The FBI told their story about North Korea attacking Sony. Before we retaliate, read what they didn’t tell you.

Summary: The government blames North Korea, of the Axis of Evil, for the attack on Sony, a claim quite like the bogus claims of the past we so credulously believed. No matter how often they lie to us, Americans believe what the government tells us. They lie, we believe, their lies are exposed — rinse, repeat. It makes us easy to govern, incapable of self-government, and quite different from our skeptical, unruly forebears. We can do better. This is a great day to begin. Read this and decide for yourself.

This is the most complete collection of information I’ve found on this story. I’ll update as new articles appear. Second post in this series; see links to the others at the end.



Contents

(1) Articles questioning the FBI’s story
(2) About the attack
(3) Dissenting voices to the official story
(4) Remember this before you believe
(5) Some in the major news media see the story
(6) For More Information

(1) Articles questioning the FBI’s story

While most journalists report official government statements, and cite only approving voices, there are a few who quote dissenters. We should pay attention to these few, considering the long list of government lies attributing evil deeds to designated foes. Learning from experience is the beginning of strength.

I sifted through these articles, each linking to other sources, and assembled this summary. I believe it shreds the FBI story; at the very least it destroys the certainty about the attackers’ identity. Read and decide for yourself.

(2) About the attack



Hewlett Packard posted an excellent summary of the attack and of North Korea’s capabilities and possible role. See their August 2014 report about North Korea’s cyber capabilities. They discuss the Chongryon, a group of North Koreans in Japan who run some of its most important cyber and intelligence programs.

Also see the detailed analysis posted by Risk Based Security.

Why does the government tell us so little of the evidence? Some speculate that the NSA provided much of the evidence, but they’re keeping this SIGINT secret (e.g., Nicholas Weaver at Mashable). That’s logical. The pseudonymous but well-known information security expert going by the handle “the grugq” agrees: “I’ll accept the Feeb’s answer, I just don’t believe they’ve shown their work. Mostly because it’s not their work, they just copied from NSA.” As you see below, after more thought he became more skeptical. So should you.

History suggests skepticism about these stories, given the record of the US government and its corporate allies exaggerating the power of designated US foes. The Soviet Union was an ominous superpower until it collapsed after years of internal rot (unnoticed by our lavishly funded intel agencies). Brian Honan (info security expert; bio here) reminds us of the 1998 “Solar Sunrise” attack on US Army websites, initially blamed on Iraq. US Deputy Defense Secretary John Hamre said it was “the most organized and systematic attack to date” on US military systems. A massive multi-agency task force eventually arrested 4 teenage boys. See the details here.

(3) Dissenting voices to the official story

(a) The best summary I’ve seen in rebuttal to the FBI’s story — Excerpt from Marc Rogers’s article:

(1) The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”. i.e. it reads to me like an English speaker pretending to be bad at writing English.

(2) The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. {details and cites follow}

(3) It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. … Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.

(4) Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down. {explanation follows}

(5) The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK “might be linked” that suddenly it became linked. I think the attackers both saw this as an opportunity for “lulz” and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die. …

(6) Whoever is doing this is VERY net and social media savvy. That, and the sophistication of the operation, do not match with the profile of DPRK up until now.

(7) {B}laming North Korea is the easy way out for a number of folks, including the security vendors and Sony management who are under the microscope for this. …

(8) It probably also suits a number of political agendas to have something that justifies sabre-rattling at North Korea …

(9) It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. …

(10) Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.

Rogers’ follow-up post provides more detail, with analysis even more critical of the FBI story. His conclusion:

We don’t have any solid evidence that implicates North Korea, while at the same time we don’t have enough evidence to rule North Korea out. … calling out a foreign nation over a cybercrime of this magnitude – something serious enough to go to war over – should not be taken lightly.

