Ed Jones/AFP/Getty Images
Tech

Did North Korea Really Hack Sony?

Could it have been an inside job? Perhaps a disgruntled employee with a thumb drive, like Edward Snowden? Plus: Details of the attack itself from a leaked FBI report.

Either popular theory for the origin of the devastating hack on Sony would make for a great film plot: it’s North Korea’s revenge for an insulting Seth Rogen film, or an inside job by a ferociously disgruntled former employee in league with hacktivists. With prominent and highly regarded cybersecurity experts rigidly divided on that question, it’s a Hollywood blockbuster that’s barely past the credits.

All sides agree that the cyberattack against Sony is unprecedented in its personal nature and maliciously destructive scope, an attack not intended to enrich anyone or gather any sort of corporate or financial intelligence but specifically to humiliate and harm a specific multinational company—a truly massive crime.

The extent of the Sony breach continues to be revealed even a week after it first struck, but so far the company’s losses involve the theft and leaking of 11 terabytes of data that includes several unreleased films and a litany of internal company documents. Employee salaries and Social Security numbers, sensitive email attachments, and even a file purporting to be a list of grievances about work conditions at the company. In addition, a leaked FBI memo issued to subscribers of its Liaison Alert System email list this week (and reported earlier by Reuters) indicated the attack also involves malware that destroys files and renders entire computer systems permanently damaged

“Destructive malware used by unknown computer network exploitation (CNE) operators has been identified,” the alert warns. “This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”

The memo also includes computer code to watch out for, suggesting the FBI fears the form of the Sony attack could be replicated against other entities.

 “We normally see hacks that steal information, but this is a destruction—they actually destroy files—and that’s very rare,” said Richard A. Clarke, former top cybersecurity adviser to Presidents Bill Clinton and George W. Bush. “They destroy revenue by leaking movies haven’t been released and putting them on the pirate market. They destroy Sony’s reputation with the internal documents. It’s a very smart and destructive attack. I can’t remember seeing that happen before in the United States.”

One of Clarke’s successors, former Obama administration cybersecurity czar Howard Schmidt, agreed, noting that the Sony attack was revealed within days of when the FBI was notified by the cybersecurity firm FireEye that hackers are targeting emails of corporate chief financial officers and others involved with mergers and acquisitions to gain market-moving intelligence. And this week, the FBI also warned of a malware attack on U.S. health care and energy infrastructure. “This is a perfect storm,” Schmidt said. “All three of these things happening at the same time, that’s an awful lot, and that’s significant.”

Thus far, there are three prime suspects in the Sony hacking. A group called Guardians of Peace, or GOP, claimed responsibility via a Reddit post, but there’s little information available about who they are or what their motivations were. The tech website Re/Code reported on Wednesday that two sources within Sony told them the company was about to announce its belief that the North Korean government is behind the breach, but instead a Sony Pictures Entertainment spokeswoman told the AFP that “the investigation continues into this very sophisticated cyberattack.” And the third suspect is a disgruntled—and technologically talented—former employee.

Sony has hired Mandiant, a cyber forensics firm that determined that the Chinese government was behind a crippling 2013 hack of The New York Times, to find the source of the breach. Nobody from Mandiant (a subsidiary of FireEye) or Sony was available for comment.

North Korean leader Kim Jong Un has been vocally upset by the Sony film “The Interview,” due to be released this month; it's a comedy starring Rogen and James Franco in which the protagonists seek to assassinate Kim. Earlier this year, Pyongyang wrote to United Nations Secretary General Ban Ki-moon calling the movie an “undisguised sponsoring of terrorism, as well as an act of war." The repressive regime also wrote to the Obama administration, asking them to block the movie’s release.

Still, for many, the North Korean link seems far-fetched. One reason: The list of DVD-quality versions of Sony films that have been leaked include the Brad Pitt war flick “Fury,” the remake of “Annie,” the Oscar-bait Julianne Moore showcase “Still Alice,” and a British bio-drama, “Mr. Turner.” “The Interview” was not among them.

Tommy Stiansen, the chief techonology officer for Norse, a major hacker-tracking firm that the cybersecurity community relies on for historic cyberattack data, told Bloomberg Politics that he plans to go to Sony and the FBI with what he said was forensic evidence that the attack likely came from IP addresses tied to a specific former Sony employee in Japan who was fired in May.

