After weeks of speculation linking state-sponsored hackers from the Democratic People's Republic of Korea to the massive Sony Pictures Entertainment data breach, the Federal Bureau of Investigation today officially pinned responsibility for the incident on the North Korean government.
In its full statement, the FBI said weeks of investigating the incident, both with Sony and with other U.S. government agencies, revealed that North Korea was responsible for the Sony Pictures hack. Though the investigative agency declined to share all of its sources and information, it did say that the wiper malware used in the attack shared many similarities with malware known to have been used by North Korean hackers in the past, including "specific lines of code, encryption algorithms, data deletion methods, and compromised networks."
The FBI also indicated that the infrastructure used in the Sony breach -- which forced the company to take thousands of systems offline and to withdraw a film that was set for a Christmas Day release -- overlapped with infrastructure seen in other attacks linked to the North Korean government. Specifically, the malware used in the attack communicated with IP addresses associated with known North Korean infrastructure.
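The FBI statement names four classes of evidence: shared code, shared encryption routines, shared data-deletion methods, and shared infrastructure. The following is an added example, written for this article and not code from the FBI, Sony or any vendor, of how an analyst would score that kind of overlap between a new sample and a known one. All feature labels, sample contents and IP addresses are constructed for illustration (the addresses come from the RFC 5737 documentation ranges); none is a real indicator. It also shows why an analyst weights the categories differently: a sample that overlaps only in infrastructure scores as weak evidence, because command-and-control addresses can be reused by an unrelated actor.

```python
"""Indicator-overlap scoring across the evidence classes named in the FBI statement.

Constructed example for this article; the feature tokens below are illustrative
labels, not indicators extracted from any real malware.
"""

# Evidence classes from the statement: code, encryption, deletion method, infrastructure.
CATEGORIES = ("code", "crypto", "wipe", "infra")

# Constructed reference sample representing a previously attributed family.
KNOWN = {
    "code":   {"fn:overwrite_mbr_v1", "str:err_msg_3", "str:mutex_name_a", "fn:enum_shares"},
    "crypto": {"rc4:keysched_variant_b", "const:xor_table_1"},
    "wipe":   {"raw_disk:mbr_zero", "raw_disk:first_sectors"},
    "infra":  {"ip:203.0.113.7", "ip:198.51.100.23"},
}

# Constructed new sample: same code, crypto and wipe routine, different C2 addresses.
NEW_STRONG = {
    "code":   {"fn:overwrite_mbr_v1", "str:err_msg_3", "str:mutex_name_a", "fn:drop_service"},
    "crypto": {"rc4:keysched_variant_b", "const:xor_table_1"},
    "wipe":   {"raw_disk:mbr_zero", "raw_disk:first_sectors"},
    "infra":  {"ip:192.0.2.44"},
}

# Constructed new sample: unrelated code and crypto, no wiper, but talks to the same C2 addresses.
NEW_INFRA_ONLY = {
    "code":   {"fn:download_exec", "str:user_agent_q"},
    "crypto": {"aes:cbc_static_iv"},
    "wipe":   set(),
    "infra":  {"ip:203.0.113.7", "ip:198.51.100.23", "ip:203.0.113.9"},
}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets share nothing, so score 0."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def overlap_report(candidate: dict, reference: dict) -> dict:
    """Per-category Jaccard overlap between a new sample and a reference sample."""
    return {
        cat: jaccard(candidate.get(cat, set()), reference.get(cat, set()))
        for cat in CATEGORIES
    }


def assess(report: dict, threshold: float = 0.5) -> str:
    """Turn per-category overlap into a coarse verdict.

    Infrastructure is treated separately from artifact categories (code, crypto,
    wipe): a C2 address can be borrowed or planted by a third party, so overlap
    there alone is 'weak'. Two or more artifact categories above threshold is
    'strong'; one is 'moderate'; nothing above threshold is 'none'.
    """
    hits = [cat for cat in CATEGORIES if report[cat] >= threshold]
    artifact_hits = [cat for cat in hits if cat != "infra"]
    if not hits:
        return "none"
    if not artifact_hits:
        return "weak"
    if len(artifact_hits) >= 2:
        return "strong"
    return "moderate"


def compare(candidate: dict, reference: dict) -> tuple:
    """Convenience wrapper returning (verdict, per-category report)."""
    report = overlap_report(candidate, reference)
    return assess(report), report


if __name__ == "__main__":
    for name, sample in (("NEW_STRONG", NEW_STRONG), ("NEW_INFRA_ONLY", NEW_INFRA_ONLY)):
        verdict, report = compare(sample, KNOWN)
        scores = ", ".join(f"{cat}={score:.2f}" for cat, score in report.items())
        print(f"{name}: {verdict} ({scores})")
```

The thresholds and weights here are arbitrary; the point is the structure of the comparison, not the numbers. In practice the artifact categories are also the ones worth the most scrutiny for deliberate reuse, since a borrowed code base or a copied wiper routine is as plantable as a borrowed IP address, only harder.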
U.S. President Barack H. Obama is expected to speak this afternoon after White House Press Secretary Josh Earnest told reporters Thursday that the administration would consider a "proportional response" to the Sony attack.
"Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart," wrote the FBI in its statement. "North Korea's actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt -- whether through cyber-enabled means, threats of violence, or otherwise -- to undermine the economic and social prosperity of our citizens."
Cyber attack against Sony was not just attack against company & its employees, but on our freedom of expression & way of life –JCJ
— Homeland Security (@DHSgov) December 19, 2014
The U.S. government agency specifically linked the Sony incident to attacks committed last year against businesses and media outlets in South Korea, in which a number of servers and websites were crippled by destructive malware. In a recent blog post, Kurt Baumgartner, a researcher with antivirus vendor Kaspersky Lab, connected both the Sony and South Korean attacks to the Shamoon malware used against Saudi Arabia-based oil giant Saudi Aramco in 2012, citing a number of similar visuals, vague political messages and the use of wiper malware.
Paul Proctor, vice president, distinguished analyst and chief of research for security and risk management at Stamford, Conn.-based research firm Gartner Inc., told SearchSecurity before the latest FBI statement that if North Korea was indeed behind the Sony hack, it would be a "game changer" for enterprise security. Though Sony may have made mistakes from a security perspective, according to the information that has been released to the public, Proctor said he has seen countless organizations make similar mistakes and go largely unpunished.
"I don't think it's fair to any organization to call them out" for being hacked by a nation-state, concluded Proctor.
But if nation-states are indeed going to target private enterprises in the future, Proctor said, security professionals will need to make a number of changes to account for attacks this aggressive and malicious, including revisiting the idea of encrypting data internally and focusing on what Gartner calls "people-centric security" -- essentially educating all users on the potential threats to an organization and on how to react if they notice possible signs of an attack.
"Every single time someone gets hacked, there is reason to say, 'They had terrible security,'" said Proctor. "The idea that if you had sufficient technical resources and capability to detect this type of attack, is that really the low bar for what it means to have good security these days? What percentage do we think actually has good security?"
In a field ripe with counterintelligence, bad analysis, and technical uncertainties a "we did technical analysis so trust us" is a fail.
— Robert M. Lee (@RobertMLee) December 19, 2014
Putting your C&C infrastructure in NK is a good way to hide your tracks now. Using NK malware derivatives a good mis-attribution technique.
— Chris Wysopal (@WeldPond) December 19, 2014
Turns out Kim Jong-Un was missing for months because he was learning how to code malware. At least, in my movie version of the Sony hack.
— Sean Gallagher (@thepacketrat) December 18, 2014
Need more info on the Sony Pictures hack? Read our coverage on the extortion attempts received by Sony executives just days before the company's valuable information was leaked online.