Who Was Behind the Cyberattack on Sony? [Counterpunch]
December 30, 2014
by GREGORY ELICH
The cyberattack on Sony Pictures unleashed a torrent of alarmist media reports, evoking the image of North Korean perfidy. Within a month, the FBI issued a statement declaring the North Korean [sic] government “responsible for these actions.” Amid the media frenzy, several senators and congresspersons called for tough action. Arizona Senator John McCain blustered, “It’s a new form of warfare that we’re involved in, and we need to react and react vigorously.” President Barack Obama announced his administration planned to review the possibility of placing North Korea on the list of states sponsoring terrorism, a move that would further tighten the already harsh sanctions on North Korea. “They caused a lot of damage, and we will respond,” Obama warned darkly. “We will respond proportionally, and we’ll respond in a place and time and manner that we choose.”
In the rush to judgment, few were asking for evidence, and none was provided. Computer security analysts, however, were vocal in their skepticism.
In its statement, the FBI offered only a few comments to back its attribution of North Korean responsibility. “Technical analysis of the data deletion malware used in the attack revealed links to other malware that the FBI knows North Korean actors previously developed,” it reported, including “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.” The FBI went on to mention that the IP addresses used in the Sony hack were associated with “known North Korean infrastructure.” Tools used in the attack “have similarities to a cyberattack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”
The major problem with the evidence offered by the FBI is that it is self-referential, all of it pointing back to the 2013 attack on South Korean banks and media that was carried out by the DarkSeoul gang. At that time, without supplying any supporting evidence, the United States accused North Korea of being behind DarkSeoul. In effect, the FBI argues that because the U.S. spread the rumor of North Korean involvement in the earlier attack, and some of the code is related, this proves that North Korea is also responsible for the Sony hack. One rumor points to another rumor as ‘proof,’ rendering the argument meaningless.
The logical fallacies are many. To date, no investigation has uncovered the identity of DarkSeoul, and nothing is known about the group. The linking of DarkSeoul to North Korea is purely speculative. “One point that can’t be said enough,” emphasizes Risk Based Security, “is that ‘attribution is hard’ given the nature of computer intrusions and how hard it is to ultimately trace an attack back to a given individual or group. Past attacks on Sony have not been solved, even years later. The idea that a mere two weeks into the investigation and there is positive attribution, enough to call this an act of war, seems dangerous and questionable.”
Consider some of the other flaws in the FBI’s statement. The IP addresses that were hard-coded in the malware used in the Sony hack belonged to servers located in Thailand, Poland, Italy, Bolivia, Singapore, Cyprus, and the United States. The FBI implies that only the Democratic People’s Republic of Korea (DPRK – the formal name for North Korea) could have used these servers. The Thai server is a proxy that is commonly used in sending spam and malware. The same is true of the Polish and Italian servers. All of the servers used in the Sony attack had been compromised earlier and are among the many computers that are widely known to, and used by, hackers and spam distributors. Anyone with the know-how can use them.
Whether or not these machines were used is another matter. Hackers routinely route their traffic through intermediary machines so that the IP addresses investigators see belong to the proxies, not to the attackers. No competent attacker launches an attack directly from a computer that can be traced back to them; vulnerable systems are hijacked in order to relay the traffic. For the FBI to point to IP addresses reveals either a fundamental misunderstanding of cybersecurity or a cynical attempt to deliberately mislead the public…
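The kind of indicator the FBI pointed to, as an added Python example written for this page (it is not from the article, the FBI statement, or any Sony-related sample): it pulls hard-coded dotted-quad literals out of a constructed binary blob in both ASCII and UTF-16LE (the string encoding Windows binaries commonly use), discards malformed and unroutable candidates, and then labels each one against a constructed list of known open proxies and previously compromised relays. The sample bytes, the address list (all drawn from documentation ranges) and the two labels are assumptions made up for the demonstration.

```python
import re
import ipaddress

# Constructed sample blob standing in for a malware binary (not real data).
# It carries an ASCII-encoded address, a UTF-16LE-encoded one, an
# out-of-range decoy "123.456.7.8" that a bare regex would accept, a
# loopback address, a version string and an address:port pair.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"203.0.113.45\x00"
    + b"cmd.exe\x00"
    + "198.51.100.7".encode("utf-16-le") + b"\x00\x00"
    + b"123.456.7.8\x00"
    + b"version 1.2.3\x00"
    + b"127.0.0.1\x00"
    + b"192.0.2.200:443\x00"
)

# Constructed stand-in for a list of hosts already known as open proxies or
# compromised relays (an assumption for this example, not taken from the
# FBI statement or the article).
KNOWN_SHARED_INFRA = {"203.0.113.45", "192.0.2.200"}

# Dotted-quad candidates in ASCII, not glued to further digits or dots.
_IPV4_ASCII = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
# Same shape in UTF-16LE, where every code unit is <byte>\x00.
_IPV4_UTF16LE = re.compile(
    rb"(?<![0-9]\x00)(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}(?![0-9.]\x00)"
)


def _usable(ip_text: str) -> bool:
    """Reject malformed octets and addresses that cannot be a remote relay."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:  # e.g. an octet of 456
        return False
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast
                or ip.is_link_local or ip.is_reserved)


def extract_ipv4_strings(blob: bytes) -> list[str]:
    """Hard-coded IPv4 literals in blob (ASCII and UTF-16LE), by offset, deduplicated."""
    hits = [(m.start(), m.group(0).decode("ascii")) for m in _IPV4_ASCII.finditer(blob)]
    hits += [(m.start(), m.group(0).decode("utf-16-le")) for m in _IPV4_UTF16LE.finditer(blob)]
    seen, result = set(), []
    for _, text in sorted(hits):
        if text not in seen and _usable(text):
            seen.add(text)
            result.append(text)
    return result


def classify_indicators(blob: bytes, shared_infra: set[str]) -> list[tuple[str, str]]:
    """Pair each extracted address with what it can tell an analyst.

    'shared-infra': a known open proxy or compromised relay, so the literal
    identifies a hop anyone could have used, not an operator.
    'unlisted': no match, which still only names a relay, not who used it.
    """
    return [
        (ip, "shared-infra" if ip in shared_infra else "unlisted")
        for ip in extract_ipv4_strings(blob)
    ]


if __name__ == "__main__":
    for ip, verdict in classify_indicators(SAMPLE_BLOB, KNOWN_SHARED_INFRA):
        print(f"{ip:<16} {verdict}")
```

Run against the constructed blob, the extractor returns the three routable addresses in file order and drops the 456-octet decoy and the loopback address; two of the three come back as shared infrastructure. That is the practical point behind the paragraph above: a hard-coded address tells you which relay the traffic passed through, and a relay that is already on everyone's open-proxy lists narrows the set of possible operators to anyone who can read such a list.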
Excerpted; full article link: http://www.counterpunch.org/2014/12/30/who-was-behind-the-cyberattack-on-sony/