WASHINGTON/BOSTON – U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month’s massive cyberattack against Sony Pictures, an official close to the investigation said.
As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, the official said Monday, U.S. investigators are looking at the possibility that Pyongyang “contracted out” some of the cyber work. The official was not authorized to speak on the record about the investigation.
Johannes Ullrich, dean of research at SANS Technology Institute, said the attacks could have been carried out by independent hacker groups, possibly with help or direction from North Korea. “Sometimes state actors use the hacker groups and stay at arm’s length, but are helping these groups,” he told reporters.
The free flow of information among hacker groups and rogue nations could mean multiple parties were involved, Ullrich said. He noted that the Sony attack “did not require a high level of sophistication, but what it required was persistence, to find the weak spot to get in.”
The attack on Sony Pictures Entertainment Inc. is regarded as the most destructive against a company on U.S. soil because the hackers not only stole huge quantities of data, but also wiped hard drives and brought down much of the studio’s network for more than a week.
While U.S. officials investigate whether North Korea enlisted help from outside contractors, the FBI stood by its previous statement that Pyongyang was the prime author of the attack against the Sony unit.
“The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment,” the FBI said in a statement to Reuters.
North Korea has denied that it was behind the Sony attack and has vowed to hit back against any U.S. retaliation.
Even after Washington pointed the finger at North Korea for the massive cyberattack on Sony Pictures, vowing a “proportional response,” private security experts say the evidence is far from clear cut, and have begun to question whether Pyongyang was involved at all.
“I’m skeptical about the claim and I would be even more skeptical that the North Koreans did it on their own without help from a third party or government,” said John Dickson, a former U.S. Air Force intelligence officer who is now a partner in the cybersecurity firm Denim Group.
The North Koreans “certainly have the will to poke us in the eye,” but “don’t have the critical mass skills of other nation states” to carry out an attack of this kind, Dickson told reporters.
Mark Rasch, a former federal cybercrimes prosecutor, said: “I think the government acted prematurely in announcing unequivocally that it was North Korea before the investigation was complete. There are many theories about who did it and how they did it. The government has to be pursuing all of them.”
The FBI said its determination that North Korea was behind the hack was based on information from a variety of sources, including intelligence sources, the U.S. Department of Homeland Security, foreign partners and the private sector. “There is no credible information to indicate that any other individual is responsible for this cyber incident,” the agency said.
Kevin Mandia, whose security firm was hired by Sony to investigate the attack, said the only way to know who the culprits are is to trace the network traffic from the infected machines back to the hackers’ machines. Only the government and Internet service providers have that kind of visibility, he added.
“I don’t have the data that they have to come up with that conclusion,” Mandia, chief operating officer of FireEye Inc, said in a video interview. “Every attack loops through numerous machines. You have to peel that onion all the way back. It isn’t an easy thing to do.”
Security experts note that it is relatively easy for hackers to route their attacks through third parties to disguise their location, and that it is nearly impossible to conclusively show the source of an attack.
Security technologist Bruce Schneier of Co3 Systems, also a fellow at Harvard’s Berkman Center, said he also doubts the role of North Korea. “The truth is we don’t know,” he said. “There are facts that are classified and not being released.”
North Korea has been seen as the source of the malware, presumably due to anger at the cartoonish portrayal of the Pyongyang regime in the comedy film “The Interview.”
But a linguistic analysis of the malware by the Israel-based security firm Taia Global said the native language of the hackers appeared to be Russian, not Korean. The study concluded that the software authors were not native English speakers, and that the translation errors pointed away from the Koreans.
“We tested for Korean, Mandarin Chinese, Russian and German,” the report said. “Our preliminary results show that Sony’s attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German.”
Other experts argue that the Obama administration would not publicly name North Korea unless it had solid evidence.
“I’m amazed that people continue to have doubts,” said James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies. “People love conspiracy theories.”
Lewis insisted that U.S. intelligence has the capability to locate the source of the attacks, and there is no domestic political need to blame North Korea. “The intelligence community would never have let (Obama) stick his neck out on this unless they had a high degree of confidence about this,” he said.
Yet Paul Rosenzweig, a former U.S. Homeland Security official who now heads a consulting group, said “it is worth considering the opposing view.” In a post on the Lawfare blog he wrote, “In the post-Watergate/post-Snowden world, the (government) can no longer simply say ‘trust us.’”