“The only reason people are talking about North Korea is that North Korea spoke out against Sony,” Stiansen said. “But North Korea is better than that. They wouldn’t steal all the other movies and not grab ‘The Interview.’ I am convinced that this is an inside job. The group, Guardians of Peace, nobody has never heard of them. I cannot find a drop of information on them. I would say if we can’t find anything on them, they don’t exist and they’re certainly not tied to any particular government.”

Joe Kiniry, a principal at the cybersecurity firm Galois and a key investigator for several European governments on cybercrime, also said he puts “little to no credence to the North Korea idea. It would be very, very surprising if it wasn’t an insider attack. To have that much data leak out through your network and not notice it would mean Sony’s security team is just incompetent. I would highly suspect that it was someone on the inside, someone like a Snowden, filling up a USB disk and walking out with out with it.”

But the sheer size of the Sony attack, as well as its possible objective, have convinced many on the government side of things that North Korea is a prime suspect. “Fundamentally they made a movie about the assassination of the president of North Korea,” Clarke said. “Would they retaliate over that? Oh yeah. Kim Jong Un would ask somebody there to go do something about that. And they’ve demonstrated the capability in attacking companies in South Korea.”

Another expert firmly in the North-Korea-did-it camp is Gary Miliefsky, CEO of the Nashua, N.H.-based cybersecurity firm SnoopWall, which has contended with North Korean attacks in the past. He also noted that North Korea has been an historic adversary of Japan and would relish the opportunity to disrupt a top Japanese company. “They have one of the most advanced cyberarmies in the world,” Miliefsky said. “They have recruited 3,000 to 6,000 cyberwarriors. Their only job is to create malware and advance Kim Jong Un’s agenda.”

Schmidt admitted he’s uncertain as to who is right but also circumspect about the Re/Code report, if only because the Sony breach is so new that “I don’t know that someone would know who did this definitively. It’s going to be really, really difficult to prove that even weeks or months down the road.”

Competing studios in Hollywood, who would seem likely to be particularly concerned about such a breach, also have doubts about the North Korea angle. Sony’s film division has fallen on hard times recently with waves of layoffs, noted an executive at a competing studio. Sony has been beleaguered over the past year or longer, the executive said, adding that the new "Spider-Man" didn’t do as well as Sony had hoped, and that there have been big changes in management. He said that there are a lot of reasons for employees and ex-employees to be angry.

Even if the culprit really turns out to be North Korea, many doubt that there will be serious repercussions. “What will happen? Nothing,” Clarke said. “So far, the U.S. government policy when a private company is attacked by a foreign nation-state, is that the U.S. government does not retaliate. It never has, and I don’t think it’s going to do that over Sony. I mean, when Iranians attacked the largest banks in the United States, the U.S. government did not retaliate.”

That doesn’t mean the government isn’t watching, said Schmidt, whose partner in his firm is former Department of Homeland Security Secretary Tom Ridge. When similar breaches took place in his years at the White House, Schmidt said, there were presidential briefings and discussions in the Situation Room as to whether further attacks were coming. “They’re reaching out to the companies, asking what they can share with us.”

But the relationship between government and corporations is, if anything, more complex and vexed than those between sovereign nations. The U.S. Chamber of Commerce vociferously objected to a 2012 bill that would have created a system for companies to voluntarily inform federal authorities of cybercrime activity and grant companies immunity from lawsuits. The Chamber objected to federal meddling and the creation of “government mandates.”

“The story is that foreign governments are hacking the American companies and the American government is watching and doing nothing about it because American companies have said they don't want the government to do anything about it,” Clarke said. The Chamber “believes the U.S. government should not get involved at all, and then when they get hit they ask Uncle Sam to save them. When the banks got hit by that digital denial of service attack, they all went to the government, ‘Save us! Save us!’”

A Chamber spokeswoman on Wednesday pointed to its support in recent months of a variety of efforts to establish national cybersecurity standards. Yet even in one letter shown to Bloomberg Politics, from to the federal National Institute of Standards and Technology, the Chamber vice president Ann M. Beauchesne wrote, “The information- sharing discussion puts too little emphasis on improving government-to-business sharing. The Chamber wants to expand government-to business information sharing, which is progressing but needs improvement.”

Solving the friendly-fire problem could be the first step in combating the threat.

CORRECTION: In an earlier version of this story, a quote from Howard Schmidt in the 17th paragraph should have contained the word “definitively,” not “definitely,” and comments from a studio executive in the 18th paragraph should have referred to management, not marketing, changes. Additionally, in the third paragraph, Reuters should have been credited for early reporting on the FBI memo.