If the Sony hack were a game of Clue, cyber-security firms would be just about out of suspects by now. Weeks after the U.S. declared that North Korea was behind the attack on Sony Pictures, researchers are still asking who dun it, pointing fingers at everyone from an ex-Sony employee to Russian criminals to a band of video-game enthusiasts called the Lizard Squad, some likelier than others. Next up: Col. Mustard, at a LAN workstation, with a virus.
It isn't easy to figure out who is responsible for a massive hack like this one. Attackers can cover their tracks by leaving false clues or can blow up the evidence by erasing data—an unusual tactic used in this case. Sony's network was particularly messy, because it's frequently been a target of cyber-attacks in the past, making it even harder to sift through what was left.
The back-and-forth isn't unusual, says Kevin Mandia, founder of Mandiant, the FireEye division investigating Sony and other high-profile breaches. The biggest difference is that these disagreements usually happen in private, he says. Perhaps the least surprising theory, and the likeliest to be wrong, is that the hack was an inside job from start to finish—the usual suspects.
"Every time we respond to an incident, it's way more likely than not someone assumes it's an insider," Mandia said in an interview. "Well over 99 percent of the time, there is no insider involvement."
In this case, the blizzard of reports reflects (besides a frenzy of speculation) the likelihood that Sony's network was compromised in numerous ways—and may have been hacked by more than one party. Breached companies often find more problems than they expect once they start poking around in their networks, and that can include overlapping intrusions.
Sony declined to comment.
The Federal Bureau of Investigation is standing by its assertion that it was North Korea, which has denied any involvement. In an e-mail, the FBI wrote that there's "no credible information to indicate that any other individual is responsible." The president's National Security Council said in an email this week that it supports the FBI's findings.
The problem many people have with the FBI's conclusion is that the bureau won't release all of its evidence, citing the need to "protect sensitive sources and methods." Those could include telephone intercepts, hacked copies of e-mails or human sources inside the North Korean government who could be placed at risk if outed. That's not out of the ordinary either, says Mandia, who declined to discuss specifics of the Sony hack because of the ongoing investigation.
To fill the information void, security firms have turned to other sources for data, such as social networks, computers that monitor Internet traffic and known attack servers, and underground chat rooms frequented by hackers. "Everybody always challenges attribution," Mandia says.
It's a cycle that Sony, more than the average company, knows well. People familiar with the investigation of Sony's last major hacking incident have said that when specialists went into the company's computers in 2011 looking for the source of an intrusion into the PlayStation Network, they found that at least three different hacking groups were inside. The most serious was a Russian cyber-crime ring that had gained a foothold at least two years earlier and was stealing and reselling video games, Bloomberg News reported. Sony didn't disclose the theft.
The speculation about who was behind the latest attack continues. A self-described member of the Lizard Squad told the Washington Post that it provided Sony employee passwords to hackers from Guardians of Peace, the group the U.S. says is linked to North Korea. (Bloomberg reported the Lizard Squad's possible involvement last week.) The Intercept reported today that the Guardians of Peace may go after an American news organization next, citing an FBI bulletin based in part on messages the hackers had posted online.
Bruce Schneier, a prominent cyber-security author, blogger and chief technology officer at Co3 Systems, says there's not enough information available publicly to determine who's responsible for the Sony break-in, partly because of the minimal evidence the government has presented. "The truth is we don't know," he said in a recent interview.
Despite all this murk, hacker tracking is actually more precise than it used to be, Mandia says. As investigators compile and share evidence about technical indicators and behaviors of hacking groups, trends have begun to emerge. For example, state-sponsored groups have telltale signs, like jettisoning their malware quickly. They prefer to use legitimate log-in credentials to peruse victim networks while masked as an authorized user; they cover their tracks by deleting data in log files; and it's difficult to pierce their infrastructure.
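Two of the signs Mandia lists, deletion of log entries and quiet use of legitimate credentials, are the kind of thing an investigator looks for in whatever logs survived. The following is an added example, not code from the article or from Mandiant: it runs two simple checks over a small, constructed log (the line format, the sequence numbers, the per-user host baseline and the work-hours window are all assumptions for the sake of illustration). The sequence-gap check only works where the log source numbers its records and a copy was forwarded elsewhere before the attacker reached it; the credential check flags valid logins that do not match how the account is normally used.

```python
"""Detection sketch for two tradecraft signs: entries removed from a log
and legitimate accounts used from unfamiliar places or at odd hours.
Added example with constructed data; format and thresholds are assumptions."""
from datetime import datetime

# Constructed sample log, one record per line:
# "<seq> <iso-timestamp> <user> <source-host> <event>"
# Records 1004-1006 are deliberately absent to simulate deletion.
SAMPLE_LOG = """\
1001 2014-11-20T09:02:11 alice ws-17 login_ok
1002 2014-11-20T09:05:43 bob ws-22 login_ok
1003 2014-11-20T12:14:09 alice ws-17 login_ok
1007 2014-11-21T02:31:55 bob fileserver-3 login_ok
1008 2014-11-21T02:33:10 bob fileserver-3 login_ok
1009 2014-11-21T02:40:02 bob dc-1 login_ok
"""

# Assumed baseline: hosts each account is normally seen logging in from.
BASELINE = {"alice": {"ws-17"}, "bob": {"ws-22"}}


def parse(log):
    """Parse the constructed log format into a list of dicts, in file order."""
    events = []
    for line in log.splitlines():
        seq, ts, user, host, event = line.split()
        events.append({
            "seq": int(seq),
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "event": event,
        })
    return events


def find_sequence_gaps(events):
    """Return (first_missing_seq, next_present_seq) for every break in numbering.

    A forwarded log that should be contiguous but is not is evidence that
    records were removed at the source after they were written.
    """
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur["seq"] != prev["seq"] + 1:
            gaps.append((prev["seq"] + 1, cur["seq"]))
    return gaps


def find_unusual_logins(events, baseline, work_hours=(7, 19)):
    """Flag successful logins that are valid but out of character.

    Each finding is (seq, user, host, reasons); reasons is a list drawn from
    "new host" (not in the account's baseline) and "off hours" (outside the
    assumed work_hours window, hour-of-day, start inclusive, end exclusive).
    """
    findings = []
    for e in events:
        if e["event"] != "login_ok":
            continue
        reasons = []
        if e["host"] not in baseline.get(e["user"], set()):
            reasons.append("new host")
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            reasons.append("off hours")
        if reasons:
            findings.append((e["seq"], e["user"], e["host"], reasons))
    return findings


def run(log=SAMPLE_LOG, baseline=BASELINE):
    """Run both checks and return their results together."""
    events = parse(log)
    return {
        "gaps": find_sequence_gaps(events),
        "unusual_logins": find_unusual_logins(events, baseline),
    }


if __name__ == "__main__":
    result = run()
    for start, end in result["gaps"]:
        print(f"missing records {start}..{end - 1}")
    for seq, user, host, reasons in result["unusual_logins"]:
        print(f"{seq}: {user}@{host} flagged: {', '.join(reasons)}")
```

Neither check proves anything on its own: a gap can come from log rotation or a dropped forwarder, and an off-hours login from a new host can be an administrator on call. Their value is in combination and in the time correlation, which is also why the investigators quoted in the article lean on forwarded copies and network-side records rather than on the logs of the compromised host itself.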
So the investigations are getting cleaner—they just don't look that way to outsiders. Blame government secrecy for that.