i.e. the FBI and the Obama admin, these clues are non-existent.

    Plus, only an insider would know exactly where the pressure points are in SPE to force them to cancel something like a movie release. A DPRK hack would have looked entirely different, i.e. more random. This was a very surgical hack and has pointed to an inside job from the very start.

    Reply


About Marc Rogers

Marc has been a hacker since the ’80s and has worked in the security industry for almost 20 years. Some of Marc’s professional highlights include a decade managing security in the operator Vodafone plc, and 5 years working as the CSO for a real estate and asset management conglomerate in South Korea. Known as “Cyberjunky”, “Cjunky” or just “CJ” in the hacker community, Marc is the Head of Security and part of the CFP review board for DEF CON, the world’s largest hacker conference. After spending more than 15 years wrangling hackers, criminals and spooks, Marc has seen it all. Sometimes several times at once. Professionally, Marc uses his skills as a whitehat hacker and security evangelist to bring a positive outlook on security to today’s global organizations. It’s this outlook that Marc used when he helped put together the award-winning BBC series “The Real Hustle”. Today Marc works as the Principal Security Researcher for Lookout Mobile Security.
