As North Korea Loses Internet, Anonymous, Others Question Whether It Really Hacked Sony
WASHINGTON -- North Korea's Internet service went down in a suspected cyberattack Monday, just days after the U.S. government blamed the country for hacking Sony Pictures Entertainment and the White House said it was considering a "proportional response" to the crime.
Doug Madory, director of Internet analysis at the U.S.-based Internet performance company Dyn, which first detected North Korea's Internet problems, told HuffPost Monday that the explanation could be benign. But, he added, "another explanation is that [North Korea is] experiencing a DDOS attack" -- that is, a distributed denial-of-service attack, a common type of hack.
"This does not look like anything that we've seen before," said Madory.
Bernadette Meehan, a spokeswoman for the National Security Council, wouldn't respond to questions about U.S. culpability Monday. Instead, she referred HuffPost "to the North Koreans for questions about their systems."
The allegations of attacks and counterattacks, the non-denials and the unanswered questions add yet more chapters to an international drama that has engulfed a movie studio, derailed a Christmas-season blockbuster and pitted a totalitarian regime against the U.S. government. And no one seems to be exactly sure what is happening, or why.
On Friday, the FBI released a statement blaming the North Korean government for the massive cyberattack against Sony last month. President Barack Obama also said over the weekend that he was considering re-adding North Korea to the United States' terrorist watch list.
But North Korea has continued to deny that it's behind the Sony breach, and the group that has claimed responsibility -- the hacking collective Guardians of Peace -- ismocking the FBI online, according to The Daily Beast. Some security researchers, as well as members of the hacktivist group Anonymous, are questioning whether there is enough evidence to blame North Korea at all.
"I have yet to see evidence of North Korea behind this," Kyle Wilhoit, a senior threat researcher at Trend Micro, a Japanese security firm, told HuffPost on Monday. Wilhoit argued that just because the FBI sees similarities between the code used in the Sony hack and other North Korean malware doesn't mean it was the same attacker.
"The language of the binary (Korean) is a bad way to attribute anything," he said in an email, adding, "I know the US likely has far more data they can't share, but until I see some proof, I'm skeptical."
Marc Rogers, head of security for the recurring hacking conference Def Con, argued in a blog post Sunday that the FBI's claim that certain Internet protocol (IP) addresses point to North Korea "is perhaps the least convincing of all." IP addresses, Rogers noted, "are often quite nebulous things."
Meanwhile, Kim Zetter wrote in Wired that nation-state attackers "generally don’t chastise their victims for having poor security" or post "stolen data to Pastebin," as occurred in the Sony hack. "These are all hallmarks of hacktivists -- groups like Anonymous and LulzSec," Zetter wrote.
A hacktivist associated with Anonymous told The Huffington Post that "Anonymous doubts that [North Korea] did that Sony Attack." As to who might be behind it, the hacktivist suggested "a troll or the U.S. government. Some people just want to see the world burn :P" (Here's the reference, for those unfamiliar.)
Another hacktivist associated with Anonymous, who goes by the Twitter handle@AnonyOps, told HuffPost that "unless these 'unnamed US officials' go on record and present the evidence, I'm suspicious." AnonyOps added, "When it comes to malware, because so many nation states are some of the most prolific developers of it, I'll wait until the proof is public."
But other cybersecurity experts who are closely following the hack say the FBI's North Korea claim may indeed have merit.
Dmitri Alperovitch, the co-founder and CTO of CrowdStrike, which conducts data breach investigations, said that independent of the FBI, "we have a high degree of confidence ourselves" that North Korea was behind the attack. (He said he "can't discuss" whether his company is investigating the data breach with Sony.)
Alperovitch believes the hack is the work of "Silent Chollima" -- the name CrowdStrike has given to a group of North Korean hackers who have been active since at least 2006. Silent Chollima launched a major attack in 2009 against dozens of websites in the United States and South Korea. Alperovitch acknowledged that Silent Chollima hasn't posted stolen materials on Pastebin before, as has happened with the Sony data, but said that "when you have a trail of breadcrumbs a mile long that's all pointing the same direction and you've got a motive with the movie, it's pretty clear that this is the same actor."
In June, North Korea threatened to retaliate against the United States unless it agreed to not release "The Interview," a comedy directed by Seth Rogen and Evan Goldberg about assassinating North Korean leader Kim Jong Un. Sony had scheduled "The Interview" for a Christmas release date, although it's now not clear when or in what form the movie might see the light of day.
Sony Pictures CEO Michael Lynton told NPR's "All Things Considered" on Friday that he has hired Mandiant, a FireEye company, to do forensics on the hack. Richard Bejtlich, chief security strategist for FireEye and a former Air Force intelligence officer, said he is not allowed to comment on clients.
"I understand why some people" have doubts about attributing the Sony hack to North Korea, said Bejtlich. But he added that "they are holding investigators to a standard that likely exceeds those found in courts of law."
All of which brings us to Monday, when North Korea's Internet began suffering widespread outages. The White House had, in the days proceeding, ruled out what one Defense official described to The New York Times as a "demonstration strike" in retaliation. During a Monday briefing, Marie Harf, a spokeswoman for the State Department, called on the North Korean government to "admit the culpability and compensate Sony" for the financial damage the hacks have caused.
But Harf also offered an interesting choice of words when discussing the administration's possible response to the responsible parties.
“As the president said, we are considering a range of options in response,” she said. “We aren’t going to discuss, publicly, operational details about the possible response options -- or comment on those types of reports in any way -- except to say that as we implement those responses, some will be seen, some may not be seen.” (hufpost)