Friday, December 19, 2014

Sony, the FBI, and NK

The FBI came out saying they thought North Korea hacked Sony: http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.

The main points are that the malware code looked like it reused code previously attributed to North Korea, that the malware uses NK IP addresses, and that the "tools" used were similar to those in a South Korean bank attack believed to be from NK, whatever that means. Here is the problem, from the U.S. intelligence department's own mouth:
Another indicator pointing to U.S. intelligence is the familiarity with Sony’s computer network. “It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords,” Rogers notes. “While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider.”


That is still all true, which makes the FBI release read like nonsense to me. Consider the possibility of a pure North Korea attack with no insider. The attacker would need to gain access to Sony's network, likely through an email phishing attack or maybe an undetected web attack; then gain access to many files, find passwords in password files, system documentation and diagrams, and piece together the information needed to build this malware. While that is possible, it makes no sense at all to me. Once you have that level of access and understanding, writing malware is the last thing you would do. At that point you simply use normal system tools to extract all the data you want without being detected or leaving malware behind. Anyone knowledgeable enough to create this malware would know better than to use malware if they already had all the access they needed without it. This scenario makes no sense to me and, as the quote above states, doesn't pass the Occam's razor test. Suppose instead that they had access but couldn't use the tools they needed to get the data, and so had to write their own code... It still doesn't pass the test unless they know something they aren't telling us, which is possible but requires still more assumptions and therefore still doesn't pass the test.

What does pass the test is an insider with this knowledge who is either behind the attack or willfully gave up this information to an attacker and is part of the attack. The attacker could still be North Korea, but only with an insider's help. More likely than that, though, is an insider working with an outside group that has the skills needed, is intent on financial gain by extorting money from Sony, and had the idea of blaming North Korea, or just Korea in general, for the attack to cover their tracks. If they knew how the company, the media and governments would jump on it for their own self-interests, they are brilliant. But I'm guessing they didn't know it would work out so well and simply rolled with it when the NK part of the story took on a life of its own. And why not? Now that the FBI has said what it said, for whatever reason, it is hard for me to picture them finding and bringing to justice the criminals involved if it turns out NK wasn't behind it. That is the dangerous part of this game, which I predict will be played out again and again. How easy is it to get away with a crime like this and blame a nation state if we are so willing to let the nation state be blamed?