(b) From the Mashable article (links added):

Jeffrey Carr, cybersecurity expert {see Wikipedia} and CEO of Taia Global, is one of the skeptics. He told Mashable that “one of the biggest mistakes is that because an attack can be traced to the North Korean Internet that somehow means it’s the North Korean government. That’s a false assumption, because the North Korean Internet is basically provided by outside companies, in this case a Thai company. Nothing presented excludes alternate scenarios, so why jump to the most serious one?” Carr notes that it appears the FBI is getting most of its intelligence from private security companies, without vetting or verifying that information. He added: “The White House is now getting ready to take some kind of action, as if it’s a sure thing that the North Korean government is involved. Meanwhile you have the hackers who actually are responsible laughing because this is the most epic false flag ever.”

(c) More from Jeffrey Carr, from his Digital Dao articles:

Is North Korea responsible for the Sony breach? I can’t imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired. {December 17}

There is a common misconception that North Korea’s ICT is a closed system, therefore anything in or out must be evidence of a government-run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. … For the DPRK, that’s Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices. This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony’s network. That in addition to the fact that the attackers never mentioned the movie until after the media did pretty much rules out “The Interview” as Pyongyang’s alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific’s network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK’s network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government. Under international law, “the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State” (Rule 8, The Tallinn Manual). {December 19}

(d) From the grugq’s post (bio here; his website):

This is a media blitz campaign by a group that is steeped in Internet culture and knows how to play to it. They can manipulate it to maximum effect. This is definitely far more sophisticated than the usual rhetoric from North Korea. … To handle this sophisticated media / Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and western culture. This would be someone quite senior and skilled. That is, I can’t see DPRK putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value for DPRK.

(e) Robert Graham (CEO of Errata Security) provides another perspective on the Errata Security website. Here are two excerpts.

While there may be more things we don’t know, on its face {the FBI press release is} complete nonsense. It sounds like they decided on a conclusion and are trying to make the evidence fit. They don’t use straightforward language, but confusing weasel words, like saying “North Korea actors” instead of simply “North Korea”. They don’t give details. The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch. (19 December 2014)

My story … better explains the evidence in the Sony case than the FBI’s story of a nation-state attack. In both cases, there are fingerprints leading to North Korea. In my story, North Korea is a customer. In the FBI’s story, North Korea is in charge. However, my story better explains how everything is in English, how there are also Iranian fingerprints, and how the threats over The Interview came more than a week after the attack. The FBI’s story is weak and full of holes, my story is rock solid. I scan the Internet. I find compromised machines all over the place. Hackers have crappy opsec, so that often leads me to their private lairs (i.e. their servers and private IRC chat rooms). There are a lot of SPECTRE-like organizations throughout the world, in Eastern Europe, South America, the Islamic world, and Asia. At the bottom, we see idiot kids defacing websites. The talented move toward the top of the organization, which has nebulous funding likely from intelligence operations or Al Qaeda, though virtually none of their activities are related to intelligence/cyberwar/cyberterror (usually, stealing credit cards for porn sites). My point is this. Our government has created a single story of “nation state hacking”. When that’s the only analogy that’s available, all the evidence seems to point in that direction. But hacking is more complex than that. In this post, I present a different analogy, one that better accounts for all the evidence, but one in which North Korea is no longer the perpetrator. (19 December 2014)

(f) From the Tom’s Guide article:

“There’s no evidence pointing to North Korea, not even the barest of hints,” Robert Graham, CEO of Atlanta-based Errata Security, told Tom’s Guide. “Some bit of code was compiled in Korea — but that’s South Korean (banned in North Korea, [which] uses Chinese settings). Sure, they used threats to cancel The Interview — but after the FBI said they might.”

(g) Update: Comment by Marcus Ranum, cyber-security expert (bio here) and a member of the FM website’s team of authors.

