So a bunch of things have come out in the last week that honestly make further discussion about attribution pointless. Once again, we are dealing with things said at conferences or deliberately leaked to the media, but given the sources, we have to at least take them somewhat seriously.
North Korean Signals Intelligence (SIGINT)
This was always a “wildcard” that couldn’t be discounted. Given what we know of the NSA and PRISM, it’s hardly surprising to hear that their sensors were “in the right place at the right time” to record some or all of the Sony hack. So what exactly did they collect? Allegedly, they saw phishing emails sent from North Korea to Sony sometime in September. Furthermore, in retrospect, they determined that those emails had been successful in compromising the credentials of at least one admin.
It seems pretty solid. There are some things about this that trouble me, however.
- The first is that we are hearing this in the form of bits and pieces of leaked information, passed directly to the media. This seems an unusual strategy for the NSA or the FBI – especially the NSA who have nothing to gain (and everything to lose) from leaking details about classified intelligence operations. Especially now that the White House has accepted their conclusion and taken punitive action. Just who exactly are they trying to convince? Until I hear this from a reliable source who can answer a few technical questions, I am going to continue to be politely skeptical.
- The second is that they are saying they have evidence of North Korea hacking Sony based on intelligence they collected from hacking hacked North Korean systems. These North Korean systems were already owned, most likely, by South Korea, and in most cases already had “implants” which were vulnerable enough that the NSA could either hijack them or share their usage with the original group that planted them. That doesn’t inspire me with a lot of confidence. Who is to say that whoever hacked these North Korean systems in the first place wasn’t messing with them? Who is to say that some other third party came along and also compromised these already compromised North Korean systems?
- Without accurate identification of the Sony hack vector, it is impossible to know for sure what role these connections played in the Sony hack. Maybe they started it. Maybe someone else started it and they followed in their footsteps. Maybe someone else did it and is quietly chuckling to themselves at now naive we all are.
- Finally, are we seriously punishing the North Koreans for hacking our infrastructure based on intelligence we gained from hacking their infrastructure? This does not feel like a righteous position to find ourselves in.
Facebook Connections
This is perhaps the first piece of reasonably solid evidence in the whole affair. Speaking to the press at the International Conference for Cyber Security, Director Comey alleged that while they were logging into Sony’s infrastructure, the attackers slipped up and connected to Sony’s systems directly. Then, while exposed like this, they logged into the GOP Facebook page. This allowed both Sony and Facebook to record their IP address information.
This is the sort of evidence that solid attribution cases are built upon.
However, it’s still possible to knock a few holes into this. For example, without the accurate understanding of the vector, we don’t know if they started this, or if they took over where someone else left off. We also don’t know whether this whole thing was a deliberate decoy. Without knowing what he meant by “North Korean IPs,” it is also impossible to understand how solid this evidence is. For example, if the IPs come from a North Korean machine owned by the South Koreans, the NSA, and the Chinese, my skepticism remains. It’s hard to say that anything coming from a machine that’s been “hacked to pieces” by multiple parties can definitively be attributed to anyone.
So that’s where we are. In my eyes, the preponderance of evidence definitely suggests North Korean involvement or someone trying very hard to make it look like North Korean involvement. However, I remain far from convinced that the North Koreans started this or, indeed, that they played a significant role in this. If only the NSA or FBI would invite me to look over their SIGINT and the non public evidence collected in the case… 🙂
Marc's Security Ramblings 
Well said.
The Facebook slip-up does seem a little far-fetched. Everyone knows it’s being tracked by governments along with other social media.
The FBI/NSA have come back with their latest on the similarity of code fragments for the disk wiping malware. In it, they focus strictly on the similarity of the code which attempts to build a list of the targeted systems and files yet confess the actual disk wiping code differs and is considerably more advanced in the Sony malware.