FBI's Sony Attribution: Doubts Continue
Security Experts Question Scant North Korean Evidence in Hack
FBI Director James Comey's Jan. 7 remarks defending the bureau's attribution of the hack attack against Sony Pictures Entertainment to "North Korea actors" haven't silenced many information security experts, who say they remain unconvinced there's enough evidence to attribute the attack to anyone (see FBI Defends Sony Hack Attribution).
Comey said he has "very high confidence about this attribution to North Korea, as does the entire intelligence community." Responding to doubters, he added that the bureau simply has access to details that they don't. "They don't have the facts I have. They don't see what I see," he said.
Comey offered an additional piece of evidence to substantiate the FBI's attribution, revealing that attackers several times "got sloppy" - by failing to hide behind a proxy server - and thus inadvertently revealed their real IP address, which the FBI found corresponded with addresses used "exclusively" by North Korean-backed hackers in the past.
But that statement doesn't hold up, argues Brian Honan, a Dublin-based information security consultant who's a cybersecurity adviser to Europol. "Anyone working in the field of computer security knows any IP address can be compromised or spoofed to shield a true attacker's real identity," he says.
The attackers could even have faked the apparent goof cited by the FBI. "We've known for years that leveraging IP addresses for definitive evidence has been suspect," says Carl Herberger, vice president of security solutions at application delivery firm Radware. "We also know that hackers and criminals leverage all sorts of global [network address translations services] and multiple proxies, including ones within 'difficult jurisprudence domiciles' such as North Korea. Given this, how do we conclude from the FBI data that the government of North Korea was behind this?"
Questions Remain
If Comey's speech was meant to address and rebut the continuing technical questions related to the bureau's Sony Pictures hack attribution, multiple information security experts argue that he failed, in part because the scant additional piece of supposed evidence cited by the bureau - relating to attackers' supposed IP addresses - reveals nothing. "They keep saying things that are not proof, as proof," the zero-day vulnerability broker known as the Grugq says via Twitter.
"Director Comey really has not added any further information to convince me and many other security experts that this attack was backed by North Korea," Honan says, noting that IP addresses located in Japan, Taiwan and Thailand were also reportedly used by attackers.
"To be honest with you, I feel less confident that we have a solid case, if this is the sum total of their evidence that this is a state-sponsored attack," Radware's Herberger says.
On the other hand, some other security analysts have publicly backed the FBI's attribution, and questioned why others are continuing to express doubts. "The real issue is lack of trust in the government," James A. Lewis, who's a senior fellow at the Center for Strategic and International Studies - a public policy research institution based in Washington, D.C. - says in a blog post. He notes that a strong component of attributing the Sony hack to North Korea involves an attempt to deter future cyber-attacks.
Lewis adds that "national technical means" - an intelligence term that refers to covert reconnaissance, for example the use of satellites - have been used to make the North Korea attribution, and that cyber-related technical means remain classified. "The technologies use new kinds of sensors to collect data, including opponent malware - the malicious software [used] in an attack - and attacker identities," he says. "Many commercial entities also use Internet sensors; the chief difference is the ability of government agencies to blend other forms of intelligence with Internet data and, of course, a willingness to undertake covert activities."
Nevertheless, many security experts continue to question the FBI's attribution. Honan, who also heads Ireland's computer emergency response team, says that a big red flag about the FBI having already attributed the attacks is that the bureau still doesn't know how Sony was hacked. In his Jan. 7 speech, Comey said "the likely vector" was a spear-phishing attack that began by September 2014. But that's a likely vector for almost any kind of hack, security experts say.
Did Attackers Hack North Korea First?
The Pyongyang-based government of North Korea, led by Kim Jong-un, has continued to dismiss the FBI's attribution.
Another explanation for attackers using a North Korean IP address is that the country's Internet backbone providers may have been hacked. Jeffrey Carr, CEO of threat-intelligence firm Taia Global, notes in a blog post that the North Korean Internet is handled via Star JV - a joint venture between North Korea's telecommunications firm and Loxley Pacific, or Loxpac, which is itself a joint venture composed of businesses based in Finland, Taiwan and Thailand. "It would be a simple matter to gain access to Loxley's or Loxpac's network via an insider or through a spear-phishing attack and then browse through [North Korea's] intranet with trusted Loxpac credentials," Carr says.
An @hpsecurity report from August 2014 discloses how vulnerable ports are in NK's IP blocks. http://t.co/avhevnSPS8 p.15. Child's play.
- Jeffrey Carr (@jeffreycarr) January 8, 2015
Any Other Sources?
Many security experts say that the FBI could take several further steps to better substantiate its allegation that North Korea hacked Sony Pictures Entertainment. For starters, if the bureau is relying on additional types of evidence - beyond the IP addresses it's cited - then it should say so, Honan says.
"Given that it takes many months to conduct a proper forensic investigation into a cyber-attack, the FBI may have intelligence and information from other sources to support their claims. If so, it would be useful for the FBI to state that - not that people would expect them to reveal their sources, but to provide assurances that their allegations are not based solely on logs from the attack," he says.
Given "serious diplomatic implications" of the attack attribution, Honan also recommends that both Sony and the FBI share the evidence "with a number of respected cybersecurity experts who could then independently verify or critique the claims. These experts need not share the raw data with the rest of the world, but could provide an independent opinion on the matter."
Based on what the FBI has said to date - including making technical assertions that continue to be questioned by outside experts - it might behoove the bureau to make a better case for its attack attribution. "In the current climate of distrust, it might serve any government well - who wishes to make such allegations - if they were able to give some indication of how they can be so sure that a set of IP addresses were used exclusively by one party," says Alan Woodward, a visiting computer science professor at the University of Surrey, as well as a cybersecurity adviser to Europol.
"I could fully understand if the FBI has some supplementary intelligence that lets them make such an assertion - and that they may not be able to share that in public - but they never quite seem to say that," Woodward says.
(News Writer Jeffrey Roman contributed to this story.)