Anatomy of a NYT Piece on the Sony Hack and Attribution

There is a lot of back-and-forth over who hacked Sony Pictures Entertainment. For a not-so-brief summary, here is an extensive timeline to catch you up. I am going to drill down on a single point as it is both fascinating and disgusting. Using a single article that is heavily influencing people around the world, and helping to polarize the InfoSec community on who hacked Sony, I want to show you exactly what you are quoting and reading. Why? Because people don’t seem to be reading past the headline or first couple of paragraphs. What seems like a strong, definitive piece, falls apart and begins to contradict itself entirely halfway through the article. The New York Times piece in question is titled “U.S. Said to Find North Korea Ordered Cyberattack on Sony“.

Consider what the headline says. First, it says that North Korea ordered the attack on Sony. Second, it says the U.S. has found out, meaning there is some body of evidence that led to that conclusion. Seems simple enough. But where does this come from?

American officials have concluded that North Korea was “centrally involved” …
Senior administration officials, who would not speak on the record …
Officials said it was not clear how the White House would respond.
Other administration officials said a direct confrontation with the North would provide North Korea with the kind of dispute it covets.

So how many officials are we talking about here? American officials? Senior administration officials? “Other” administration officials? Not a single one on record, which is very curious given named sources are the backbone of solid reporting. Are these officials part of the military? Law enforcement agency? Or just policy wonks that may or may not be getting briefed by someone with a clue?

The administration’s sudden urgency came after a new threat was delivered this week to desktop computers at Sony’s offices, warning that if “The Interview” was released on Dec. 25, “the world will be full of fear.”

Wait, so the Sony network is still entirely compromised weeks after it was publicly disclosed? That is an interesting angle, why haven’t we seen articles covering that? The company brought in to do forensics, are they losing this battle? Or did they mean the message was emailed to Sony employees, and the wording is confusing since the initial attack included actually replacing the desktop background on thousands of Sony desktops? Or was this a reference to the attackers posting that message on a public website (Pastebin)?

“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”

This comes from the latest Pastebin post, since removed. I think that is the simple, logical explanation.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.

Wait a minute, the title is definitive, the U.S. says North Korea did it. Now even more unnamed officials say Sony insiders may have helped them? If you follow the whole “this is an act of war” nonsense, then any American Sony employee just committed treason, right? If it was a Japanese Sony employee, then Japan is in league with North Korea? I mean, we have to be careful on our rhetoric of war and blame, as these little comments can mean big things.

North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.

So Newt Gingrich, Dave Aitel, and others are saying a North Korean attack on Japanese company Sony is an “act of war” against the U.S., but we openly admit that the U.S. government has been trying to penetrate North Korean computers for at least four years, and that isn’t an act of war? That doesn’t make sense. Either such intrusions are an act of war, or they aren’t. We can’t have this both ways.

It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “this was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

So the definitive headline is now clouded by statements like these. We don’t know where the attacks originated, the tools were commonly available and had been seen in attacks years ago, but then the official says it is sophisticated? Not sure this ‘intelligence official’ has the same standards for the word ‘sophisticated’ as many in InfoSec.

But there is a long forensic trail involving the Sony hacking, several security researchers said. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.

Do we all know what a forensic trail is? This is a shaky list of circumstantial evidence at best. Given the use and history of the tools, making an assumption on who used it seems absurd.

But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggested that the same group or individuals might have been behind the Sony attack.

Again, do we not see how circumstantial this is? On one hand you claim the attackers are sophisticated, on the other you say they use a compromised computer for two years that would implicate them because of past attacks.

The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat, the security researchers said.

Definitive headline, yet more doubt on who attacked Sony.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, the national oil company, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.

A public tool from two years ago, and this is influencing attribution? Investigators should be logical and skeptical. Actual evidence should be the guiding factor in their investigation and determining attribution.

Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.

So we couldn’t positively attribute the attack two years ago that used those tools, and now we want to use that tenuous link claiming it is some kind of ‘proof’ North Korea was involved? This makes no sense.

“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.

I have given many a buzz-quote to the media, and I understand how they can be taken out of context. This is a great example. Blasco sounds like a total idiot, but I have a strong feeling he isn’t. What does this quote mean exactly? Getting access to Sony’s network requires an attack. Subsequent actions are part of that attack, or the fallout. Or does he mean “had access” in the context of a legitimate trusted employee? InfoSec people: be careful when giving buzz-quotes to journalists.

The cost of the assault was small: The attackers used readily available tools to steal data and then wipe it off Sony’s machines.

Once again, “readily available tools”, yet we are attributing this to a nation-state attack? Read between the lines and we have no real attribution at this point, at least not demonstrated by anyone. I doubt Mandiant is sharing their results with anyone publicly, leaving the rest of this to guess-work.

Representative Mike Rogers, the Michigan Republican who leads the House Intelligence Committee, said the hackers had “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.

Ya think? That is hacker 101 shit right there Mr. Rogers. Sophisticated malware to allow such access has been around for more than 30 years, and is trivial to get from thousands of web sites.

The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.”

Well played North Korea.

All in all, we have an article with a definitive title, “citing” between one and dozens of unnamed officials, that may be guessing like most of the world, giving as much “evidence” that it wasn’t necessarily North Korea, and it is whipping up a frenzy causing politicians and InfoSec professionals calling this war. I’ve said it for a week, and I must say it again. How about we wait for actual evidence. A public report outlining all of the forensics available, that can be peer-reviewed to some capacity, before we go rattling our saber at a country that may not be involved. Sure, North Korea is wonky on their statements implying it was them, then “half-denying” it, whatever that means (curious no one ever links to these statements, or are these more “unnamed officials” from their government?).

Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn’t mean they actually did anything. Taking their implications or half-denials as fact isn’t prudent. I am not saying North Korea wasn’t involved. I am simply saying that this speculative circle-jerk is not helping anyone, and only serves to cause headache and grief. Level-heads must prevail. If you feel the need to comment on the matter, make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.