In Sony Hack, All the Suspects Check Out


JANUARY 01, 2015

An entrance gate to Sony Pictures Entertainment at the Sony Pictures lot is pictured in Culver City, California in this April 14, 2013 file photo. North Korea said "wait and see" on December 1, 2014 when asked if Pyongyang was involved in a cyber attack on Sony Pictures Entertainment a month before its planned release of a movie about a plot to kill the reclusive state's leader, Kim Jong Un. REUTERS/Fred Prouser/Files

If the Sony Pictures hack were a game of Clue, cyber security firms would be just about out of suspects.

Weeks after the United States declared that North Korea was behind the attack on the studio, researchers are still asking who dunnit, pointing fingers at everyone from an ex-Sony employee to Russian criminals to a band of video game enthusiasts called the Lizard Squad, some likelier than others. Next up: Col. Mustard, at a LAN workstation, with a virus.

It is not easy to figure out who is responsible for a massive hack like this one. Attackers can cover their tracks by leaving false clues or can blow up the evidence by erasing data — an unusual tactic used in this case. Sony’s network was particularly messy, because it has frequently been a target of cyber attacks in the past, making it even harder to sift through what was left.

The back-and-forth is not unusual, said Kevin Mandia, founder of Mandiant, the FireEye division investigating Sony and other high-profile breaches. The biggest difference is that these disagreements usually happen in private, he said. Perhaps the least surprising theory, and the likeliest to be wrong, is that the hack was an inside job from start to finish—the usual suspects.

“Every time we respond to an incident, it’s way more likely than not someone assumes it’s an insider,” Mandia said in an interview. “Well over 99 percent of the time, there is no insider involvement.”

Many suspects

In this case, the blizzard of reports reflects the likelihood that Sony’s network was compromised in numerous ways and, possibly, was hacked by more than one party. Breached companies often find more problems than they expect once they start poking around in their networks, and that can include overlapping intrusions.

Sony declined to comment.

The Federal Bureau of Investigation is standing by its assertion that it was North Korea, which has denied any involvement. In an e-mail, the FBI wrote that there was “no credible information to indicate that any other individual is responsible.”

The US National Security Council said in an e-mail this week that it supported the FBI’s findings.

The problem many people have with the FBI’s conclusion is that the bureau won’t release all of its evidence, citing the need to “protect sensitive sources and methods.” Those could include telephone intercepts, hacked copies of e-mails or human sources inside the North Korean government who could be placed at risk if outed. That is not out of the ordinary either, said Mandia, who declined to discuss specifics of the Sony hack because of the ongoing investigation.

Filling the void

To fill the information void, security firms have turned to other sources for data, such as social networks, computers that monitor Internet traffic and known attack servers, and underground chat rooms frequented by hackers. “Everybody always challenges attribution,” Mandia said.

It is a cycle that Sony, more than the average company, knows well. People familiar with the investigation of Sony’s last major hacking incident have said that when specialists went into the company’s computers in 2011 looking for the source of an intrusion into the PlayStation Network, they found that at least three different hacking groups were inside. The most serious was a Russian cyber crime ring that had gained a foothold at least two years earlier, and was stealing and reselling video games, Bloomberg News reported. Sony did not disclose the theft.

Lizard Squad

The speculation about who was behind the latest attack continues. A self-described member of the Lizard Squad told the Washington Post that it provided Sony employee passwords to hackers from Guardians of Peace, the group the United States says is linked to North Korea.

The Intercept reported on Wednesday that the Guardians of Peace might go after an American news organization next, citing an FBI bulletin based in part on messages the hackers had posted online.

Bruce Schneier, a prominent cyber security author, blogger and chief technology officer at Co3 Systems, says there is not enough information available publicly to determine who is responsible for the Sony break-in, partly because of the minimal evidence the government has presented. “The truth is we don’t know,” he said in a recent interview.

Despite all this murk, hacker tracking is actually more precise than it used to be, Mandia said. As investigators compile and share evidence about technical indicators and behaviors of hacking groups, trends have begun to emerge. For example, state-sponsored groups have telltale signs, like jettisoning their malware quickly. They prefer to use legitimate log-in credentials to peruse victim networks while masked as an authorized user; they cover their tracks by deleting data in log files; and it is difficult to pierce their infrastructure.
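Two of the behaviors Mandia describes, deleting log data and moving around on legitimate credentials, leave traces a defender can look for. The following is an added illustration, not code from the article or from any firm it names; the log format, hostnames, accounts and timestamps are constructed for the example.

```python
"""Two defender-side heuristics over constructed authentication-log lines:
(1) holes in an otherwise steady log stream, which is how deleted log
entries tend to show up, and (2) a valid account logging on from a host
it has never used before, which is what credential reuse looks like.
The line format and every sample value below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, source host, event.
SAMPLE_LOG = """\
2014-11-20T08:00:00 alice ws-alice LOGON_OK
2014-11-20T08:05:00 bob ws-bob LOGON_OK
2014-11-20T08:10:00 alice ws-alice LOGON_OK
2014-11-20T08:15:00 carol ws-carol LOGON_OK
2014-11-20T11:40:00 bob ws-bob LOGON_OK
2014-11-20T11:45:00 alice ws-finance-07 LOGON_OK
2014-11-20T11:50:00 carol ws-carol LOGON_OK
"""


def parse(text):
    """Yield (timestamp, account, host, event) from the constructed format."""
    for line in text.splitlines():
        ts, user, host, event = line.split()
        yield datetime.fromisoformat(ts), user, host, event


def find_gaps(text, max_gap_minutes=30):
    """Return (gap_start, gap_end) pairs where consecutive entries are further
    apart than max_gap_minutes. In a stream that is normally steady, such a
    hole is a candidate for wiped log data and should be cross-checked
    against other sources (network logs, EDR, backups)."""
    limit = timedelta(minutes=max_gap_minutes)
    gaps, prev = [], None
    for ts, *_ in parse(text):
        if prev is not None and ts - prev > limit:
            gaps.append((prev, ts))
        prev = ts
    return gaps


def first_seen_hosts(text):
    """Return (account, host, timestamp) for each successful logon from a host
    the account had not used earlier in the log. A real credential on a new
    host proves nothing by itself; it is a lead for the analyst to check."""
    seen, hits = defaultdict(set), []
    for ts, user, host, event in parse(text):
        if event == "LOGON_OK" and seen[user] and host not in seen[user]:
            hits.append((user, host, ts))
        seen[user].add(host)
    return hits
```

On the constructed sample the gap detector reports the 08:15 to 11:40 hole, and the host check flags only alice's logon from ws-finance-07.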

So the investigations are getting cleaner — they just do not look that way to outsiders. Blame government secrecy for that.