Sony hackers may be authors of a masterfully staged attack

Jan 11, 2015 22:11 GMT

The Sony hack from November 2014 has sparked a lot of discussion and generated different opinions regarding the authors and their true motive.

The official stance is that North Korea did it and that the reason was to stop the comedy “The Interview” from being released by the studio. FBI director James Comey expressed full confidence that the bureau’s investigation got it right and that Pyongyang orchestrated the attack.

The movie did reach cinemas, though, as initially scheduled, on Christmas Day; it was also distributed via online services from Google (Play, YouTube) and Microsoft (Xbox Video). So if this was the attackers’ plan, they failed miserably.

Link to North Korea

The hackers used the name “Guardians of Peace” in all the emails sent to Sony Pictures Entertainment in which they demanded that the movie not be released. North Korea had already expressed the same wish, months before the last stage of the attack was carried out.

Moreover, security experts who investigated samples of the malware used on Sony’s computers discovered that Korean-language resources had been used in its creation. On top of this, the modus operandi was similar to that of an earlier attack on South Korea, believed to have been executed by the North.

Basically, everything pointed to the conclusion that was so quickly embraced by the FBI and made public on December 19: a North Korean threat actor was responsible.

Perps used a different name early on, asked for money

Things are not as simple as this, though, or at least they appear to be more complex. In communication before the attack, on November 24, the hackers used a different name: God'sApstls.

The email was sent to Sony Pictures Entertainment (SPE) executives, CEO Michael Lynton and co-chairwoman Amy Pascal among them.

They were informed that highly sensitive internal data had been exfiltrated from the company's network and that it would be leaked unless certain demands were met. Sony bosses did not give in, so confidential corporate information reached the public domain.

The hackers' initial demands had nothing to do with the movie: they told SPE that they wanted monetary compensation in exchange for not leaking the data. The email was discovered in one of the data dumps published by the attackers.

Hackers made a rookie mistake

Recently, FBI Director James Comey announced that the bureau had solid information that the incident was caused by North Korea, saying that on multiple occasions the hackers failed to hide their IP addresses.

“Several times, either because they forgot or they had a technical problem, they connected directly—and we could see them,” he said at the International Conference on Cyber Security (ICCS) in New York, at Fordham University. “They shut it off very quickly before they realized their mistake, but not before we saw it and knew where it was coming from,” he added.

Intelligence received from the NSA told the FBI that the IP addresses used in the Sony hack malware communication were used exclusively by North Korea. The addresses have not been released by the agency.

Identifying culprits is not easy

Attributing a sophisticated attack is hard, specifically because communication between the command-and-control server and the malware that compromised the victim’s computer is routed through several intermediate connections to prevent tracing it back to the author.

Hiding the IP address is a basic rule in a cyber-attack, and it can be achieved by routing the connection through proxies or by relying on compromised devices. Connecting directly from the real IP address would mean either that skilled individuals made a rookie mistake, that they fell victim to a technical issue, or that they had compromised the systems behind those addresses and leaked the IP on purpose, to throw investigators off track.

Catalin Cosoi, Chief Security Strategist at Bitdefender, told us via email that the Sony hack “demonstrates not only skill, but also careful planning and execution. Whether this was a team of skilled hackers or a state-sponsored attack, it’s certain that experts orchestrated this.”

“The volatile information left behind the attack makes it extremely difficult to accurately and indisputably identify attackers, as the information left behind could have been spoofed, distorted or deliberately planted, by sufficiently skilled attackers.”

FBI's conclusion may be right

On the other hand, government agencies have far more visibility into traffic flows than private security companies. Cosoi added that the official inquiry likely takes into account the attackers’ ability to hide their tracks, and that every possible avenue pointing to the real aggressors is being pursued.

Whether or not the FBI got the identity of the perpetrator right, the monetary demand initially made by the hackers remains unexplained. If extortion was the real motive for the attack, following the money trail could open a new avenue for identifying the attackers.

Trying to stop the release of “The Interview” is still believed to be the goal of the attack, but the comedy played in cinemas according to schedule and no new Sony leaks have appeared since.

Absent more information from the FBI, part of the security community will continue to regard the agency’s conclusion with skepticism.