So who was really behind the Sony hack? And does it really matter?
We’ve certainly seen some amazing ups and downs in our efforts to answer the first question. Initially, everyone fixated on the previously unknown, Anonymous-like hacker group Guardians of Peace, which took credit for the hack. Then the media began speculating that the hack had something to do with the movie The Interview. Since the movie involved the assassination of North Korea’s leader, Kim Jong Un, the suspicion arose that North Korea was the real culprit. There was a backlash against this suggestion, with many experts explaining why North Korea’s involvement was unlikely. Ira was in this camp.
From there, things got really interesting. The hackers seemed to latch onto the media speculation, demanding that Sony not release The Interview, even threatening 9/11-style attacks against theater-goers. Theater owners panicked and refused to book the movie. Sony capitulated and canceled the Dec. 25 release. Then came another backlash, and in the name of patriotism, Sony put the movie out, mostly in smaller, independent theaters, as well as online.
Meanwhile, the U.S. government expressed confidence that North Korea was responsible for the attacks. The media reaction to that was to seek out computer security experts who would argue that the government was wrong.
Analysts at security consulting firm Norse, having performed independent research on some of the compromised data and looked at hacker message boards, came up with their own theory: that a former Sony employee provided information to former Lulzsec members, thus enabling the attacks. Norse noted that the malware used in the attacks included insider credentials. It also contended that North Korea would not act so childishly and would not have deployed the same command-and-control structure it had used in the past.
To be clear, it is possible that a laid-off, disgruntled employee sought out parties to exact revenge. That in no way means that this was the actual source of the attack in question. Sony, like all large organizations, is actively being targeted by many parties for many reasons.
The people second-guessing the U.S. government accusations essentially argued that it was more likely that the attackers were just malicious, if clever, script kiddies, and not representatives of an unpredictable, vindictive and destructive nation-state. In doing so, they completely discounted the fact that U.S. government has billions of dollars of surveillance technology, and that the National Security Agency over the past year has notoriously been accused of collecting and analyzing every bit of data in the universe.
After the new year, however, when President Obama announced sanctions against North Korea, the media generally got in line. It was clear that the U.S. government was confident enough in public and classified information to take action. We have also revised our early assessment, having recognized that the government wouldn’t be so confident unless it had information that the rest of us aren’t privy to. And having once worked at the NSA, he can well believe that’s true.
But what about that second question: Is it important to know and understand your attacker? Yes, it is.
Then the question to ask is, How likely is it that an insider was involved? As various people, including the Norse analysts, have noted, the malware used in the Sony attack did have administrator credentials hardcoded into it. But that doesn’t prove insider involvement.
A reasonably competent attacker can obtain insider credentials in a matter of hours. A skilled attacker can do it in less than an hour. But even minimally skilled attackers can launch spearphishing attacks, obtain low-level access into an organization, and then troll the network for elevated privileges. So the fact the Sony hackers had administrator credentials says little about the identity of the hackers, especially given that there were widespread vulnerabilities throughout the network, according to the leaked documents.
On the other hand, the malware did use the command-and-control infrastructure that was previously used by North Korea. The malware used in the attack was previously used in North Korean attacks. With the so-called Dark Seoul attack, North Korea did previously use destructive malware against South Korean financial organizations.
To some people, all of this argues against North Korean involvement. They figure that state-sponsored hackers wouldn’t be so careless as to leave so many tracks that could allow for easy attribution. Well, if there is anything that we have learned in our combined four decades of investigating computer-related crimes, it’s that you should never underestimate the stupidity of criminals.
Even the most advanced hackers will make mistakes. Many criminals are arrogant enough not to take significant steps to cover their tracks. But even when that is not the case, mistakes will be made. For example, while Stuxnet was the most advanced malware at the time, the lack of a kill switch caused the malware to spread well beyond the intended targets, allowing for its identification and the exposure of intelligence methods.
Also, even when attackers have a variety of tools and infrastructures available to them, they tend to use the ones that have provided repeatable success. Why deviate too far from a successful pattern? And Sony’s lack of strong security apparently gave the attackers little reason to change their tried-and-true methodologies.
When you examine attack attribution, the details don’t always point to a specific pattern, as nice as that would be. You must frequently look to the attack infrastructure and other attack fundamentals. In this case, the high-level patterns do match North Korea, and this is not even considering any classified data that might be available.
But is it possible that the attackers purposefully mimicked North Korean strategies to throw off investigators? Yes, it’s possible. Still, is that possibility more likely than the attackers actually being agents of North Korea? Not at all.
Knowing what we know now, we would have to say that North Korea used its traditional attack infrastructure. Its hackers used malware they were very familiar with. Although the supposed extortion demand doesn’t quite fit that scenario, everything else seems to point to a North Korean attack. And it is very difficult to discount the evidence that the U.S. government has intelligence sources that more definitively tie North Korea to the Sony attack.
Sony can move forward on a fairly strong assumption that the guilty party was North Korea. Chances are, though, that if your organization is attacked, the circumstances won’t merit the involvement of the FBI and federal intelligence agencies. That being the case, you need to come up with a rational analysis of your likely attacker on your own.
In almost all cases, criminals leave enough clues, in their targets and methods, to identify them; never underestimate their stupidity. When you examine what the criminals have targeted and the methods they used, you can potentially extrapolate other attack elements. You can also go to peers at other organizations, or look to law enforcement or Infragard for advice.
Ideally though, you will have a proactive threat intelligence program. You should identify the most likely attackers and take steps to address the vulnerabilities they are most likely to exploit.
With or without a threat intelligence program, you still need to ensure that basic security precautions are taken. Sony was vulnerable to just about any attacker. The malware used on Sony’s systems could have been detected with adequate anti-malware software. The fact that terabytes of data could be downloaded, supposedly including full-length movies, which constitute Sony’s most prized intellectual property, demonstrates that Sony inadequately monitored critical assets and network traffic. North Korea may have thousands of cyberwarriors who were available to target Sony, but in fact it deployed nothing that an appropriate security program couldn’t have stopped.
Enterprise-size organizations like Sony must assume that they are being targeted by everyone from script kiddies to nation-states. While no security program will provide perfect security to such an organization, enterprise organizations do require robust security programs that account for the most likely and most basic attacks. It would require a series of articles to outline the composition of such a program, but it certainly would include anti-malware software that should have prevented the malware used in the attack against Sony. Similarly, you would not see leaked memos documenting blatant and purposefully unmitigated security vulnerabilities.
A threat/security intelligence program would tell you where to enhance resources to the more critical and advanced threats that you face. There should always be some prioritization, based upon a reasonable expectation as to the likely nature of the attacks that you will face.
If Sony had implemented the appropriate security countermeasures, it could have at least detected the presence of malware on its network and prevented the destruction of its systems. This would have also given it the opportunity to proactively search its network for other signs of compromises.
Yes, understanding the threat does matter.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site, securementem.com.