Interview-facebook

So the FBI has come out and said it. North Korea was behind the Sony hack. With some pretty strongly worded rhetoric, they lay out exactly why they feel confident enough to lay the blame for this criminal act at the doorstep of a foreign nation.  Finally, they express their deep concern about how these events unfolded, stating that these events pose “one of the gravest national security dangers to the United States”. Pretty strong stuff. World-cyber-war One here we come.

Let’s take a look at the evidence that led the FBI to this conclusion. (At least the evidence that they were willing to share publicly).

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

So what they are saying here is that the malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other “known” malware attacks. Specifically, they are referring to the similarities between the malware found during this attack – Destover, the malware found to be at the heart of the attack against the Saudi based Aramco in 2012 – Shamoon, and the malware found at the heart of the massive cyberattack which brought most of Seoul to its knees in 2013 – Dark Seoul.

Aside from the fact that all three of these were above average cyber attacks which used a piece of malware, what exactly are the links and similarities they are referring to?

First, let’s look at each of these other attacks –

Shamoon: Was modular Windows malware discovered in August 2012 by Seculert, targeting companies in the oil and energy sectors. In particular, Shamoon was found to have infected 30,000 the Saudi arm of the oil and gas giant “Aramco”. While many speculated that Shamoon was the work of a nation state, others were not convinced. Kaspersky in particular carried out an in-depth analysis of Shamoon later that year concluding that the malware was “quick and dirty” and that the code, written by amateurs, was riddled with silly mistakes.  Shamoon was attributed to a group known as “the Cutting Sword of Justice”.

DarkSeoul: On June 25 2013, Korea suffered a series of crippling cyber-attacks that coincided with the 63rd anniversary of the start of the Korean War. The attacks were carried out by multiple actors and ranged from DDoS attacks through to incursion by malware, later identified to be “DarkSeoul”. Analysis of the “DarkSeoul” samples showed that this group had been responsible for several other high profile attacks including the devastating “Jokra” attacks against South Korean Banks and Television Broadcasters, and numerous major attacks against companies in the Korean financial sector in May 2013. Symantec attributed the attacks to a group of South Korean hackers called the “DarkSeoul gang“. They did not believe that it was the work of North Korea but suggested it was possible that The “DarkSeoul Gang” was working to the benefit of North Korea or possibly even on their payroll.

So while North Korea has certainly been hinted at for each of these two hacks, the evidence is flimsy and speculative at best. So, what about the similarities? Well, ignoring the IP addresses, as we will discuss these later, these are the “links”.

From: http://securelist.com/blog/research/67985/destover/

  1. Just like Shamoon, the Destover wiper drivers are commercially available EldoS RawDisk drivers.
  2. Just like Shamoon, the Destover wiper drivers are maintained in the droppers’ resource section.
  3. Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record (MBR).
  4. Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of the attack. This means it is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.
  5. The Shamoon components were compiled in a similarly tight time-frame prior to their deployment. The CompiledOn timestamps all fall within five days of their executables’ detonation. Nearly all were compiled on Aug 10, 2012 (between 00:17:23 and 02:46:22) and set to detonate on Aug 15, 2012. That is a tight window to quietly deploy these binaries considering that tens of thousands of machines were destroyed with this payload.
  6. In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own.  All attempted to disappear following their act, and did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.
  7. Images from the DarkSeoul ‘Whois’ and Destover ‘GOP’ groups included a ‘Hacked by’ claim, accompanied by a “warning” and threats regarding stolen data.  Both threatened that this was only the beginning and that the group will be back. It appears that original skeletal artwork was also included in both.

While some of these similarities certainly strongly hint at a similar operation and a shared DNA between these pieces of malware, it is hardly a smoking gun. Furthermore, the strength of this particular line of analysis weakens when you consider just how much sharing happens in the malware world. Many of these pieces of malware use publicly available tools and libraries. Many of these pieces of malware are based on malware source code that has been sold/released/leaked and is therefore accessible and easy to use. Finally many of these pieces of malware are available for purchase. Indeed, the malware SaaS (software as a service) industry is booming – why write a complex piece of malware that requires specialist skills to write when it is likely to be deprecated as soon as the AntiVirus vendors record its signature. Malware SaaS operations sell wannabe malware hackers new, currently undetectable pieces of malware with a guarantee that, so long as the user pays a service charge, they will rebuild the malware to make it once again undetectable should it ever fall into the hands of the authorities.

