Doubts Persist On U.S. Claims Of North Korean Role In Sony Hack

Enlarge this image toggle caption Ahn Young-joon/AP Ahn Young-joon/AP

Within days of the hack against Sony Pictures, the U.S. government came out and said, in no uncertain terms, the attacks originated from North Korea — and the nation-state of North Korea was involved. Well, both claims have raised eyebrows among private security researchers. Many just don't believe it.

Circumstantial Evidence

Law FBI Officially Pins Sony Cyberattack On North Korea FBI Officially Pins Sony Cyberattack On North Korea Listen · 3:56 3:56

The FBI says the attack came from IP addresses — unique computer addresses — that trace back to North Korea.

But Scott Petry, a network security analyst with the firm Authentic8 says, you can spoof an IP address from anywhere in the world.

"The fact that data was relayed through IPs associated with North Korea is not a smoking gun," Petry says. "There are products today that will route traffic through IP addresses around the world."

Meaning traffic that appears to come from Pyongyang could have originated in Moscow or Baltimore.

The FBI also says the hackers used malicious software that North Korea has used in other cyberattacks.

Petry counters that, in the world of cyberattacks, criminals constantly are recycling code. A well-known attack against banks called the Zeus Trojan went open source a few years ago — so when a financial institution gets hit, the same malware often shows up.

Again, he says, it's no smoking gun: "It's like saying 'my god, this bank robbery was conducted using a Kalashnikov rifle — it must be the Russians who did it!' "

He says that the FBI's evidence is circumstantial at best, and that its public handling of the case is inconsistent with proper procedure in prior investigations.

Petry recalls back when he worked at Google, the search giant had evidence the Chinese government was trying to hack its servers, perhaps to mine emails from dissidents. The U.S. government, he says, counseled the company to keep quiet.

"There has never been any firm public attestation that the Chinese were responsible for any of those exploits," he says. "And yet in this instance, the FBI comes out in a matter of days and says it's North Korea, case closed."

The FBI declined to comment on the skepticism of Petry and other cybercrime experts, citing its ongoing investigation.

Nation-State Behavior

Himanshu Dwivedi with Data Theorem, Inc. is another skeptic.

"When you have any source attacker as a nation-state, one of the key goals that they traditionally have is persistence — which means staying in a location, obviously electronically, for a very long period of time," he says.

Dwivedi has investigated cyberattacks since the 1990s. He's worked on cases involving nation-state actors big and small, and he says it doesn't make sense that North Korea would want to make a splash: If they're trying to destroy data or, let's say, steal classified information we don't know about from a Sony executive, they'd keep quiet — not talk publicly.

Who It Could Be

The FBI is looking at data that most of the world cannot access, but Shlomo Argamon, a professor of computer science at the Illinois Institute of Technology and chief scientist with Taia Global, took a look at the data that's publicly available — including leaked emails, postings to Internet forums, and transcriptions of messages that appeared on hacked computers at Sony.

Based on the writing style, Argamon wanted to identify the most likely native language of the hackers. He considered four: Korean, Mandarin Chinese, Russian and German.

And in his analysis, he dissected sentences like: "One beside you can be our member." Meaning that anyone you meet might secretly be a member of the hackers' group.

It's a word-for-word translation from Russian — not from any of the other languages. And that's the pattern that led him to a finding he describes as significant: The hackers used phrasing most consistent with the Russian language.

"There was some consistency with Korean, but much, much less," Argamon says. "Which indicates that although it's possible that these messages were written by people whose native language is Korean, it is far more likely that they were Russians."

Argamon only has preliminary results so far, but he says much more analysis must be done in order to draw a strong conclusion — both by him, and by the FBI.