N. Korean hackers linked to Sony cyber attack
As a senior FBI official voiced doubts last week about North Korean government involvement in the cyber attack against Sony Pictures Entertainment, U.S. intelligence and security agencies increasingly are convinced Pyongyang or those sympathetic to the regime of Kim Jong Un carried out the highly sophisticated cyber strike.

Publicly, the FBI played down the damaging attacks against a major U.S. corporation. FBI Assistant Director Joe Demarest said at a Senate hearing and in other public remarks that there is no conclusive evidence linking the attacks to Pyongyang’s cyber attackers.

The comments by Demarest were typical of the federal government response to threats and attacks under President Obama, whose administration systematically has sought to play down or ignore various threats and incidents by states like North Korea, Iran, China and Russia. The response is part of the left-liberal foreign and national security policies aimed at seeking closer ties to adversaries — often at the expense of America’s friends and allies.

Additionally, the official vagueness in playing down the identification of North Korean agents or surrogates in the Sony network attacks appears designed to reduce pressure on the administration to take action in response. The administration is under increasing demands from the private sector for government to develop policies and to take effective countermeasures against what is becoming a strategic threat to U.S. economic interests and ultimately national security.

The White House has said it has adopted a passive approach to cyber attacks and has sought to deal with them through diplomacy and discussions in international forums.

At Fort Meade, Md., analysts at the National Security Agency and U.S. Cyber Command internally have concluded the cyber attack against Sony almost certainly is North Korean in origin, based on forensics and motive, according to defense sources. A group called the Guardians of Peace has claimed responsibility.
Analysis of the malicious software used in the cyber attacks shows clearly that sophisticated code was used. The main evidence linking the malware to North Korea was the discovery of Korean language embedded within it. Additionally, the attacker’s software relied on internal Internet Protocol addresses and user credentials obtained from Sony employees that demonstrated lengthy pre-strike reconnaissance of Sony networks.

As for motive, the studio’s role in producing the forthcoming comedy “The Interview” is another indicator. The movie storyline involves a plot by the CIA to use two journalists to assassinate North Korean leader Kim Jong Un. North Korea has said release of the film would be tantamount to an act of war. The film is scheduled for release Dec. 25.

The attacks were carried out two weeks ago and have produced a financial and corporate nightmare for the movie company. Computer networks were penetrated and 100 terabytes of data stolen, including unreleased films, personal information of actors and movie executives, and emails on sensitive discussions. Some storage media was destroyed. The stolen files were posted online and news outlets have been reporting regularly on salacious revelations from the pilfered data. Financial losses for the company could be as high as $100 million, according to private analysts.

According to authorities and security analysts, the group that claimed responsibility, the Guardians of Peace, is a cover name for what analysts call a “false flag” operation – an intelligence term that provides plausible deniability for the Pyongyang regime.

A North Korean government spokesman said Dec. 7 that the Pyongyang regime was not behind the hacking attack. However, state-run North Korean media quoted a spokesman as saying that the country had “a great number of supporters and sympathizers” around the world, including what it termed “champions of peace” – language similar to the name of the group Guardians of Peace.
Additionally, the Sony hack was very similar to the cyber attacks carried out against South Korean media outlets. For example, between April and June of 2012 a hacker authorities identified as “IsOne” struck the networks of the JoongAng Ilbo, a conservative South Korean daily. Following advanced reconnaissance, the cyber attack destroyed the newspaper’s production system, along with the databases for articles and photographs. Large numbers of files obtained in the hack were posted on a South Korean message board.

Authorities in South Korea identified the IP address used by the hacker as belonging to the Korea Post and Telecommunications Corporation, an entity under the North Korean Ministry of Post and Telecommunications. The company had leased the IP address from a Chinese company.

“The Guardians Of Peace are people who love Glorious Leader and have computers,” said one security analyst, noting that the only people who have access to computers linked to the Internet in North Korea are government-affiliated specialists.

The malicious software used to wipe drives of data is called Destroyer by some analysts and WIPALL by others, and it was customized for the attack on Sony based on careful mapping of the company’s network. The stolen files were posted on Pastebin.

Seven proxy servers used in the attack were traced to Thailand, Poland, Italy, Cyprus, Bolivia, Singapore and the United States, another sign of state-level sophistication. Advanced cyber attackers are capable of routing their attacks through servers around the world in order to make it difficult to identify the source.

The FBI issued a warning to industry after the Sony attack, saying that the wiper software can overwrite an infected network’s master boot record and all data files, making the threat especially nefarious.

House Intelligence Committee Chairman Rep. Mike Rogers told reporters that he believes North Korea is the likely culprit. “I would argue as a former FBI agent that, when a nation state says that ‘This group … did this on behalf of the North Korean people … and we appreciate it,’ as we would say in the FBI: that is a clue,” Rogers said.

A security report by Hewlett-Packard published in August said North Korean cyber attacks follow distinct patterns like those used in the Sony attack: careful reconnaissance, the use of destructive wiper malware and theft of data. “The majority of the incidents attributed to North Korean actors consistently used wiper malware,” the report said, noting that the groups that claim responsibility for North Korean-linked attacks are relatively unknown. “These factors seem to indicate that a single group may have been responsible for several attacks over time, using different group names as a false flag,” the report said.

– Bill Gertz
Dec. 13, 2014