Sony Pictures suffered a brutal cyber-attack on Nov. 24. The hackers, who call themselves #GOP, for Guardians of the Peace, leaked 3,800 employee Social Security numbers, plus salaries, layoff plans, tons of username/password combinations, and some not-yet-released Sony Pictures movies. It was rough.

Sony Pictures is working with cybersecurity company Mandiant and the FBI to control the damage and investigate the hack. And out of the rubble, a theory started circulating: What if North Korea hacked the company in retaliation for it making the upcoming comedy The Interview, which makes fun of the country and its leader, Kim Jong-un? The idea has been gaining traction. North Korea is weird and vindictive, and was really mad about that movie. It totally would do this, right? Actually, maybe not. Experts have doubts.

In a blog post on North Korea Tech titled “Did North Korea Hack Sony? Probably Not,” Martyn Williams outlines his reasons for being skeptical of the theory. He explains that though North Korea is thought to have instigated various cyber-attacks on South Korea—including one major hack that took out broadcast TV and ATM networks for a while in 2013—the country is usually covert about what it’s doing.

In this case the hackers made demands, identified themselves as #GOP, and took over Twitter accounts to criticize Sony Pictures CEO Michael Lynton. North Korea has never done things like that before. Williams also points out that the country has also never publicly attacked an institution it was mad at even though, “many organizations have angered it in the past.”

If the hacking theory seems flawed to you simply because most North Koreans don’t even have access to a cellphone or computer, much less the Internet … that is a very reasonable point! But the country definitely has some hacking clout, even if it’s not super-sophisticated about it.

Frank Cilluffo, the co-director of the Cyber Center for National and Economic Security at George Washington University, testified before Congress that North Korea’s cyber-attack prowess “poses an important ‘wild card’ threat, not only to the United States but also to the region and broader international stability.” And a 2009 U.S. Forces Korea report showed that North Korea regularly succeeds in infiltrating United States networks. It seems like the country has at least a few hundred if not a few thousand hackers working on intelligence-gathering and good old scams.



An anonymous North Korean diplomat in New York told the Voice of America broadcast network on Thursday that the accusation was “another fabrication targeting the country.” He added, “My country publicly declared that it would follow international norms banning hacking and piracy.”

Lucas Zaichkowsky, a security expert at Resolution1, told CBC News, “State-sponsored attackers don’t create cool names for themselves like Guardians of Peace and promote their activity to the public.”

Tommy Stiansen, the chief techonology officer for cyber investigation firm Norse, told Bloomberg Politics that he is going to Sony and the FBI with IP address evidence that the attack could have come from a former Sony employee in Japan who was fired in May. “The only reason people are talking about North Korea is that North Korea spoke out against Sony” and The Interview, he said. “I am convinced that this is an inside job. The group, Guardians of Peace, nobody has never heard of them. I cannot find a drop of information on them. I would say if we can’t find anything on them, they don’t exist and they’re certainly not tied to any particular government.”

A U.S. national security source told Reuters on Thursday that in spite of doubts and the country’s own denial, North Korea is still one of a few suspects U.S. law enforcement is investigating related to the hack. Right now it seems that no one knows for sure what happened. Jaime Blasco, director of AlienVault Labs, told Mashable, “This kind of data can be easily manipulated. … I wouldn’t bet on anything at this point.”

Martyn Williams of North Korea Tech still feels that the country is an unlikely culprit. “It still doesn’t seem to fit the regular MO of the North Koreans or any other nation state for that matter,” he told Slate in an email. “Why draw all this attention to the hack, why leak the information in a very public way, why come up with a name for the group. It all just draws attention.”