FBI briefed on alternate Sony hack theory
FBI agents investigating the Sony
Pictures hack were briefed Monday by a security firm that says its research
points to laid-off Sony staff, not North Korea, as the perpetrator — another
example of the continuing whodunit blame game around the devastating attack.
Even the unprecedented decision to
release details of an ongoing FBI investigation and President Barack Obama
publicly blaming the hermit authoritarian regime hasn’t quieted a chorus of
well-qualified skeptics who say the evidence just doesn’t add up.
Researchers from the cyber
intelligence company Norse have said their own investigation into the data on
the Sony attack doesn’t point to North Korea at all and instead indicates some
combination of a disgruntled employee and hackers for piracy groups is at
fault.
The FBI says it is standing by its
conclusions, but the security community says the agency has been open and receptive to
help from the private sector throughout the Sony investigation.
Norse, one of the world’s leading
cyber intelligence firms, has been researching the hack since it was made
public just before Thanksgiving.
Norse’s senior vice president of
market development said that just the quickness of the FBI’s conclusion that
North Korea was responsible was a red flag.
“When the FBI made the announcement
so soon after the initial hack was unveiled, everyone in the [cyber]
intelligence community kind of raised their eyebrows at it, because it’s really
hard to pin this on anyone within days of the attack,” Kurt Stammberger said in
an interview as his company briefed FBI investigators Monday afternoon.
He said the briefing was set up
after his company approached the agency with its findings.
Stammberger said after the meeting
the FBI was “very open and grateful for our data and assistance” but didn’t
share any of its data with Norse, although that was what the company expected.
The FBI said Monday it is standing
behind its assessment, adding that evidence doesn’t support any other
explanations.
“The FBI has concluded the
Government of North Korea is responsible for the theft and destruction of data
on the network of Sony Pictures Entertainment. Attribution to North Korea is
based on intelligence from the FBI, the U.S. intelligence community, DHS,
foreign partners and the private sector,” a spokeswoman said in a statement.
“There is no credible information to indicate that any other individual is
responsible for this cyber incident.”
The spokeswoman had no comment on
further inquiries about the briefing and whether the FBI found Norse’s case
convincing.
A source who had been briefed on the
FBI’s investigation said the agency had considered an insider as a possible
explanation for the attack, but it wasn’t supported by the evidence.
The FBI won’t comment further on an
open investigation, referring questions to the initial update on the investigation the agency released 10 days ago. That
unusual release cited similarities between the malware and infrastructure
behind the Sony attack and previous attacks attributed to North Korea as well
as technical links to known North Korean-developed malware.
But many security researchers have
found that evidence to be thin and unconvincing.
In addition to Norse’s analysis of
Internet forums where perpetrators may have communicated and compiled dates
within the malware used, a report from firm Taia Global said a linguistic analysis of the purported hacker messages points to Russian speakers
rather than Korean.
Security expert Bruce Schneier called the evidence “circumstantial at best” and considered a
number of other possible explanations. CloudFlare principal researcher and
DefCon official Marc Rogers wrote that the FBI’s indicators seem to rely on malware that is
widely available for purchase and IP addresses easily hijacked by any bad guy.
Errata Security’s Robert Graham also noted the hacker underground shares plenty of code, calling the
FBI’s evidence “nonsense.”
But the doubters leave open the
possibility that the government has other intelligence, to which they don’t
have access, supporting the idea that it’s North Korea, and a U.S. official told
POLITICO it is likely the U.S. has access to information it is choosing to not
release.
The official said law enforcement is
still treating the incident as an “active criminal investigation” but that may
or may not lead to a prosecution built on evidence that goes beyond a
reasonable doubt.
“I think the intent was to release
the information because this is the new normal, not to tuck away information
and hide it as we have in the past,” the official said, calling the quick
preliminary release “unprecedented.”
Stammberger said that if there is
more information out there, it should be released to companies like his and
others that are also investigating the attack.
“Whenever we see some indicators or
leads that North Korea may be involved, when we follow those leads, they turn
out to be dead ends,” Stammberger said. “Do I think it’s likely that
[officials] have a smoking gun? … We think that we would have seen key
indicators by now in our investigation that would point to the North Koreans:
We don’t see those data points. So if they’ve got them, they should share some
of them at least with the community and make a more convincing case.”