Skip to main content

North Korea Hacked Sony? Don't Believe It, Experts Say

American comedian Randall Park as Kim Jong Un in 'The Interview.' Credit: Columbia Pictures

(Image credit: American comedian Randall Park as Kim Jong Un in 'The Interview.' Credit: Columbia Pictures)

UPDATE 2:45 pm ET Friday: "The FBI announced today, and we can confirm, that North Korea engaged in this attack" against Sony Pictures Entertainment, President Barack Obama said Friday (Dec. 19) in a televised national address.

However, the evidence the FBI cited in its press statement — that some of the malware, and some of the network infrastructure, used to hit Sony Pictures resembled those used in previous suspected North Korean attacks — was not enough to convince skeptical experts.

"All of the evidence [the] FBI cites would be trivial things to do if a hacker was trying to misdirect attention to DPRK," tweeted Brett Thomas, chief technology officer of Redwood City, California-based online-services company Vindicia, referring to North Korea by the acronym of its formal name, the Democratic People's Republic of Korea.

"The U.S. security-intelligence complex is running amok once again," Sean Sullivan, a security adviser at Finnish antivirus firm F-Secure, tweeted. "Washington, D.C., is incapable of saying 'we don't know.'"

"It's complete nonsense," wrote Rob Graham, CEO of Atlanta-based Errata Security, on his blog. "It sounds like they've decided on a conclusion and are trying to make the evidence fit."

"While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack," widely respected independent security blogger Brian Krebs posted following the FBI statement, "skeptics could be forgiven for having misgivings about this conclusion."

The FBI did mention that "the need to protect sensitive sources and methods precludes us from sharing all of [the] information" it had providing evidence of North Korea's involvement.

Our original story follows, without alteration.

Many computer-security experts doubt the validity of the claim that North Korea is behind the Sony Pictures Entertainment hack, citing a lack of strong evidence and the possibility of alternate scenarios.

"There's no direct, hard evidence that implicates North Korea," Sean Sullivan, a security adviser at Finnish security firm F-Secure, told Tom's Guide. "There is evidence of extortion (the Nov. 21 email [to Sony executives which demanded money]) and the hackers only mentioned [the movie] The Interview after it was brought up in the press, which they then used to their advantage."

"There's no evidence pointing to North Korea, not even the barest of hints," Robert Graham, CEO of Atlanta-based Errata Security, told Tom's Guide. "Some bit of code was compiled in Korea — but that's South Korean (banned in North Korea, [which] uses Chinese settings). Sure, they used threats to cancel The Interview — but after the FBI said they might."

"Is North Korea responsible for the Sony breach?" wrote Jeffrey Carr, founder and CEO of Seattle cybersecurity consulting firm Taia Global. "I can't imagine a more unlikely scenario."

MORE: 12 Computer-Security Mistakes You're Probably Making

Rather than an international incident of "cyberwar," the Sony hack looks like an inside job, several skeptics say.

"My money is on a disgruntled (possibly ex) employee of Sony," Marc W. Rogers, a security researcher at San Francisco-based Web-traffic optimizer CloudFlare, wrote on his personal blog. "Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down."

For the most part, the doubters are undeterred by newspaper and television reports yesterday (Dec. 17) that a U.S. government agency, so far unnamed, would present its evidence for a North Korean connection today (Dec. 18). Kim Zetter, a longtime security reporter for Wired, posted a piece picking apart the Pyongyang hypothesis just before the leaks broke, yet continued to stand by her story.

"At risk of launching another Tweet storm, I'll point out that intel[ligence] sources also claimed Brazilian blackouts were caused by hacker extortion," Zetter tweeted yesterday, referring to a since-debunked allegation that was aired on CBS News' "60 Minutes" a few years ago.

Skeptics pointed out that the hackers seem very familiar both with Sony Pictures' internal network and with American news media — two things that would be unlikely in hackers operating from North Korea.

"To handle this sophisticated media/Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and Western culture," wrote the pseudonymous vulnerability broker The Grugq. "I can't see DPRK [the Democratic People's Republic of Korea] putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value."

Even the few tidbits of evidence pointing to North Korea — malware with Korean encoding, and a server in Bolivia, that had been previously used in North Korean attacks — don't convince seasoned cybersecurity experts.

"It just doesn't feel right," wrote independent British security blogger Graham Cluley. "Trying to determine the location of Internet hackers can be as hard as nailing jelly to the ceiling. It's not uncommon at all for attackers to use compromised computers in other countries as part of their attack to throw investigators off the scent."

"So far, the information that's come out has pointed the finger at North Korean proxy groups, but it's been context-based," political scientist Peter W. Singer, a senior fellow at the Washington, D.C.-based think-tank the New America Foundation, told the tech blog Motherboard yesterday. "It wouldn't meet the level needed in a court of law."

A detail from the theatrical poster of the unreleased film 'The Interview.' Credit: Columbia Pictures

(Image credit: A detail from the theatrical poster of the unreleased film 'The Interview.' Credit: Columbia Pictures)

To Singer, it certainly doesn't warrant the dramatic reaction by Sony Pictures, which canceled the release of the James Franco / Seth Rogen caper The Interview yesterday after an online posting attributed to the hackers obliquely threatened attacks on theaters that showed the movie.