While there is insufficient evidence to say that is what’s going on in the case of these three attacks and the malware at the heart of them, I see no effort to prove that it isn’t the case either. Lastly, it’s pretty weak in my books to claim that the newest piece of malware is the act of a nation state because other possible related pieces of malware were *rumored* to be the work of a nation state. Until someone comes up with solid evidence actually attributing one of these pieces of malware to North Korea I consider this evidence to be, at best, speculation.

  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.

The IP address is never what is interesting. It’s what’s running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.

For starters, hackers – at least the ones that want to stay out of jail – do NOT use their own machines or websites as staging points for operations. Instead, they hijack other vulnerable systems and route their traffic through them – and often many others – as a way to hide their origin. You know IP addresses such as those belonging to hotels in Thailand for examples.

My good friend Dr Krypt3ia has done some excellent analysis on this in his latest blog:

http://krypt3ia.wordpress.com/2014/12/20/fauxtribution/

In it, he looks at the IP addresses reference by the FBI and most importantly the systems behind them. Here is a summary of what he finds (though I urge you to go read his article in full).

  • 202.131.222.102 – Thailand
  • 217.96.33.164 – Poland
  • 88.53.215.64 – Italy
  • 200.87.126.116 – Bolivia
  • 58.185.154.99 – Singapore
  • 212.31.102.100 – Cyprus
  • 208.105.226.235 – USA

With the exception of the US address, which appears to belong to a company based in NY, all of these appear to be addresses of known proxys open to the public. If you check these IP addresses against any of the leading IP reputation services, such as SpamHaus or Project Honeypot, you find that in fact these addresses have been used for both spam and as Command and Control (C2) addresses for malware. No North Koreans: just common garden internet cybercriminals.

The only thing that clearly we can’t examine here is whether or not the FBI has some undisclosed signals intelligence from other agencies implicating these addresses in North Korean spying operations. However, even if that were the case, I would suggest that, because of the fact that these addresses are being used by common cybercriminals as part of their regular operations, even that evidence would be tainted to some extent

  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Wait, what? They are referencing the Shamoon and DarkSeoul attacks again! You can’t use the same piece of evidence as two separate pieces of evidence!

So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.

So where does that leave us? Well essentially it leaves us exactly where we were when we started. We don’t have any solid evidence that implicates North Korea, while at the same time we don’t have enough evidence to rule North Korea out. However, when you take into consideration the fact that the attackers, GOP, have now released a message saying that Sony can show “the Interview” after all, I find myself returning to my earlier instincts – this is the work of someone or someones with a grudge against Sony and the whole “Interview” angle was just a mixture of opportunity and “lulz”.

I am no fan of the North Korean regime. However I believe that calling out a foreign nation over a cybercrime of this magnitude – something serious enough to go to war over – should not be taken lightly. The evidence used to attribute a nation state in such a case should be solid enough that it would be both admissible and effective in a court of law. As it stands, I do not believe we are anywhere close to meeting that standard.

Join the conversation! 19 Comments

  1. You seem to be one of the very few analysts providing a comprehensive analysis of the attack instead of jumping in the “new axis of evil” wagon. In my opinion, the biggest threat about this accusation comes not from North Korea’s response, but from those who cracked into Sony, took whatever they wanted and left without any consequence. We can expect hundreds of these attacks with our “very capable” authorities.

    Reply
    • One angle which I think is particularly interesting yet have seen absent in the collective analysis is the concept of ‘Force Majeure’ (http://en.wikipedia.org/wiki/Force_majeure) .. a clause commonly written into contracts which shields parties from liabilities and obligations in the case of extraordinary circumstances such as “acts of war”.

