The FBI declined to name the source of the Sony Pictures hack during a U.S. Senate hearing on Wednesday.
"I won't touch on the attribution piece because we're still working very hard on that," said Joseph Demarest, assistant director of the FBI's cyber division. Demarest's comment was in reply to questions from Sen. Charles Schumer (D-NY) during a hearing of the Senate Banking Committee.
"I think most of us were shocked at the sophistication of the breach of Sony," Schumer said. "Fingers are pointing to North Korea. It's sort of surprising that a country like North Korea, which is sophisticated in a few areas but not very sophisticated in most, would have such an amazing ability to turn a large company into a knot."
Schumer was referring to the speculation that North Korea was behind the Sony hack, which crippled its employees' computers and has leaked gigabytes of internal documents, many of them embarrassing revelations. Much of that speculation, although not all, has been based on North Korea's vehement denunciation of an upcoming Sony film, The Interview, a comedy whose plot revolves around an assassination attempt against that country's dictator, Kim Jong Un.
The North Korean government has denied responsibility. But it still applauded the hack, calling it "a righteous deed" of its supporters and sympathizers in a statement from the National Defense Commission, the group that controls the country's huge military. The statement was released by the Korean Central News Agency mouthpiece on Sunday.
Demarest reiterated what some other security experts have said about the hack, characterizing it as out of the ordinary. "The level of sophistication is extremely high and we can tell...that they are organized and certainly persistent," Demarest said of the attackers.
He went further. "In speaking with Sony and separately, the Mandiant security provider, the malware that was used would have slipped or probably gotten past 90% of Net defenses that are out there today in private industry and [likely] challenged even state government," Demarest asserted.
Sony hired Mandiant to help it analyze the attack and research the source.
Even though much of the focus has been on North Korea, some security professionals have said it's unlikely the rogue nation's fingerprints are on the attack.
"Their capabilities are just not that great," said Tom Chapman, director of cyber operations at Edgewave, a San Diego-based security firm, in an interview earlier this week. Chapman is a former U.S. Navy cyber-warfare commander. "Of the hacks we know [launched by North Korea], almost all were denial-of-service attacks."
Unit 121, as the North Korean military's cyber warfare group is known, certainly has the capabilities to conduct denial-of-service attacks, said Chapman. But he was dubious it could do more than that. "We haven't seen [Unit 121] do this before, we haven't seen it do a crippling attack."
Chapman also wondered why North Korea would risk an attack during one of its periodic attempts at slightly warmer relations with the West. "They just released three hostages," said Chapman, talking about the freeing of three Americans -- two of them in early November -- who had been imprisoned on spying charges. "[A hack] would be counter-productive in the eyes of the [North Korean] government at this point."
But Chapman acknowledged that it was possible North Korea had hired outsiders or that sympathizers might be responsible. "Cyber is cheap," Chapman said. "You can get a lot of programmers in Asia for a little bit of money. And it could have been a sympathizer in China or even Sacramento."
On Wednesday, Demarest and others testifying before the Senate described the ease with which anyone could become a fairly proficient hacker simply by spending a few thousand dollars for off-the-shelf tools available from the digital black market, lending credence to Chapman's belief that it a nation state need not be involved.
Their point was that the skills necessary to carry out the Sony hack are not limited to first-tier nations known for cyber capabilities, like Russia, China and Iran, or even a second-stringer like North Korea, but are present throughout cyber crime gangs, whose abilities often exceed that of military cyber squads.
"Senator Schumer, we can make you a hacker in 30 minutes, based on the tools that are currently available in the underground," Demarest said.
Schumer said he doubted that and held up his mobile phone, a simple feature phone, drawing laughs from the hearing room.