The Federal Bureau of Investigation remains steadfast in its decision this week to blame North Korea for the devastating Sony Pictures Entertainment cyberattack, despite skepticism from some information security industry experts.
President Barack H. Obama signed an executive order last Friday authorizing sanctions against the Democratic People's Republic of Korea (aka North Korea) in part due to its involvement in the hack. A backlash ensued, with many wondering what sort of forensic evidence -- if any -- the FBI had.
At the International Conference on Cyber Security in New York Wednesday, FBI Director James Comey discussed new information that he claimed provides a "clear indication" that North Korea was behind the attacks. He tried to hush the skeptics, saying, "They don't have the facts that I have."
To date, the FBI has released few details. However, Comey offered insight on the hackers' "sloppy" methods that helped the FBI trace the origin of the attacks against Sony to IP addresses used "exclusively" by North Korea. While attackers usually use proxy servers to disguise their origins, Comey said several times, "either because they forgot or because of technical problems, they connected directly and we could see that the IPs they were using … were exclusively used by the North Koreans."
However, many security experts quickly noted that IP addresses are not always reliable indicators -- and that they can easily be forged.
The University of Surrey's Professor Alan Woodward told Forbes, "The FBI are implying an IP address is enough -- which it isn't -- without some supplementary evidence. … People are making big decisions based on these attributions."
Robert Graham, CEO of Atlanta-based consultancy Errata Security, also expressed skepticism.
"For me to take the FBI seriously," Graham said, "they'll have to publish the IP address."
Along with the IP address evidence, Comey said tools used in the Sony Pictures hack were similar to those used by North Korea in the DarkSeoul attack against South Korean banks and media companies in 2013.
Comey also said the FBI Behavior Analysis Unit was able to use writing and data patterns to make "psychological matches" between messages received during the hack and North Korean operatives and the Guardians of the Peace, the group that claimed responsibility for the attack.
In addition, Comey said that while the penetration method is still unknown, the FBI is investigating whether spear phishing may be to blame, as Sony had been targeted by a number of spear phishing campaigns over the course of 2014.
Comey said the FBI had other evidence he could not publicly disclose "because it will happen again, and we have to preserve our methods and sources."
Yet without hard evidence against North Korea, naysayers continue to question the FBI's conclusions. When might the FBI release more information? According to expert Bruce Schneier, it could take a while.
"When it's possible to identify the origins of cyberattacks," Schneier said on his blog, "it's as a result of months of detailed analysis and investigation."
Until then, Comey stands behind the FBI's stance.
"There is not much in this life that I have high confidence about," he said Wednesday. "I have very high confidence in this attribution, as does the entire intelligence agency."
In other Sony Pictures hack news, company CEO Kazuo Hirai broke his silence on the hack at the annual Consumer Electronics Show in Las Vegas this week. Hirai said his employees were victims of "one of the most vicious and malicious cyberattacks that we've known." He praised staff and partners for standing against "the extortionist efforts of criminals."
While Sony initially scrapped the release of The Interview, the controversial movie largely believed to be the cause of the attack, the decision was met with criticism and the company reversed course, releasing it in independent theaters and online outlets. Hirai touched on this, saying, "Freedom of speech, freedom of expression, freedom of association … those are very important lifelines of Sony and our entertainment business."
Hirai also noted that he does not expect the attack to have a major financial impact on the company's film studio. The Interview pulled in $31 million in online and video-on-demand sales so far, with an additional $5 million in theater revenue, still short of its reported $45 million budget.
In other news
- Researchers at F-Secure Corp. wrote a blog post Wednesday placing a Russian government agency behind a family of macro-based malware. Based on evidence from emails and target victims, researchers were able to create a clear connection between the MiniDuke, CosmicDuke and OnionDuke malware, all of which use macros to infect victims, a method which fell out of favor nearly a decade ago. Along with Kaspersky Labs, F-Secure researchers believe the malware family could be part of a collection of spyware used by law enforcement agencies. F-Secure researchers wrote, "Considering the victims of the law enforcement use case seem to be from Russia, and none of the high-profile victims are exactly pro-Russian, we believe that a Russian government agency is behind these operations."
- At the Chaos Communication Congress in Germany late last month, reverse engineer Trammell Hudson discussed a proof-of-concept exploit dubbed "Thunderstrike" that gives attackers control of OS X-based devices. The vulnerability can be exploited by attackers who have mere seconds of physical access to Mac devices with Thunderbolt ports. The attack involves replacing the firmware that boots the system with malware; it exploits a flaw that was discovered in 2012 but has not yet been patched. "There is no official channel to remove it," Hudson said. Even worse, he said infected devices can transfer Thunderstrike to devices that connect to them. While the proof-of-concept does not carry a malicious payload, a weaponized bootkit could wreak havoc. Hudson successfully completed the attack on MacBook, Mac Mini and iMac devices.
- For the second time in history, a cyberattack has caused confirmed physical damage. According to Wired, hackers gained access to a steel mill's computer network in Germany and were able to shut down a blast furnace, which the country's Federal Office for Information Security (BSI) said caused "massive" damage. While the steel mill's name, the date of the attack, and details of the damage remain undisclosed, the BSI report reveals that attackers gained access to the system via a spear phishing attack and eventually compromised a "multitude" of systems. In the only prior instance of a cyberattack causing known physical damage, the infamous Stuxnet worm was used to attack an Iranian nuclear plant and reportedly ruined nearly 20% of Iran's nuclear centrifuges; the New York Times later reported the U.S. and Israel were behind that attack.