      What’s the cumulative net liability to Sony after all is said and done if the official story is determined to be ‘act of war’ vs simply ‘disgruntled employee’? I think it’s an interesting question and one I’d like to see explored more.

      Reply
      • Yes, that small yet all-encompassing phrase “force majeure”…or “act of God”…which, of course, if you were an agnostic, you could argue that since you don’t subscribe to that belief structure, the clause is invalid…? Anyway, it’s a neat little paragraph that just means, “Hey, you can’t file a claim against us for any weird stuff we can’t explain…” and there’s an increasing amount of things that would fit that bill.

  2. When explained, the put forward evidence does sound quite flimsy. Maybe the FBI are lulling the true perpetrators into a false sense of security and letting their guard down.

    Reply
  3. Why aren’t FBI and Interpol cracking down on the Malware SaaS industry? That’s what Obama should be announcing: a campaign to go after them.

    If these hackers are clumsy, what about the better trained ones like say the Chinese or Russians. A small US or European company wouldn’t even know what hit them.

    Reply
  4. I agree on all counts – there’s not enough to finger N Korea, it’s pretty dumb to pick on someone who may not even be involved, and the rhetoric coming from our government is troubling.

    I am also no fan of the baby-fat-faced maniac, but who in their right mind makes a movie about killing a sitting head of state? They did that to Bush years ago, but those doofs were not in their right minds.

    And finally, I find it hard to believe that we can’t find out who did this. Why doesn’t Anonymous grow a set and find out – or are they not good enough?

    Reply
    • If Anonymous decided to truly track the hackers and locate the real deal, it would forever change the layman’s perception of the group. It would give them quite a global voice.

      This is a massive story that fits their politics. Seek the truth, no matter where it leads.

      Reply
  5. Look, I get the intention of this stuff and I am as big a fan of critical thinking as the next person and it’s important to stay alert and aware of what is going on in the government on multiple levels. It’s a confusing time and what happened was terrible and everyone is being respective combinations of unforgivable and tactless. Whether or not it was North Korea, the issue needs to remain about cyber terrorism at it needs to stay clear and articles like this are borderline irresponsible. I get that you’re confused and I am by no means pleased or supportive of the sketchy selfish madness America exhibits and engages, but it was North Korea. It was. Your supposed strongest point about the IP addresses was pretty weak. It’s a level of investigation that feels shallow and ends shallow. It’s like those sketchy documentaries that clip interviews of famous scientists to make it look like they’re global warming deniers or something. It’s just a lot of mental dancing that gets you further from a complete idea and further into paranoid conjecture. I mean at one point you even pull the whole “but they didn’t try to prove it WASN’T them.” I hope I don’t have to point out why that is rhetorically insane when it comes to trying to prove a point. If they had all the info they needed they aren’t going to waste time transparently proving that to a nation of loud paranoid people while revealing their security systems. Nobody wins.

    Reply
    • Really? You KNOW it was NOrth Korea based on…what? You seem awfully certain of something that I’m sure you have basically ZERO evidence to support. At least the author laid out reasonable arguments to his conclusions and never at any point asserts that he KNOWS for sure who did or did not do it.

      Reply
    • Occam’s Razor, friend. The hackers don’t talk like North Koreans. They talk like they are having a laugh.

      Reply
    • That was a fairly well done try at casting doubt on Mr. Rogers’ competent reporting. The attempt to tie his story into the ‘climate deniers’ was an especially nice touch in its appeal to the generally liberal bent of this blog’s readers. Still transparent though. Shill somewhere else.

      Reply
  6. Excellent work. This piece makes sense – whereas just about no other report I’ve read really does. And you’ve shown just how inadequate the work of technically-naive reporters can be, in the case of a story like this. The white-collar crime beat, after all, is covered by people capable of parsing the structures, means, etc under consideration; so why are cybercrime stories (there is some overlap with white-collar crime, of course) glossed by English majors?