"The attackers wonderfully understand the American psyche," Singer added. "This was a hack, but call it 'cyber' and 'terrorism,' and we lose our [stuff]. There's no other way to put it."

Even the language used by the hackers seems to contain tongue-in-cheek references. The group's self-determined name, Guardians of Peace, may be both a dig at the Republican Party and a nod to the summer hit Guardians of the Galaxy.

Cinema owners were scared by the threat to "remember the 11th of September," but that sounds like an allusion to "remember, remember the fifth of November" from the 2006 movie V for Vendetta, which spawned the craze for Guy Fawkes masks among supporters of the hacktivist movement Anonymous.

Unless North Korean leader Kim Jong Un declares that his minions did, indeed, carry out the attack, we may never know exactly who did it. Until then, it's best to take all claims with a grain of salt.

"My advice to journalists, business executives, policymakers and the general public is to challenge everything that you hear or read about the attribution of cyberattacks," Carr wrote. "Demand to see the evidence .... Be aware that the FBI, Secret Service, NSA, CIA and DHS rarely agree with each other, that commercial cybersecurity companies are in the business of competing with each other and that 'cyber intelligence' is frequently the world's biggest oxymoron."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Agree? Disagree? Was it North Korea, or three kids sitting in a basement in Duluth? Let us have it in the comments below.

  • A_Goat
    Just more crap to take our attention away from innocent people getting slaughtered overseas.
    Write some articles on the stuff the media is ignoring, not what the media wants you to "worry" about.
    Reply
  • Maxwell Williams
    Absolutely agree, this was not looking like a N. Korean attack right from the start, and had all the makings of an inside job, when Sony's systems had slowed and issues arose, Sony immeadiately blamed 'incompetent' IT employees for the network problems, so their had to be hostilities with staff growing before this 'hacking' claim arose. And it became more ridiclous when the 'threatening' letter looked more like an amatuer attempt to appear 'lost in translation', as if hackers had converted their native Korean language to English using Google translator online. This highly-sophisticated hacker group doesn't even know basic english?
    Reply
  • HEXiT
    most likely corporate espionage from an american corporation wanting to weaken sony's market share. some american corporations seem to think there allowed to do, say anything since citizens united.

    i think the adage for this argument for North Korean involvement is a case of "he who smelt it, dealt it"
    Reply
  • Heenan73
    Much more likely that the SOUTH Korean 'Pro North' party did it; we know South Korea is a digitally-savvy nation; we know that North Korea is a sea of mud, ignorance and starvation at the hands of a candy-addicted sloth.
    Reply
  • chrisban35
    Not true, not true at all... The routing fingerprints alone are very tell tale. Anyone who is close to this issue knows that the government's division that is hot on this trail is absolutely sure of what they're doing.. After all, this is the same group that helped leak a virus into Iran's nuclear facility's computers.

    Many people will have their "opinions" about such things, but the evidence in this case is very much like a fingerprint, and all roads DO lead to Rome(North Korea).

    Reply
  • Heenan73
    14862695 said:
    the evidence in this case is very much like a fingerprint

    Except that you don't have any evidence. None. You're just assuming the gummint's guess is right.

    Reply
  • chrisban35
    14863293 said:
    14862695 said:
    the evidence in this case is very much like a fingerprint

    Except that you don't have any evidence. None. You're just assuming the gummint's guess is right.

    LOL, you wouldn't know what I'm basing my statement off of. You have no clue who I am, what I do, or why I am making that statement. Anyone who has the slightest bit of knowledge about computer forensics knows that the government entity tasked with this project did their due diligence and did it well. Computer fingerprints are as accurate if not more so than DNA left at a crime scene. If you know what you're looking for and what that data means.

    The government made speculative gestures at first based on small clues that hinted it was North Korea. Now, they have the solid facts proving it was them. The government is SMART in not revealing its secrets about how it can be sure that it was North Korea.

    What I would suggest, so that in the near future your statements here don't look foolish, is give it time.. If you think America is just going to make those accusations boldly without evidence or proof, you're wrong.. It just means there's other trails that need secured first.. But I assure you, they got their evidence!
    Reply
  • chrisban35
    14858797 said:
    Much more likely that the SOUTH Korean 'Pro North' party did it; we know South Korea is a digitally-savvy nation; we know that North Korea is a sea of mud, ignorance and starvation at the hands of a candy-addicted sloth.

    Really? So the North Korean Government don't know anything about technology, or computers, etc?? Except they have a special division of the government which filters out the entire outside world. Makes sure that all the communication both in and out of North Korea is filtered. This isn't their first rodeo either... Maybe instead of just making comments, you might want to research your subject of topic as they certainly have capabilities as is stated in this article by the New York Post - http://nypost.com/2014/12/18/an-inside-look-at-north-koreas-cyberwar-capabilities/

    I was stationed in South Korea in the Army and I can tell you, they're as advanced as any other country within their government infrastructure. Its the people themselves who suffer, not the government!
    Reply
  • Heenan73
    You have no clue who I am, what I do, or why I am making that statement.
    Trust me, that lack of clue makes me very happy,
    But I do know that you have no evidence. You are clinging to your faith, which is sweet.
    But it isn't evidence, is it?
    Unsubstantiated claims =/= evidence. Get over it.
    Reply