New Clues In Sony Hack Point To Insiders, Away from DPRK

Clues from an investigation of the hack of Sony Pictures now point to at least one former employee, according to Norse Security.

A strong counter-narrative to the official account of the hacking of Sony Pictures Entertainment has emerged in recent days, with the visage of the petulant North Korean dictator, Kim Jong Un, replaced by another, more familiar face: former Sony Pictures employees angry over their firing during a recent reorganization at the company.

Researchers from the security firm Norse allege that their investigation of the hack of Sony has uncovered evidence that leads, decisively, away from North Korea as the source of the attack. Instead, the company alleges that a group of six individuals is behind the hack, at least one a former Sony Pictures Entertainment employee who worked in a technical role and had extensive knowledge of the company’s network and operations.

[Read Security Ledger coverage of the hack of Sony Pictures Entertainment.]

If true, the allegations by Norse deal a serious blow to the government’s account of the incident, which placed the blame squarely on hackers affiliated with the government of the Democratic People’s Republic of Korea, or DPRK. That accusation, first aired last week, has been the source of heated rhetoric from both Washington D.C. and Pyongyang, the North Korean capital.

Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.

Stammberger said that Norse’s team of around nine researchers started from the premise that insiders would be the best situated to carry out an attack on the company and steal data. The company analyzed human resources documents leaked in the hack and began researching employees with a likely motive and means to carry out a hack.

That HR data was the “golden nugget” in the investigation, revealing the details of a mass layoff at Sony in the Spring of 2014, including a spreadsheet identifying employees who were fired from Sony Pictures in the April-May time period.

After researching those individuals, Norse said it identified one former employee whom Stammberger described as having a “very technical background.” Researchers from the company followed that individual online, noting angry posts she made on social media about the layoffs and Sony. Through access to IRC (Internet Relay Chat) forums and other sites, they were also able to capture communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia.

According to Stammberger, the Norse investigation was further able to connect an individual who was directly involved in those online conversations with the former Sony employee to a server on which the earliest known version of the malware used in the attack was compiled, in July 2014.

Stammberger was careful to note that his company’s findings are hardly conclusive, and may just add wrinkles to an already wrinkled picture of what happened at Sony Pictures. He said Norse employees will be briefing the FBI on Monday about their findings.

“They’re the investigators,” Stammberger said. “We’re going to show them our data and where it points us. As far as whether it is proof that would stand up in a court of law? That’s not our job to determine, it is theirs,” he said of the FBI.

At a minimum, the latest theory suggests that official accounts of the hack from U.S. government sources are now just one among many competing theories about the source of, and motivation behind, the attack that are circulating within security circles and in the mainstream media. This, ten days after the Obama Administration pinned the blame for the destructive attack squarely on hackers affiliated with the reclusive government of the Democratic People’s Republic of Korea (DPRK).

The sheer amount of information leaked by the hackers has provided plenty of ammunition to fuel alternative narratives about what happened. Initial reports noted that the malware used in the attacks on Sony was created on systems that used Korean language software libraries, and shared similarities with malicious software used in destructive attacks on the Saudi oil firm Saudi Aramco.

But for every clue that seems to point to the involvement of the DPRK, there are others that point in other directions as well. For example, recent analysis has focused on the date and time stamps attached to the leaked Sony data. Researchers have used those timestamps to infer the speed with which the data was transferred off Sony’s network. Reports have suggested that the timestamp data points to the data being copied within Sony’s enterprise network, for example to a USB device or external hard drive.
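A worked version of the timestamp reasoning described above, added here as an illustration rather than taken from the article or from the researchers it cites: the elapsed time between the first and last file timestamps bounds the transfer window, the bytes written inside that window give a lower bound on the sustained rate, and that rate is compared against channel capacities. File sizes, dates and the capacity figures are all constructed or assumed, and the copy tool is assumed to stamp each file when its write completes.

```python
"""Infer a data-transfer rate from file timestamps (added illustration; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

GB = 10**9  # decimal gigabyte, chosen so the constructed sample gives round numbers


@dataclass(frozen=True)
class FileRecord:
    """One file from a dumped archive, with the timestamp the copy tool stamped on it."""
    path: str
    size_bytes: int
    mtime: datetime  # assumed to mark when the copy of this file finished


# Rough, assumed sustained capacities in Mbit/s, used only to bucket the estimate.
CHANNEL_CAPACITY_MBPS: Dict[str, float] = {
    "typical business Internet uplink": 100.0,
    "gigabit LAN copy": 1000.0,
    "USB 3.0 external drive": 2000.0,
}


def build_batch(start_iso: str, sizes_gb: List[int], gap_minutes: int) -> List[FileRecord]:
    """Construct a batch of sequentially copied files, one finishing every gap_minutes.

    The first record marks the start of the window; every later file's bytes count
    toward the rate because they were written inside the window.
    """
    start = datetime.fromisoformat(start_iso)
    return [
        FileRecord(f"dump/part{i:03d}.bin", size * GB, start + timedelta(minutes=i * gap_minutes))
        for i, size in enumerate(sizes_gb)
    ]


def infer_throughput_mbps(records: List[FileRecord]) -> float:
    """Lower-bound the sustained rate: bytes written after the first timestamp / elapsed time."""
    if len(records) < 2:
        raise ValueError("need at least two timestamped files to bound a transfer window")
    ordered = sorted(records, key=lambda r: r.mtime)
    elapsed_s = (ordered[-1].mtime - ordered[0].mtime).total_seconds()
    if elapsed_s <= 0:
        raise ValueError("timestamps do not span a positive interval")
    # Exclude the first file: its write finished at t0, so we cannot tell when it started.
    bits_in_window = sum(r.size_bytes for r in ordered[1:]) * 8
    return bits_in_window / elapsed_s / 1e6


def plausible_channels(rate_mbps: float) -> List[str]:
    """Channels whose assumed capacity could sustain the inferred rate. A rate above
    every Internet profile argues for a local copy (LAN share, USB or external disk)."""
    return [name for name, cap in CHANNEL_CAPACITY_MBPS.items() if cap >= rate_mbps]


def classify_batch(records: List[FileRecord]) -> Dict[str, object]:
    """Summarise a batch as an inferred rate plus the channels that could carry it."""
    rate = infer_throughput_mbps(records)
    return {"rate_mbps": round(rate, 1), "plausible": plausible_channels(rate)}


if __name__ == "__main__":
    # Constructed: a 1 GB file, then four 25 GB files, one finishing every 3 minutes.
    fast = build_batch("2014-11-20T02:00:00", [1, 25, 25, 25, 25], 3)
    print(classify_batch(fast))  # 100 GB in 12 min -> ~1111 Mbit/s; only the USB profile fits
    # Constructed: three 1 GB files, one finishing every 30 minutes.
    slow = build_batch("2014-11-20T02:00:00", [1, 1, 1], 30)
    print(classify_batch(slow))  # 2 GB in 60 min -> ~4.4 Mbit/s; any channel fits
```

The estimate is only a lower bound and depends on the copy tool preserving write-completion times; if the archiver preserved the source files' original modification times instead, the window says nothing about the transfer.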

Other analysis studied clues buried in statements made by the shadowy hacking crew, the Guardians of Peace or GOP, who claimed responsibility for the attacks. Email addresses and other ephemera from the GOP communications with Sony and the outside world have been read to reveal links to everything from Japanese anime and the Mighty Morphin Power Rangers television show to U.S. domestic disputes over politics and gender equality. Further, linguistic analysis of GOP’s online communications suggests they were penned by someone who is a native Russian speaker, not a native Korean (or English) speaker.

But the Norse account of the hack does answer some puzzling questions about the incident that are as yet unexplained, according to Mark Rasch, a former federal prosecutor and a principal at Rasch Technology and Cyberlaw. Among those questions: how hackers were able to obtain near-perfect knowledge of Sony Pictures’ network and, then, sneak terabytes of data off of the network without arousing notice.

“It has always been suspicious that it was North Korea,” Rasch said. “Not impossible – but doubtful…It made a lot more sense that it was insiders pretending to be North Korea.”

Rasch noted, as others have, that the attackers initially made no mention of the Sony Pictures film “The Interview” in communications with the company or the outside world. Rasch also noted that the hackers exhibited a somewhat sophisticated knowledge of how Hollywood works, leaking data that was deeply personal and particularly embarrassing to Sony executives.

Stammberger notes that the involvement of an insider would explain how the attackers obtained critical information about Sony’s network, including the IP addresses of critical servers and valid credentials to log into them. Even in sophisticated attacks, remote actors might spend days, weeks or months probing a network to which they have gained access in order to obtain that information: using compromised employee accounts to explore and find sensitive data before stealing it or causing other damage. It is during that “lateral movement” that malicious actors are often spotted, Stammberger said. In the case of the Sony hack, however, the malware was compiled knowing exactly what assets to attack.

Still, there are many questions that have yet to be answered. Norse’s own analysis has plenty of blank spaces. Stammberger said that a “handful” of former employees may have been involved, though only one was linked directly to the hack. That employee, at some point, joined forces with external actors and more experienced hackers with a grudge against Sony, including individuals involved with sites like The Pirate Bay, which offer Hollywood movies for download. “We see evidence for those two groups of people getting together,” Stammberger told The Security Ledger.

135 Comments


  3. I think that anybody who thinks they know who was responsible for the attack on Sony, be that Obama and the FBI, or individuals with their own theories who have no expertise in actually carrying out an investigation properly, is simply misguided by their own ill-founded certainty in themselves to somehow ‘know’ instinctively. Nobody really ‘knows’ yet, they are all theories until one is proven to be correct or incorrect on the basis of hard concrete evidence.

    Now, I think I ‘know’ who is responsible as well by the way, in fact I’m so sure that I even intend to place a bet at the bookies if they would lay odds on it. And I’d bet a large amount too! But, despite how sure I am that I ‘know’ I also realise that I actually do not really ‘know’ yet at all. My notion of ‘knowing’ is really my way of glorifying myself and my fantasy that I’ve got it all worked out because I know something the rest of you schmucks don’t know, or that I just have the ability to look at the bigger picture and know instinctively what is really going on in the world. One thing’s for sure, if I’m wrong about it, it sure as hell won’t matter will it, well so what if I was wrong, I can’t be right about everything now can I? But if I’m right, well, I was right all along. I knew it from the start!! I just damned well somehow knew it I did!! You know what, I’m always right about these things, remember this other thing I was right about and the other one and all the other things I was ever right about?

    OK, in general that’s how most people think and react, yet are totally unaware of how little they ever really ‘knew’.

    The U.S. government does not have evidence enough that Korea are responsible for the attack yet. Yet it is pig headed enough to use this as the ideal opportunity to proceed with measures that they’ve wanted to impose already, upon the country. And please don’t attack my argument by saying something along the lines of ‘well, they needed to be imposed on Korea anyway at some point sooner or later, just a matter of time’. Yes that may be true for all I or you know, but it is totally irrelevant to this specific situation.

    So there isn’t much evidence to support any one particular theory any more than another (of the ones offered by credible security investigation agencies). If there was more evidence to suggest that then it does make sense that both private and government investigation agencies would generally come to a similar conclusion, that is that there is evidence so far that gives us reason to suspect certain individuals or organisations (including governments of other countries). But that the evidence so far does not weigh heavily enough for any yet to warrant an accusation, worse yet, sanctions, on a country which, conveniently so, the government has wanted to crush and thwart for a good while, so the U.S. government and the U.S. people are certainly getting what they want or think they need, out of this decision. The government gets its way whilst easily pulling the wool over the eyes of the overwhelming majority of its population, by making them believe that they have benefited from it. In this particular case I doubt most people will really care, it seems beneficial to everybody all over the world that these sanctions be imposed on North Korea. And it may well have been. But this sneaky way of doing it is morally wrong. To accuse a nation of something that (not just in my opinion, but also in the opinion of independent security investigation firms) and to take action against them for it is wrong. It is unethical and goes against everything which our culture stands for. To resort to such tactics to get your own way, even if you WERE justified perhaps in thinking it would be for the best beforehand, you have shown yourselves really to be no better. Because right now, there is not enough evidence to support your claim. And might I add there are actually some pretty weighty pieces of evidence, supporting one theory in particular, which simultaneously act as evidence to disprove the theory that the Korean government are responsible. Yet I can think of no evidence (yet, yes I know something may come up later, or I may have failed to notice something right now, I’ll admit that) which supports the theory of N. Korea being responsible AND which simultaneously disproves this other theory or indeed any other theory (although the ludicrousness of most is enough to disprove them imo!).

    To quote the gentleman earlier, as his statement applies to a message I’d like to send out to governments who think they can carry on getting away with things indefinitely.

    “You can fool some of the people some of the time, but you can’t fool all of us all of the time.” Although I would use the word ‘most’ in place of the word ‘some’.

    I find the issue of how communications have all been found to be penned by a native Russian speaker a bit of an odd one. Why would Korea bother to make it look that way? Which I think they would have to have done if they were the attackers. What purpose would it serve to make the communications appear to be in any language other than fluent U.S. English, as are the intended recipients who will read it. Might as well put in theirs rather than anyone else’s. And if it’s a government run operation then they’re bound to have someone Japanese working for them who is fluent in English, such as spies are in order to not be discovered. So it’s not like they couldn’t make it read as though it was written by a U.S. citizen so to speak. And there’s no reason to make it appear any other way, because all governments must know that all the other governments know that each of them could make its communications appear to be written by someone from any country they want. And if everyone knows that then we all know nobody else is going to bother making it look like it might be Russian, to throw us off the scent (and if they did, well it certainly didn’t work did it!) cos we all know we’re capable of doing that quite easily, so we are therefore not going to use how communications are ‘penned’ to help us verify which, if any, country’s government may be responsible. Korea would have known this and logically decided on fluent English. I mean, if they’re thinking that tactic’s going to throw anyone off the scent (which it hasn’t, because it never would, therefore they would never do it), then better to send it over in Korean! Let Sony sweat a little trying to find someone in the company who can speak Korean to decode it, why the hell not ay, and if it’s a tactic that might have worked, then no one would ever suspect them if they do that, because who’d be daft enough to execute a cyber attack on another country and intentionally communicate in their own language, or ‘Native Korean English’ for good effect, in order to somehow not bring attention to themselves..!? Nobody would, because it wouldn’t make a difference to whether or not they’re given the blame once the U.S. government has decided they’re going to use this incident to really sink their teeth into N. Korea once and for all, fuck things up for them as much as possible, all in the name of standing up for ‘freedom of speech’ so that they actually get thanked by most of the world for doing it as well. It is ruthless. And I cannot believe that the world just stands by and allows Obama to do this, when anyone, if they think about what is really happening right now, knows that it’s wrong for them to point the finger at N. Korea so openly and on such little evidence to begin with. But then again, who is really going to do anything about it other than voice their opinion on internet forums or in a comment on an article such as I am right now. Well, I know it ain’t me and that my reaction to it is pretty much the same as anyone else’s reaction, who happens to have a similar view point.

    Can you just imagine what the repercussions would be for any nation/s who dared to stand up to America and say ‘Actually, we can see what you’re doing, in fact we always have been able to see what you’re really getting up to because it’s pretty damn obvious in all fairness. Only reason why we haven’t said anything about it before is because we’ve all been too scared of what will happen to us if we do. But we’ve finally plucked up the courage to stand up for what is right (you know, a few nations united in standing together) because there’s no way any one nation on its own could ever really do that. And how do you co-ordinate something like that between several nations without the U.S. catching wind of it and setting things in motion to thwart any attempt at toppling their monopoly over the world (which is how they’d see it) before you could even get started on a plan to carry it out.

    That’s it. I’ve said as much as I’ve got time for today. Just remember that it’s only an opinion and some parts of it may have holes and flaws in it and indeed (and I know many people will certainly believe so already) I could be talking absolute rubbish. Yes I could be completely wrong about absolutely everything from my theories on what I think has really gone on in the past, what’s going on right now, and will continue to go on in the future, to my theory about whether or not Korea is responsible for this cyber attack and any other theory I might have about anything else. That so many people don’t seem to grasp that you simply cannot claim to truly know something when all the knowledge is based on is our own natural desire to stroke our own egos into elevating ourselves and the belief that our own opinions are more significant than the reality, which is that the majority of what most of us may think we know is based primarily on our egotistically reinforced speculations. Reinforced by how rewarding it is every time we are right and how utterly unnoticeable it is when we are wrong. Therefore we all think we’re right and that we know it, but really none of us know until eventually someone is proved right, and everyone else is wrong.

    It’s exactly the same with the U.S. government right now. I’m sure they all think they know it was Korea (I’m also sure they think they know it because that’s what they want to think as well). So by their actions against N. Korea they have affirmed their absolute certainty that they are right about their allegations. Whether they turn out to be remains to be seen, and whether they will ever admit they were wrong if/when it is proven that Korea were not responsible is an even bigger question to me. Personally I think they are wrong in their allegations, and that they are deliberately blaming it on them without sufficient evidence because they know they can get away with it, despite how very right under everyone’s noses it is that they’re doing it. I mean, they can’t really go back on what they’ve said now can they. They’ve accused and sanctioned another country which suggests ‘certainty’ behind their claims. The reality is that the only certainty to it is once it is done, there is no way of going back from it. At best it would be very embarrassing for them to ever accept that they might have been wrong about it and of course they know that and they have no intention of admitting it and every intention of making sure that the world believes what they want them to believe, because they certainly didn’t make such a ruthless decision now only to miraculously turn over a new leaf in a couple months or years and say ‘you know what, we did actually blame the Koreans for our own selfish political gains and we did try and make out a bit of evidence against them to be of more significance and affirming than it really was just because, you know, we’re politicians and we’re all good at telling things to you in such a way that we are saying words that in effect are true, but saying them to you all so that it sounds like we’ve actually said something else altogether different to what you think that we were actually saying. (Simpler version, we take a fact about something and tell it to you in such a way that makes you believe it means something that we want you to think it means, but we’re so clever about how we do it that we never actually explicitly lied to you about it, we just told you the stuff we knew you wanted to hear and you suckers fall for it every time.) However we have all had a sudden epiphany about ourselves and the things we have been doing all our lives that really we ought to be and are now ashamed of. We have seen the error of our ways and we want to change. So as embarrassing (and humbling!) as it is to tell you all this we are still doing it because it is the right thing to do.’

    ‘Oh and by the way, you’re going to need to create a new government to replace us, because you really do not want any of us running the country after what I’ve just told you (and all the rest of it I haven’t mentioned yet, yeh it’s gonna take several years before we’ve confessed everything). Yes, it is true we have miraculously changed for the better all at once, but an even bigger miracle would be if we didn’t fall back into the same rotten ways once again, if you allowed us to keep running the country for you, just by the nature of sheer habit. Now hop to it people, you better be quick because a country without a government is vulnerable to attack from all those nasty evil horrors in the world we also led you to believe were real threats too. Yeh that was all a load of bollocks as well by the way. Yeeeh shifty buggers aren’t we, you haven’t heard the half of it yet!’

    Right OK so perhaps I went a little overboard with my emphasis on the absurdity of it all. There really is no way to undo what has been done.

    Maybe I’m wrong. I guess we’ll all see eventually.

  4. The accusation of North Korean responsibility for this hack–now become an assumption of mainstream media discourse–was always somewhat ridiculous, and has been pretty thoroughly discredited by cyber experts like Marc Rogers. The hackers were goofing around with “God’sApstls,” the GOP [!], Salted Hash, and the Stephen King of children’s books, before the media brought up the North Korea/Interview angle.

    Sony had been criticized by its own auditors for its egregious cybersecurity, and it had an interest in covering its own ass by making this into the work of an international evil genius, against whose wiles no mere mortal international media-technology conglomerate could possibly have defended itself. And of course, the USG has an interest in further pumping up the image of Kim as a comic-book villain.

    We should also be aware that The Interview was a government-vetted cultural production and a tool to promote assassination. The nastiest version of the scene where Kim Jong-un is killed by blowing up his head was explicitly lauded by American intelligence professionals because it might inspire Kim’s actual assassination.

    It’s also another example of close Hollywood-intelligence-government cooperation in film production, the likes of which we have seen recently in Zero Dark Thirty and Argo—“just” entertainment that just happens to reinforce, through accidentally-on-purpose cooperation, the dominant US government narrative about who’s crazy and what’s funny.

    See the analysis at: Goosebumps: A Scary Sony Story
    http://www.thepolemicist.net/2014/12/goosebumps-scary-sony-story.html