    Reply
  7. We need to bring the discussion of this hack back to earth. Sonehow I’m thinking that North Korea’s Bureau 21 probably wasn’t all into goofing around with “God’sApstls,” the GOP [!], Salted Hash, and the Stephen King of children’s books. I’m going with Marc Rogers in thinking that the whole Interview/North Korea meme is best understood as a “lulzy” Red Herring—or, more appropriately in the context, a McGuffin.

    See: Goosebumps: A Scary Sony Story

    Reply
  8. One point that people are missing is how close Sony and the State Department were on this movie. It was the State Department that convinced Sony to leave in the actual death scene. Sony even screened a rough cut version of the movie for the State Department. Sony’s CEO sits on the board of the Rand Corporation, whose associate Bruce Bennett, a known hawk on North Korea, argued for the assassination scene and consulted on the movie. Sony’s CIO used to work for the DoD.

    All of this is beginning to trigger my “false flag” Spidey-sense. While it seems unlikely that Sony would finance a movie solely for the purpose of pulling it (and they now say they haven’t, just “delayed release”), once Sony was seriously hacked and went into panic mode, it seems clear that the FBI jumped on the North Korea connection on its own and then convinced Sony execs to go along with it because a “state-sponsered terrorist attack” would absole them of responsibility for their lousy security. It would also provide an impetus to get Congress to pass the stalled Cybersecurity bill. It would also give Obama a chance to ratchet up tensions with North Korea – and since Russia, the current “Big Bad” for Obama after Putin outmaneuvered him on the Syrian chemical attacks, has begun re-activating its connection with North Korea, this would also give Obama a chance to tie Russia to a state accused of “terrorism”.

    I suspect that the original hackers were some “lulz” sort of group, possibly including Sony insiders, motivated by dislike of Sony for various reasons. But once the FBI and Sony began talking up North Korea, the group jumped on it as a way to divert suspicion from them. It’s even possible that they were the ones who DDoS’d North Korea’s Internet on Monday.

    There’s a lot more to this story, I suspect, than just the hack.

    Reply
    • Ah just realized this came from the king of specious journalism’s site.

      Ignore the article. The images are compelling enough.

      Reply
  9. Reblogged this on Soldato Kowalsky and commented:
    Dubbi sull’attacco hacker che sarebbe stato portato dalla Corea del Nord alla Sony.
    Certo, dare la colpa alla Corea del Nord fa comodo a tutti.
    Fa comodo agli USA, per i motivi evidenti.
    Fa comodo alla Corea del Sud che può continuare a mantenere l’attenzione internazionale sul pittoresco governo di Pyongyang, e continuare a mettere fuori legge i partiti d’opposizione e in galera i sindacalisti senza che nessuno fiati.
    Fa comodo alla Sony che è stata più volte vittima di attacchi hacker e, buttandola sul “terrorismo di stato nordcoreano” eviterebbe di finire ancora una volta in tribunale con chi (dipendenti, clienti etc etc) è stato danneggiato dall’attacco.

    Reply
  10. Um the person who you are hinting at with the “lulz” comment is not really the type to hack Sony and do damage. He is more or less the kind of guy that wants things to be free and open. I’d say he’s whitehat, these freaks who hacked Sony are government paid hackers, probably from eastern europe. The asian folk are more interested in leaving backdoors than harassing people.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Marc Rogers

Marc has been a hacker since the 80's and has worked in the security industry for almost 20 years. Some of Marc's professional highlights include a decade managing security in the operator Vodafone plc, and 5 years as working as the CSO for a real estate and asset management conglomerate in South Korea. Known as "Cyberjunky", "Cjunky" or just "CJ" in the hacker community Marc is the Head of Security and part of the CFP review board for DEF CON, the worlds largest hacker conference. After spending more than 15 years wrangling hackers, criminals and spooks Marc has seen it all. Sometimes several times at once. Professionally Marc uses his skills as a whitehat hacker and security evangelist to bring a positive outlook on security to today's global organizations. It's this outlook that Marc used when he helped put together the award winning BBC series "The Real Hustle". Today Marc works as the Principal Security Researcher for Lookout Mobile Security.

Category

Uncategorized