Did North Korea Really Hack Sony?

kim jong unNot for the first time, official law enforcement is at odds with certain sections of the information security industry on the attribution of a particularly high profile cyber attack.

The case, of course, is the destructive hit on Sony Pictures Entertainment which not only forced the movie giant to close its entire network for over a week, but also led to embarrassing internal documents and communications leaking online.

Oh, and the movie which is said to have started it all – The Interview – was virtually withdrawn from North American cinemas after distributors feared for the safety of movie-goers.

On one side it’s the Feds, who believe North Korea was responsible for the attack. On the other, industry players who believe a disgruntled insider – possibly with help from others – was to blame.

FBI director James Comey this week claimed that the hackers in question got “sloppy” a few times and forgot to use proxy servers to hide their true location, revealing IP addresses used “exclusively” by North Korea.

“They shut it off very quickly once they saw the mistake,” he added, according to Wired. “But not before we saw where it was coming from.”

The agency’s “behavioural analysis unit” has also been studying the Guardians of Peace – the group claiming responsibility – and deduced that it displays many of the psychological characteristics of North Korean operatives, he added.

The Feds have already claimed that some of the code in the malware used in this attack had been previously developed by Pyongyang, and that some of the tools used were also deployed in the DarkSeoul attacks of 2013.

So far so clear? Well, not quite according to security consultant and Europol special advisor, Brian Honan.

“What was interesting is director Comey also stated they have not yet identified the original attack vector. So this makes it even more difficult to attribute who is behind the attack and makes it more important that the FBI and Sony provide assurances regarding their attribution, particularly given that this attack is resulting in diplomatic action impacting international relations,” he told me.

“It would also be useful for many other companies to have sight of the IP addresses that were used in this attack so they can add them to their own defensive measures to prevent attacks from those IP addresses against their networks and systems.”

This scepticism has been echoed throughout sections of the information security sector – with experts claiming that attribution is tricky at the best of times and that the Feds would be wise to hold fire until a detailed forensic examination has been undertaken.

US security vendor Norse, for example, claimed last week that any evidence linking North Korea to the attacks was purely circumstantial and that an investigation it undertook pointed to the involvement of a former employee.

Part of its reasoning is that the names of corporate servers and passwords were programmed into the malware fired at Sony, which would indicate an insider’s involvement.

Another sticking point is the motivation of North Korea. If it did carry out the attack in retaliation for The Interview, which lampoons the Kim Jong-un regime, the Guardians of Peace online missives didn’t even mention the movie until the media began pegging it as the cause.

It certainly wasn’t mentioned when the group were trying to extort a ransom for the stolen data online.

In the end, we’ll have to assume the Feds have more up their sleeves than they’ve admitted to right now if we’re to be convinced about the link to Pyongyang.

“Such information need not be shared with others as it would expose valuable intelligence sources, however knowing that is what is reinforcing the FBI’s claims would help those of us in the industry to accept those claims,” said Honan.

“The FBI do have very skilled technical individuals on the case which are no doubt supplemented by Sony’s own staff and any of the private computer security companies engaged by Sony. However, analysing log data and forensics takes a very long time so I would not be surprised to see additional details come out at a later stage.”

North Korea: business as usual for IT supply chain

kim jong unThere’s a great deal of ambulance chasing that goes on in the IT press. Spot any major geopolitical news event and some vendor will try and shoehorn in a thinly veiled sales pitch for their products and services in the most blatant way possible.

There are certain events which do bear closer analysis, though, and I think the situation in North Korea is one of them. Given the impact of the earthquake and tsunami in Japan 2011 and the Thai floods of that same year, on the ICT supply chain, it’s clear that major events in Asia can have knock-on effects.

The major impact of a possible conflict in Korea would be on Samsung, which is the world’s largest supplier of LCD panels, Flash and DRAM and a major producer of lithium-ion batteries and chips. However, if China were brought into the conflict, this may also spread risk to the huge number of tech manufacturers in the People’s Republic.

So are suppliers getting twitchy? Are staff and assets being moved around to minimise risk? Are customers spending their money on cans of tinned food and bomb shelters rather than Galaxy Notes?

Well, as I reported in The Reg, none of that so far actually. The main message has been one of “business as usual”, with a caveat of continued monitoring of the situation.

“We didn’t observe any significant drop in consumer sentiment so far and don’t expect any major changes unless North Korea really launches a missile. There has been no big changes in Korea’s import, export and sales activity but tourism and foreign capital inflow could be impacted,” IDC analyst YoungSo Lee told me.

“The tension in Korea won’t ease that quickly and there are people who have started stocking up on daily necessities and even pulled out some money from the banks. There is talk of some foreign vendors making plans to send senior executives back to their home countries but there is no concrete evidence of that yet. All of the above are sensible precautions in response to continued uncertainty over how the crisis might develop.”

That said, just because there is widespread public apathy towards the kinds of threats being uttered daily by Pyongyang doesn’t mean nothing will happen – it only takes one piece of military or political misjudgement to spark a full-on confrontation which could impact IT channels.

“There are low expectations of anything serious happening, perhaps only a minor skirmish in disputed seas between the North and South,” Canalys APAC MD Rachel Lashford told me. “But of course low expectations does not mean that the risk is definitely zero.”

So, long story short – no panic yet, but worth keeping an eye on for future developments. One thing North Korea is not known for is it’s predictability.