Why attribution of North Korea in the Sony case worries me.


Attribution is hard. Out of all the digital forensic disciplines, it is probably the hardest.

Digital forensics is nothing like what you see on TV – on so-called cyber-CSI shows, the investigator types in a few magical keystrokes and evidence comes flooding out of the completely unlocked computer. A few more keystrokes and a magical graphical app “backtraces” the perp all the way to his house switching on his webcam and locking his bedroom door.

The reality is far less sexy.

In the real world, attribution involves sifting through gigabytes of assorted data through hundreds, even thousands, of machines. Each one, a scene of crime in its own right. To make it even more challenging, this is often being done in an environment that is as permanent as footprints on a sandy beach just before the tide comes in. Every fragment of data could be something that tells you who was behind the crime, or it could be a red herring – something that has nothing to do with the crime, or even worse something put there to misdirect or sabotage the investigation.

Attribution is part science, part detective work and is most definitely an art form. Some folks are really good at it, while others just aren’t cut out.  What all the people who are great at it have in common, however, is patience. Attribution is slow, often frustrating, work with many false starts and lots of rabbit holes to get lost down. Sometimes attribution can be accelerated using intelligence, however, when this happens it is important not to confuse the two.

Intelligence is not evidence. Intelligence is collected to a different set of standards to evidence and with a completely different aim in mind.

  • Evidence is collected in a way that meets accepted international standards and is gathered with a specific minimum volume in mind so as to meet acceptable burdens of proof – “a preponderance of evidence”, “probable cause”, “beyond a reasonable doubt”.
  • Intelligence on the other hand is collected in a way that protects the intelligence, its sources and operatives or analysts from exposure or counterattack while aiming to meet the standard of “being actionable”. A lot of intelligence would at best be considered hearsay in court.

However these differences are fine – they are tools for different jobs. CSIs generally don’t have to worry about being assassinated if they get it wrong. Intelligence operatives, on the other hand, face that risk all the time. The problem comes when we mix the two, especially when you are talking to an audience that doesn’t realize the potential differences.

Intelligence that isn’t backed up by hard evidence can also lead to terrible mistakes.

It is clear that there are many folks who have an agenda when it comes to the Sony investigation. We need to make sure that these agendas don’t get in the way of carrying out a thorough and complete investigation. Likewise, we need to be really careful that those agendas don’t damage our intelligence sources, as, let’s face it, if you were really serious about protecting that intelligence, you wouldn’t hint about it in public communications.

I hope that despite the early conclusion of North Korean guilt, we keep investigating this cybercrime.  Right now the “evidence” that has been presented doesn’t give us enough information to make any real conclusions – we can’t rule out North Korean involvement at any stage of the hack, but neither can we conclude that they were behind it. Hopefully with time, more evidence will be brought to light that enables an accurate attribution of whoever carried it out.

This article published by Bruce Berkowitz in 2003 in the Washington Post covers many of my concerns – http://www.rand.org/blog/2003/02/the-big-difference-between-intelligence-and-evidence.html

Why I *still* don't think it's likely that North Korea hacked Sony.


So the FBI has come out and said it. North Korea was behind the Sony hack. With some pretty strongly worded rhetoric, they lay out exactly why they feel confident enough to lay the blame for this criminal act at the doorstep of a foreign nation.  Finally, they express their deep concern about how these events unfolded, stating that these events pose “one of the gravest national security dangers to the United States”. Pretty strong stuff. World-cyber-war One here we come.

Let’s take a look at the evidence that led the FBI to this conclusion. (At least the evidence that they were willing to share publicly).

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

So what they are saying here is that the malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other “known” malware attacks. Specifically, they are referring to the similarities between the malware found during this attack – Destover, the malware found to be at the heart of the attack against the Saudi-based Aramco in 2012 – Shamoon, and the malware found at the heart of the massive cyberattack which brought most of Seoul to its knees in 2013 – Dark Seoul.

Aside from the fact that all three of these were above average cyber attacks which used a piece of malware, what exactly are the links and similarities they are referring to?

First, let’s look at each of these other attacks –

Shamoon: Was modular Windows malware discovered in August 2012 by Seculert, targeting companies in the oil and energy sectors. In particular, Shamoon was found to have infected 30,000 machines at the Saudi arm of the oil and gas giant “Aramco”. While many speculated that Shamoon was the work of a nation state, others were not convinced. Kaspersky in particular carried out an in-depth analysis of Shamoon later that year concluding that the malware was “quick and dirty” and that the code, written by amateurs, was riddled with silly mistakes. Shamoon was attributed to a group known as “the Cutting Sword of Justice”.

DarkSeoul: On June 25 2013, Korea suffered a series of crippling cyber-attacks that coincided with the 63rd anniversary of the start of the Korean War. The attacks were carried out by multiple actors and ranged from DDoS attacks through to incursion by malware, later identified to be “DarkSeoul”. Analysis of the “DarkSeoul” samples showed that this group had been responsible for several other high profile attacks including the devastating “Jokra” attacks against South Korean Banks and Television Broadcasters, and numerous major attacks against companies in the Korean financial sector in May 2013. Symantec attributed the attacks to a group of South Korean hackers called the “DarkSeoul gang”. They did not believe that it was the work of North Korea but suggested it was possible that the “DarkSeoul Gang” was working to the benefit of North Korea or possibly even on their payroll.

So while North Korea has certainly been hinted at for each of these two hacks, the evidence is flimsy and speculative at best. So, what about the similarities? Well, ignoring the IP addresses, as we will discuss these later, these are the “links”.

From: http://securelist.com/blog/research/67985/destover/

  1. Just like Shamoon, the Destover wiper drivers are commercially available EldoS RawDisk drivers.
  2. Just like Shamoon, the Destover wiper drivers are maintained in the droppers’ resource section.
  3. Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record (MBR).
  4. Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of the attack. This means it is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.
  5. The Shamoon components were compiled in a similarly tight time-frame prior to their deployment. The CompiledOn timestamps all fall within five days of their executables’ detonation. Nearly all were compiled on Aug 10, 2012 (between 00:17:23 and 02:46:22) and set to detonate on Aug 15, 2012. That is a tight window to quietly deploy these binaries considering that tens of thousands of machines were destroyed with this payload.
  6. In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own.  All attempted to disappear following their act, and did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.
  7. Images from the DarkSeoul ‘Whois’ and Destover ‘GOP’ groups included a ‘Hacked by’ claim, accompanied by a “warning” and threats regarding stolen data.  Both threatened that this was only the beginning and that the group will be back. It appears that original skeletal artwork was also included in both.

While some of these similarities certainly strongly hint at a similar operation and a shared DNA between these pieces of malware, it is hardly a smoking gun. Furthermore, the strength of this particular line of analysis weakens when you consider just how much sharing happens in the malware world. Many of these pieces of malware use publicly available tools and libraries. Many of these pieces of malware are based on malware source code that has been sold/released/leaked and is therefore accessible and easy to use. Finally many of these pieces of malware are available for purchase. Indeed, the malware SaaS (software as a service) industry is booming – why write a complex piece of malware that requires specialist skills to write when it is likely to be deprecated as soon as the AntiVirus vendors record its signature. Malware SaaS operations sell wannabe malware hackers new, currently undetectable pieces of malware with a guarantee that, so long as the user pays a service charge, they will rebuild the malware to make it once again undetectable should it ever fall into the hands of the authorities.

While there is insufficient evidence to say that is what’s going on in the case of these three attacks and the malware at the heart of them, I see no effort to prove that it isn’t the case either. Lastly, it’s pretty weak in my books to claim that the newest piece of malware is the act of a nation state because other possible related pieces of malware were *rumored* to be the work of a nation state. Until someone comes up with solid evidence actually attributing one of these pieces of malware to North Korea I consider this evidence to be, at best, speculation.
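Items 4 and 5 of the Securelist list rest on one concrete artifact: the COFF `TimeDateStamp` (the "CompiledOn" value) in each wiper's PE header, and how close it sits to the day the payload detonated. The script below, which is an added example and not code from the original post or from Securelist, reads that field with nothing but the standard library and measures the gap to a detonation date. The PE bytes it parses are a constructed minimal header (just a DOS stub, the `PE\0\0` signature and a COFF header, not a real sample), and the dates are the Aug 10 / Aug 15, 2012 values quoted in item 5. The same field is a plain 32-bit integer written by whoever ran the linker, which is why the post treats build-environment artifacts such as timestamps and locale as weak evidence on their own.

```python
"""Extract the CompiledOn (COFF TimeDateStamp) of a PE file and compare it with a
detonation date, as in the Shamoon / DarkSeoul / Destover timeline discussion.

Added example; the PE header below is constructed, not a real malware sample.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct the smallest header layout the parser needs (constructed test input).

    Layout: 64-byte DOS header whose e_lfanew (offset 60) points straight at the
    PE signature, followed by a 20-byte COFF file header.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE header starts at offset 64
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


def compiled_on(pe: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime.

    The field is the third COFF member, 8 bytes past the PE signature
    (4 bytes signature + 2 bytes Machine + 2 bytes NumberOfSections).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 60)
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def hours_before_detonation(pe: bytes, detonation: datetime) -> float:
    """Hours between the recorded build time and the detonation time (negative = built after)."""
    return (detonation - compiled_on(pe)).total_seconds() / 3600.0


def built_in_tight_window(pe: bytes, detonation: datetime, max_hours: float = 48.0) -> bool:
    """True when the stamp falls between max_hours before detonation and detonation itself,
    i.e. the '48 hours prior to the attack' pattern described for Destover and DarkSeoul.
    Note: the stamp is attacker-controlled, so this is a hint about tempo, not proof."""
    gap = hours_before_detonation(pe, detonation)
    return 0.0 <= gap <= max_hours


# Constructed sample using the CompiledOn / detonation dates quoted for Shamoon (item 5).
SHAMOON_BUILD = datetime(2012, 8, 10, 0, 17, 23, tzinfo=timezone.utc)
SHAMOON_DETONATION = datetime(2012, 8, 15, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_PE = build_minimal_pe(int(SHAMOON_BUILD.timestamp()))

if __name__ == "__main__":
    print("CompiledOn:", compiled_on(SAMPLE_PE).isoformat())
    print("Hours before detonation: %.2f" % hours_before_detonation(SAMPLE_PE, SHAMOON_DETONATION))
    print("Within 48h window:", built_in_tight_window(SAMPLE_PE, SHAMOON_DETONATION))
    print("Within 5-day window:", built_in_tight_window(SAMPLE_PE, SHAMOON_DETONATION, 120))
```

Run it on a real binary by replacing `SAMPLE_PE` with `open(path, "rb").read()`; nothing past the COFF header is needed. The useful reading of the result is the one the post gives: a build stamp a day or two before detonation says something about how the operation was staged, and nothing about who staged it.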

  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.

The IP address is never what is interesting. It’s what’s running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.

For starters, hackers – at least the ones that want to stay out of jail – do NOT use their own machines or websites as staging points for operations. Instead, they hijack other vulnerable systems and route their traffic through them – and often many others – as a way to hide their origin. You know, IP addresses such as those belonging to hotels in Thailand, for example.

My good friend Dr Krypt3ia has done some excellent analysis on this in his latest blog:


In it, he looks at the IP addresses reference by the FBI and most importantly the systems behind them. Here is a summary of what he finds (though I urge you to go read his article in full).

  • – Thailand
  • – Poland
  • – Italy
  • – Bolivia
  • – Singapore
  • – Cyprus
  • – USA

With the exception of the US address, which appears to belong to a company based in NY, all of these appear to be addresses of known proxies open to the public. If you check these IP addresses against any of the leading IP reputation services, such as SpamHaus or Project Honeypot, you find that in fact these addresses have been used for both spam and as Command and Control (C2) addresses for malware. No North Koreans: just common or garden internet cybercriminals.

The only thing that clearly we can’t examine here is whether or not the FBI has some undisclosed signals intelligence from other agencies implicating these addresses in North Korean spying operations. However, even if that were the case, I would suggest that, because of the fact that these addresses are being used by common cybercriminals as part of their regular operations, even that evidence would be tainted to some extent.
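The reputation check the post describes is a DNSBL lookup: reverse the octets of the address, append the list's zone, and read the listing category out of the 127.0.0.x answer. The script below is an added example (not the post's code, and not affiliated with Spamhaus) that builds the query name for the public Spamhaus ZEN zone and decodes its documented return codes. The resolver is injectable, so the run here uses a constructed answer table with TEST-NET addresses (203.0.113.x, 198.51.100.x) rather than the real addresses from the FBI notice; `live_resolver` does the same query over real DNS when you want to check an address yourself.

```python
"""DNSBL reputation lookup for an IPv4 address against Spamhaus ZEN.

Added example, not code from the original post. The answer table used at the bottom
is constructed for demonstration; the return-code meanings are Spamhaus's published ones.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZEN_ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer -> which ZEN component listed the address.
ZEN_CODES: Dict[int, str] = {
    2: "SBL (spam source / spam operation)",
    3: "SBL CSS (snowshoe / compromised sender)",
    4: "XBL (exploited host: open proxy, bot, malware C2 relay)",
    5: "XBL (exploited host: open proxy, bot, malware C2 relay)",
    6: "XBL (exploited host: open proxy, bot, malware C2 relay)",
    7: "XBL (exploited host: open proxy, bot, malware C2 relay)",
    9: "SBL DROP/EDROP (hijacked or dedicated criminal netblock)",
    10: "PBL (dynamic / end-user space, ISP maintained)",
    11: "PBL (dynamic / end-user space, Spamhaus maintained)",
}

Resolver = Callable[[str], List[str]]


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """1.2.3.4 -> 4.3.2.1.zen.spamhaus.org (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)          # raises on anything that is not IPv4
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def decode_zen(answers: List[str]) -> List[str]:
    """Map DNSBL A-record answers to human-readable listing categories."""
    categories = set()
    for answer in answers:
        octets = answer.split(".")
        if octets[:3] != ["127", "0", "0"]:
            # 127.255.255.x answers are query errors (e.g. blocked public resolver), not listings
            categories.add("unexpected answer %s (query error?)" % answer)
            continue
        categories.add(ZEN_CODES.get(int(octets[3]), "unknown ZEN code %s" % octets[3]))
    return sorted(categories)


def reputation(ip: str, resolver: Resolver) -> dict:
    """Look up one address and return its listing status and categories."""
    answers = resolver(dnsbl_name(ip))
    return {"ip": ip, "listed": bool(answers), "categories": decode_zen(answers)}


def live_resolver(name: str) -> List[str]:
    """Query the real DNS. Spamhaus refuses queries relayed via large public resolvers,
    so run this from a resolver that is not one of those."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []                              # NXDOMAIN: not listed


# Constructed answer table standing in for live DNS (addresses are documentation ranges).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    dnsbl_name("203.0.113.7"): ["127.0.0.4", "127.0.0.2"],   # exploited host that also spammed
    dnsbl_name("203.0.113.8"): ["127.0.0.10"],                # dynamic end-user space
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.9"):
        print(reputation(ip, constructed_resolver))
```

An XBL hit is exactly the signal the post points at: the address is a compromised machine or open proxy that anyone can relay through, so seeing it in two operations says the operations shared a pool of abused infrastructure, not that they shared an operator.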

  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Wait, what? They are referencing the Shamoon and DarkSeoul attacks again! You can’t use the same piece of evidence as two separate pieces of evidence!

So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.

So where does that leave us? Well essentially it leaves us exactly where we were when we started. We don’t have any solid evidence that implicates North Korea, while at the same time we don’t have enough evidence to rule North Korea out. However, when you take into consideration the fact that the attackers, GOP, have now released a message saying that Sony can show “the Interview” after all, I find myself returning to my earlier instincts – this is the work of someone or someones with a grudge against Sony and the whole “Interview” angle was just a mixture of opportunity and “lulz”.

I am no fan of the North Korean regime. However I believe that calling out a foreign nation over a cybercrime of this magnitude – something serious enough to go to war over – should not be taken lightly. The evidence used to attribute a nation state in such a case should be solid enough that it would be both admissible and effective in a court of law. As it stands, I do not believe we are anywhere close to meeting that standard.

Why the Sony hack is unlikely to be the work of North Korea.

GOP Image
Everyone seems to be eager to pin the blame for the Sony hack on North Korea. However, I think it’s unlikely. Here’s why:

1. The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”, i.e. it reads to me like an English speaker pretending to be bad at writing English.

2. The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible.

See here – http://www.nytimes.com/2006/08/30/world/asia/30iht-dialect.2644361.html?_r=0

here – http://www.nknews.org/2014/08/north-korean-dialect-as-a-soviet-russian-translation/

and here – http://www.voanews.com/content/a-13-2009-03-16-voa49-68727402/409810.html

This change in language is also most pronounced when it comes to special words, such as technical terms. That’s possibly because in South Korea, many of these terms are “borrowed” from other languages, including English. For example, the Korean word for “Helicopter” is: 헬리콥터 or hellikobteo. The North Koreans, on the other hand, use a literal translation of “vehicle that goes straight up after takeoff”. This is because such borrowed words are discouraged, if not outright forbidden, in North Korea – http://pinyin.info/news/2005/ban-loan-words-says-north-korea/

Let’s not forget also that it is *trivial* to change the language/locale of a computer before compiling code on it.

3. It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tack that this started out as.

4. Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down. Just think what they could have done with passwords to all of Sony’s financial accounts? With the competitive intelligence in their business documents? From simple theft, to the sale of intellectual property, or even extortion – the attackers had many ways to become rich. Yet, instead, they chose to dump the data, rendering it useless. Likewise, I find it hard to believe that a “Nation State” which lives by propaganda would be so willing to just throw away such an unprecedented level of access to the beating heart of Hollywood itself.

5. The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK “might be linked” that suddenly it became linked. I think the attackers both saw this as an opportunity for “lulz” and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die.

Wired has just covered this exact point – http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/

6. Whoever is doing this is VERY net and social media savvy. That, and the sophistication of the operation, do not match with the profile of DPRK up until now.

Grugq did an excellent analysis of this aspect; his findings are here – http://0paste.com/6875#md

7. Finally, blaming North Korea is the easy way out for a number of folks, including the security vendors and Sony management who are under the microscope for this. Let’s face it – most of today’s so-called “cutting edge” security defenses are either so specific, or so brittle, that they really don’t offer much meaningful protection against a sophisticated attacker or group of attackers. That doesn’t mean that we should let them off and give up every time someone plays the “APT” or “Sophisticated Attacker” card though. This is a significant area of weakness in the security industry – the truth is we are TERRIBLE at protecting against bespoke, unique attacks, let alone true zero days. There is some promising technology out there, but it’s clear that it just isn’t ready yet.

While we are on the subject, and ignoring the inability of traditional AntiVirus to detect bespoke malware, just how did whatever Data Loss Prevention (DLP) solution that Sony uses miss terabytes of data flying out of their network? How did their sophisticated on-premise perimeter security appliances miss such huge anomalies in network traffic, machine usage or host relationships? How did they miss Sony’s own edge being hijacked and used as public bittorrent servers aiding the exfiltration of their data?

8. It probably also suits a number of political agendas to have something that justifies sabre-rattling at North Korea, which is why I’m not that surprised to see politicians starting to point their fingers at the DPRK also.

9. It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. From plaintext password files, to using “password” as the password in business critical certificates, through to just the sheer volume of aging unclassified yet highly sensitive data left out in the open. This isn’t a simple slip-up or a “weak link in the chain” – this is a serious organization-wide failure to implement anything like a reasonable security architecture.

The reality is, as things stand, Sony has little choice but to burn everything down and start again. Every password, every key, every certificate is tainted now and that’s a terrifying place for an organization to find itself. This hack should be used as the definitive lesson in why security matters and just how bad things can get if you don’t take it seriously.

10. Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.

EDIT: This appears (at least in part) to be substantiated by a conversation the Verge had with one of the alleged hackers – http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in

Finally for an EXCELLENT blow by blow analysis of the breach and the events that followed, read the following post by my friends from Risk Based Security – https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack

EDIT: Also make sure you read my good friend Krypt3ia’s post on the hack – http://krypt3ia.wordpress.com/2014/12/18/sony-hack-winners-and-losers/