FBI faces skepticism over claim that N. Korea hacked Sony
It's been a week since the U.S. government blamed North Korea for the cyber-attack against Sony Pictures Entertainment -- and many security experts still aren't convinced Kim Jong-un is the culprit.
The FBI's announcement, rather than settling the debate, has only fueled widespread speculation over the source of the attack.
Skeptics claim the evidence the FBI cited is flimsy and inconclusive. They question whether Pyongyang really had the motive, or the ability, to scramble Sony's systems.
And they're pushing a range of alternative theories.
Could it have been a disgruntled former Sony employee? Another, more technologically savvy, foreign government? A private band of hackers?
"I think we definitely jumped the gun," David Kennedy, CEO of information security firm TrustedSec, told FoxNews.com on Friday. "A lot of [the evidence is] very circumstantial."
Kennedy, who testified on Capitol Hill last year on security concerns with HealthCare.gov, said he still believes an angry insider at Sony was behind it.
"They were going for destroying the company," he said.
The FBI has not edged off its assertion last Friday that North Korea is to blame. The bureau, after staying mum for days about the source of the attack, was definitive in declaring that "the North Korean government is responsible for these actions."
As a caveat, the bureau noted it could not share all the evidence it has. This leaves open the possibility that the FBI is sitting on a smoking-gun piece of evidence that links the hack to Pyongyang beyond the shadow of a digital doubt.
The evidence the FBI did share was this:
- Analysis of the malware "revealed links to other malware that the FBI knows North Korean actors previously developed."
- The FBI observed "significant overlap between the infrastructure used in this attack and other malicious cyber activity" previously linked to North Korea, like North Korea-tied IP addresses that allegedly communicated with IP addresses tied to the Sony attack.
- The "tools" used in the Sony attack were similar to those used in an attack in March 2013 by North Korea against South Korean companies.
Outrage over the claims of a North Korean attack fueled a patriotic show of support this past week for "The Interview," the comedy where Seth Rogen and James Franco play two reporters hired to take out North Korea's leader -- and helped bring it back to select theaters after Sony initially pulled it.
In a detailed rebuttal published this week, though, cyber-security expert Marc Rogers picked apart the FBI's case as "weak."
Rogers, who works at mobile security firm CloudFlare and runs security operations for an annual hacker conference, argued that the same piece of malware showing up in the Sony hack is "far from being convincing evidence" of North Korean involvement.
In a column posted on The Daily Beast, he speculated that the FBI was probably referring to two pieces of malware -- Shamoon, which hit energy companies and was found in 2012, and DarkSeoul, which hit South Korea last year.
But Rogers noted the Shamoon source code has already leaked. "Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator," he wrote.
He made a similar argument about the FBI's claims on the IP addresses.
Skeptics, including Rogers and Kennedy, also question the idea that the hack was North Korean retaliation for "The Interview." Though North Korea had objected to the film, skeptics say the initial messages from the apparent hackers did not cite the movie. That connection came later.
"It was more of an extortion case beforehand," Kennedy said.
North Korea, for its part, denies responsibility for the attack.
But Dmitri Alperovitch, with security firm CrowdStrike, backed up the FBI, telling Wired that the U.S. has more evidence proving North Korean involvement, and the government can't release it yet.
His company has been tracking the group behind DarkSeoul. Alperovitch told Wired the network is probably North Korean, and the attackers previously used search terms related to U.S. and South Korean military plans.
"Who else would it be [but North Korea] that would hit both Sony over the movie and South Korea and U.S. military networks looking for that type of info?" he told Wired.
An FBI spokeswoman declined to comment for this article, citing the ongoing investigation.
An intelligence source previously told Fox News that the evidence in the case raises the possibility that a country like Iran, China or Russia could have been involved along with North Korea.
Others speculate North Korea wasn't even part of it.
Kurt Stammberger, with the cybersecurity firm Norse, told CBS News that Sony was "essentially nuked from the inside," possibly by a former employee.
Kennedy said it's possible North Korea was involved, but the insider knowledge used still points to a former employee. He noted Sony had massive layoffs earlier this year, "a lot of them in the systems administrator field."
One other potential hole was poked in the government's claims this week when Taia Global, a cybersecurity consultant, analyzed the hackers' messages "in an attempt to scientifically determine nationality." The firm said the "preliminary results" showed the attackers were "most likely" Russian. The company said it's possible the attackers were Korean but "not likely."