Within days of the hack against Sony Pictures, the U.S. government came out and said, in no uncertain terms, the attacks originated from North Korea — and the nation-state of North Korea was involved. Well, both claims have raised eyebrows among private security researchers. Many just don't believe it.

Circumstantial Evidence

The FBI says the attack came from IP addresses — unique computer addresses — that trace back to North Korea.

But Scott Petry, a network security analyst with the firm Authentic8 says, you can spoof an IP address from anywhere in the world.

"The fact that data was relayed through IPs associated with North Korea is not a smoking gun," Petry says. "There are products today that will route traffic through IP addresses around the world."

Meaning traffic that appears to come from Pyongyang could have originated in Moscow or Baltimore.

The FBI also says the hackers used malicious software that North Korea has used in other cyberattacks.

Petry counters that, in the world of cyberattacks, criminals constantly are recycling code. A well-known attack against banks called the Zeus Trojan went open source a few years ago — so when a financial institution gets hit, the same malware often shows up.

Again, he says, it's no smoking gun: "It's like saying 'my god, this bank robbery was conducted using a Kalashnikov rifle — it must be the Russians who did it!' "

He says that the FBI's evidence is circumstantial at best, and that its public handling of the case is inconsistent with proper procedure in prior investigations.

Petry recalls back when he worked at Google, the search giant had evidence the Chinese government was trying to hack its servers, perhaps to mine emails from dissidents. The U.S. government, he says, counseled the company to keep quiet.

"There has never been any firm public attestation that the Chinese were responsible for any of those exploits," he says. "And yet in this instance, the FBI comes out in a matter of days and says it's North Korea, case closed."

The FBI declined to comment on the skepticism of Petry and other cybercrime experts, citing its ongoing investigation.

Nation-State Behavior

Himanshu Dwivedi with Data Theorem, Inc. is another skeptic.

"When you have any source attacker as a nation-state, one of the key goals that they traditionally have is persistence — which means staying in a location, obviously electronically, for a very long period of time," he says.

Dwivedi has investigated cyberattacks since the 1990s. He's worked on cases involving nation-state actors big and small, and he says it doesn't make sense that North Korea would want to make a splash: If they're trying to destroy data or, let's say, steal classified information we don't know about from a Sony executive, they'd keep quiet — not talk publicly.

Who It Could Be

The FBI is looking at data that most of the world cannot access, but Shlomo Argamon, a professor of computer science at the Illinois Institute of Technology and chief scientist with Taia Global, took a look at the data that's publicly available — including leaked emails, postings to Internet forums, and transcriptions of messages that appeared on hacked computers at Sony.

Based on the writing style, Argamon wanted to identify the most likely native language of the hackers. He considered four: Korean, Mandarin Chinese, Russian and German.

And in his analysis, he dissected sentences like: "One beside you can be our member." Meaning that anyone you meet might secretly be a member of the hackers' group.

It's a word-for-word translation from Russian — not from any of the other languages. And that's the pattern that led him to a finding he describes as significant: The hackers used phrasing most consistent with the Russian language.

"There was some consistency with Korean, but much, much less," Argamon says. "Which indicates that although it's possible that these messages were written by people whose native language is Korean, it is far more likely that they were Russians."

Argamon only has preliminary results so far, but he says much more analysis must be done in order to draw a strong conclusion — both by him, and by the FBI.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

ROBERT SIEGEL, HOST:

The U.S. government is still investigating the highly publicized cyber-attack against Sony Pictures. The FBI accused North Korea of carrying out the attack, a charge Pyongyang denies. We do know the hackers were not happy about the new Sony movie, "The Interview." By the way, we'll hear Bob Mondello's review of the film in a few minutes. First, the different conclusions some private security analysts are drawing about who hacked Sony. Here's NPR's Aarti Shahani.

AARTI SHAHANI, BYLINE: The FBI says the attack came from IP addresses, unique computer identifiers, originating in North Korea. Scott Petry, a network security analyst with the firm Authentic8, says you can fake an IP address from anywhere in the world.

SCOTT PETRY: The fact that the data was relayed through IPs associated with North Korea is not a smoking gun. There are products today that will route traffic through IP addresses around the world.

SHAHANI: Like Pyongyang or Moscow or Baltimore. The FBI also says the hackers used malicious software, code that's been used by North Korea in other cyber-attacks. Petry counters that in the world of cyber-attacks, criminals are constantly recycling code. There's a well-known attack against banks called the Zeus Trojan that went open-source - freely available to anyone a few years ago. So when a financial institution gets hit, the same malware often shows up. Again, Scott Petry says it's no smoking gun.

PETRY: It's like saying my God, this bank robbery was conducted using a Kalashnikov rifle. It must be the Russians who did it.

SHAHANI: He says the FBI's evidence is circumstantial at best. And its public handling of the case is inconsistent with proper procedure in prior investigations. Petry recalls back when he worked at Google. The search giant had evidence the Chinese government was trying to hack its servers, perhaps to mine emails from dissidents. The U.S. government, he says, counseled the company to keep quiet.

PETRY: There has never been any firm public attestation that the Chinese were responsible for any of those exploits. And yet in this instance, you know, the FBI comes out in a matter of days and says it's North Korea, case closed.

SHAHANI: The FBI declined to comment on this skepticism, citing its ongoing investigation.

HIMANSHU DWIVEDI: When you have any source attacker as a nation state, one of the key goals that they traditionally have is persistence.

SHAHANI: Himanshu Dwivedi with Data Theorem is another skeptic.

DWIVEDI: Which means staying in a location - obviously electronically - for a very long period of time.

SHAHANI: Dwivedi has investigated cyber-attacks since the 1990s. He's worked on cases involving nation state actors big and small. And, he says, it doesn't make sense that North Korea would want to make a splash.

DWIVEDI: Because there's no motivation as a nation state to communicate.

SHAHANI: The FBI is looking at data that most of the world cannot access. But Shlomo Argamon, a professor of computer science at the Illinois Institute of Technology, took a look at data from the cyber-attack that is publicly available, like leaked emails, postings from Internet forums...

SHLOMO ARGAMON: Transcriptions of messages that appeared on hacked computers at Sony.

SHAHANI: And Argamon did a linguistic analysis. Based on the writing style, Argamon wanted to identify the most likely native languages of the hackers. He considered four - Korean, Mandarin Chinese, German and Russian.

ARGAMON: There was some consistency with Korean, but much, much less, which indicates that although it's possible that these messages were written by people whose native language is Korean, it is far more likely that they were Russians.

SHAHANI: Argamon only has preliminary results so far. He says before drawing a strong conclusion, he's got more analysis to do, and so does the FBI. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate