Two Step: FBI Says North Korea Acted Alone, Had Help

Investigation maze concept

The official line on perhaps the biggest security story of the year shifted noticeably this week following a report by the security firm Norse Corp. that cast doubt on the official explanation of the devastating November hack: that it was a state-sponsored operation carried out by hackers working for the government of the Democratic Peoples Republic of Korea, or DPRK.

Two reports in recent days – both citing officials close to the Sony hack investigation – suggest that the FBI believes – simultaneously – that the DPRK did not act alone and that it was the only actor responsible for the attack on Sony Pictures Entertainment.

As reported by The Security Ledger on Sunday, Norse research of the Sony hack suggested that a group of six hackers was behind the incident- including one former Sony Pictures employee. Among other things, Norse said it identified one former SPE employee with a “very technical background” and were able to capture communications between that individual and other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia.

[Read more Security Ledger coverage of the hack of Sony Pictures Entertainment.]

Norse Vice President Kurt Stammberger said his company was further able to connect an individual directly involved in those online conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July, 2014. Norse experts briefed the FBI on their findings on Monday.

That same day, an FBI narrative on the Sony hack began to change. A source “close to the investigation” told Reuters that the DPRK may have “had help” with the attack – the first time the government has suggested that North Korea did not act alone.

“As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, U.S. investigators are looking at the possibility that Pyongyang ‘contracted out’ some of the cyber work,” the official told Reuters’ Mark Hosenball and Jim Finkle.

Still, the FBI stood firm by prior statements that Pyongyang was the prime author of the attack against the Sony Corp unit.

Then, on Tuesday, Politico ran a story citing U.S. law enforcement officials throwing cold water on a competing theory of the hack put forward by Norse Security. The government official, who requested anonymity, said that the “insider” theory of the Sony hack “doesn’t add up.”

“The three-hour meeting with FBI investigators yesterday by cyber intelligence firm Norse ‘did not improve the knowledge of the investigation,’ according to the U.S. official,” Politico reported.

The official went on to say that “investigators are open to new information brought forth by researchers…but it became clear in the meeting yesterday that Norse’s evidence was ‘narrow’ and not an accurate analysis of the information.”

In a message to The Security Ledger, Norse Vice President Kurt Stammberger said the Monday briefing with the FBI “went well,” but clarified that Norse has not yet shared its “dataset” on the Sony hack with the FBI.

In a statement, the FBI said that it “has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment” and that “there is no credible information to indicate that any other individual is responsible for this cyber incident.” The FBI is basing its conclusion on “intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector.”

Neither the FBI statement nor the Politico story made mention of the government’s contention that the government of North Korea may have worked with outsiders to carry out the attack, and it is still unclear what kind of help the government of the DPRK may have obtained, or from whom.

In the meantime, a report by the BBC gave support to the picture of the Sony hackers being part of the global cyber criminal underground. In that report, a member of the hacking crew known as the Lizard Squad said that “his group knew people who were part of GoP” and “‘handed over some Sony employee logins’ that were used by GoP to get its initial attack underway.”

An expert with knowledge of the Lizard Squad investigation dismissed that claim out of hand. However, the confusion about attribution for the attack underscores the muddy ground that the investigation has stumbled into.

More than a month in, the cyber attack on Sony has turned from an isolated act of vandalism into an international incident. U.S. President Barack Obama has promised, publicly, that the U.S. will mete out a “proportional response” to the DPRK for the attack.

But nagging questions about the real origin of the hack could complicate both the government’s willingness to strike back and the public’s confidence that the government ‘got its man.’

“What’s the distinction between the statement ‘it was the DPRK, but the DPRK had help’ and ‘it wasn’t the DPRK but the DPRK helped out’? said Mark Rasch, a former federal prosecutor and a principal at Rasch Technology and Cyberlaw.

A month in, the biggest question facing the government isn’t ‘who hacked Sony,’ but  ‘who is running the show for the government?’  “Is this an FBI criminal investigation or CIA cyber intelligence operation or an NSA intercept operation, or a DoD cyber command military operation,” Rasch asked.

If the Sony hack is a criminal case, Rasch notes, the FBI will be expected to file criminal charges and name defendants. It will need to have a trial and present evidence. In the case of the Norse evidence, it won’t be enough to say that the evidence is wrong – the government would need to provide counter evidence that proves Norse and others are wrong. So far, that has not happened.

However, if the matter is now a military operation run by cyber command, the goal will be to protect sources and methods and the truth about the government’s case against the DPRK will likely never be known, Rasch said.

Comments are closed.