The movie angle only cropped up 3 days into the attack, at which point the attackers latched onto it like a bunch of gamergaters who’d found another excuse for misogyny. Prior to the movie angle, there was no North Korea evidence, then it starts popping up. The malware used is not specifically North Korean. It’s run of the mill stuff using techniques that were notoriously used in the ‘shamoon’ attack against Saudi Aramco (does that make it Israeli?). The “common elements” the FBI boneheads are talking about is the disk wipe module, which is the most popular scriptable disk wipe; I’ve used it myself. Please, nobody point the finger at me for this attack in spite of the “common elements”. This bears all the hallmarks of a bunch of sociopathic American hackers; more like something from the former “anti-sec” crew than anything state-sponsored. I’m guessing the FBI doesn’t want to talk about those “common elements” because anti-sec was being run by the FBI when they attacked Brazilian police and oil exploration assets. If we ever find out who’s behind it, my money is on some badly adjusted American nihilists in the 20-30 year old unemployed trouble-maker or “security consultant” demographic. These attacks are not sophisticated; what makes them so bad is that they got a very deep foothold in Sony before they started causing trouble, and Sony’s infrastructure was deeply compromised. Most American companies, attacked in a focused manner, would fall just like Sony has.

Marcus sent me a follow-up note:

The attacks almost certainly (in my mind) are the work of some American sociopaths, probably guys pretty much like the antisec crew (which was led by an FBI informant). The tools in use are irrelevant; it would be like saying “the attacker used a gun, which points at Germany because it was an H&K” or “the attacker used a gun, which points to the US because Americans are gun nuts”. The Korean in the malware comments appears to have been planted there as a deliberate red herring; it’s google translate quality. It would be like saying that “это фигня” shows I’m a KGB agent.

(h) Other experts have expressed skepticism, but without details. Such as Brett Thomas (CTO of internet services provider Vindicia; his bio):

All of the evidence FBI cites would be trivial things to do if a hacker was trying to misdirect attention to DPRK http://t.co/hkZ3D7ZfxK — Brett Thomas (@the_quark) December 19, 2014

Another cautionary note, by Sean Sullivan (security advisor to Finnish internet security firm F-Secure):

The US security-intelligence complex is running amok once again. Washington D.C. is incapable of saying “we don’t know.” #ConfirmationBias — Sean Sullivan (@5ean5ullivan) December 19, 2014

Update: Robert M. Lee (Co-Founder at Dragos Security LLC, First Lieutenant USAF – Cyberspace Operations Officer; bio here):

“FBI – Update on Sony Investigation” http://t.co/SzHJNBnE5N > Having been in the IC I know how valuable sources are but this doesn’t cut it. — Robert M. Lee (@RobertMLee) December 19, 2014

(4) Remember this before you believe

The aide {Karl Rove} said that guys like me were “in what we call the reality-based community,” which he defined as people who “believe that solutions emerge from your judicious study of discernible reality.” I nodded and murmured something about enlightenment principles and empiricism. He cut me off. “That’s not the way the world really works anymore,” he continued. “We’re an empire now, and when we act, we create our own reality. And while you’re studying that reality — judiciously, as you will — we’ll act again, creating other new realities, which you can study too, and that’s how things will sort out. We’re history’s actors . . . and you, all of you, will be left to just study what we do.” — Karl Rove, as quoted in “Faith, Certainty and the Presidency of George W. Bush” by Ron Suskind, New York Times Magazine, 17 October 2004

(5) Some in the major news media see the story

Some journalists mix a few skeptical notes into the song played by the government and its journalist supporters. New articles after December 23 appear at this post.

This isn’t from a major publication, but still interesting. Good analysis but the title doesn’t match the text: “The Moral of Sony? Stop Doing Attribution”, The Security Ledger, 19 December 2014.

Here’s a fascinating dissection of an early New York Times story about the hack, by the pseudonymous “Jericho”: “Anatomy of a NYT Piece on the Sony Hack and Attribution”, 19 December 2014. It shows the skill journalists use to create the shiny narratives that package information for us.

(6) For More Information

(a) Other posts in this series:

(b) All posts about cyberwar, cybercrime, and cyberterrorism.

(c) Posts about propaganda and information operations run against us. Never forget or forgive, just learn from this history.