The hack of Sony Pictures Entertainment, which first came to light on November 24th, devolved this week into a chaotic international “whodunnit” with conflicting reports attributing the incident to everything from the government of North Korea to the government of China to global hacktivist group Anonymous to disgruntled Sony employees.
For sure: those attributing the attack to hacking crews within the military of the Democratic Peoples Republic of Korea (DPRK) had their argument bolstered by reports in the New York Times and elsewhere claiming that the U.S. government now believes that the DPRK, under the leadership of Kim Jong Un, was responsible for the devastating hack.
Officials at Sony Pictures Entertainment clearly believe the connection is credible, ordering the cancellation of the release of the Sony Pictures film The Interview following threats of violence on theaters showing the film. That acceded to a key demand of the hackers, who have used the moniker “The Guardians of Peace” in communications with the outside world. By late Thursday, the news was about the U.S. Government preparing a ‘proportional response’ to the incident.
But just the opposite conclusion seems to hold sway within much of the information security community, where there’s appreciation for the difficulty of attributing cyber attacks, and where the list of possible explanations for any incident runs much longer than in DC policy circles or the news rooms of mainstream publications.
Articles in Wired and other prominent publications note that the attack doesn’t fit the description of stealthy, nation-state hacks. A noted security expert I interviewed noted that the Sony hack had a very different look and feel from the one other incident that clearly has the DPRK’s fingerprint on it: an attack on South Korean media outlets known as “Dark Seoul.”
Those who back the idea that it was a North Korean operation have found themselves on the receiving end of charges that they’re naive or – worse – fear mongering. One is David Aitel, of the security firm Immunity, who has consistently backed the idea that North Korea was responsible for the attack on Sony. Interviewed by The Security Ledger, Aitel said that the DPRK’s involvement is “cut and dry” and that he finds the hand wringing over attribution within the information security community “ridiculous.”
“North Korea has a massive interest in having everyone realize their power,” he said. “This is like firing a missile or launching an air craft carrier,” Aitel said. “In the 21st century, this is the equivalent of North Korea saying ‘We have a blue water navy. Here it is. Look at it.'” That message was likely received loud and clear by North Korea’s intended audience: policy makers and military leaders in Washington D.C., Seoul, Tokyo and elsewhere – especially when coupled with classified human or signals intelligence, Aitel said.
The problem for the rest of us is that connecting a cyber attack or even a cyber weapon back to a specific actor isn’t as simple as identifying the flag on an aircraft carrier or destroyer. These days, threat “attribution” of the kind that fills the reports of companies like Mandiant and Crowdstrike often come down to a preponderance of what threat intelligence firms call “tactics, techniques and procedures” (or TTP) – everything from what techniques the hackers use to get in, to how they steal data, to what time of day they tend to be active. Together, these constitute a kind of hacker “fingerprint,” or so we like to think.
Many security experts who have looked at the Sony incident think the TTP used by the Sony hackers don’t look like Dark Seoul, or what we’d expect from a hacking crew that had the financial and material backing of a nation state. The wiper code was too sloppy, others have noted. The attack was too noisy and obvious – not stealthy, like nation state attacks are supposed to be.
But any technique that is obvious enough to be noted is easy enough to fake, says Mario Vuksan of the firm Reversing Labs in Boston. “Any sophisticated force will, of course, try to cover their tracks,” he said. Even in classic forensics of the kind used by law enforcement, reconstructing and incident, a timeline and motive are difficult tasks. In the context of online incidents, any attribution is “very speculative and tenuous,” Vuksan argues. “You can make a couple parallels and – you know – look for the usual suspects,” he said. “You may be right. But, really, how can you tell?”
To the extent that there is evidence left behind, its rarely conclusive, he says. The kinds of data left over in the wake of an incident like the Sony breach – malware samples and logs – are often “noisy,” he said. Malware samples collected may have similarities with other malicious programs, but the provenance of the code is difficult to determine, let alone how samples of code may have migrated between different threat actors and groups,” he said.
In the case of the Sony hack, for example, the malware used bore some basic resemblance to the software used to attack the Saudi oil company Saudi Aramco, an attack that was attributed to state-sponsored hackers in Iran. But even sophisticated cyber attackers will re-use components when it suits them – especially if they already have access and can be assured they will work in their target environment, Aitel noted.
In other words, similarities that seem suggestive might add up to nothing – or add even more wrinkles to an already wrinkled portrait of whatever happened. And that’s the dynamic that has played out time and again in attempts by private sector firms to attribute the Sony attack one way or the other: each new explanation simply poses more questions than it answers.
And that speculation can beget a dangerous escalation, when ‘hacktivism’ and cyber ‘vandalism’ start to look like something pretty close to a pretext for cyber war. At least one noted expert on the subject thinks that’s a really bad idea.
In the end, there’s just one salient message from all the theorizing and proclamations about the source of the destructive hack on Sony in recent weeks. And it is this: we stink at cyber attribution. Period. And by “we” I mean the information security community and the technology press and the mainstream media. We’re terrible. Our track record – collectively – is dismal. Or maybe our record is great. We don’t even know enough about the truth of any major cyber incident to even grade our accuracy. And that, if nothing else, should convince us to just cut it out. The cost of being wrong is simply too high.