Tuesday, February 03, 2015

Explaining the Game of Sony Attribation

Attribution is a blame game. It’s not about who did it, but who is best to blame. Ambulance-chasing lawyers sue whoever has the most money, not whoever is most responsible. I point this out because while the U.S. “attributes” the Sony hack to North Korea, this doesn’t mean North Korea did the attack. Instead, it means that North Korea was involved enough to justify sanctions. It still leaves the question of “who did it” unresolved.

The situation is comparable to the recent terrorist attack on Charlie Hebdo in France. Two brothers committed the crime, but “Al Qaeda of the Arabian Peninsula” (AQAP) claims credit. The precise facts are murky, but we have a good idea of what happened. While AQAP probably provided some training, it appears the attack was conceived, planned, financed, and executed by the two brothers themselves without AQAP help. The brothers took out bank loans and purchased the weapons from the criminal (not terrorist) underground. They appear to have planned the attacks with a friend from ISIS (the Islamic “Caliphate”), an organization hostile to AQAP. It appears most of their training was in France rather than during their trip to AQAP camps in Yemen. AQAP waited several days to claim responsibility, as if they were as surprised by the attack as everyone else.

However much credit/blame AQAP deserves is a question of politics, and how much weight you want to place on their small contribution. Politically, we don’t want to give AQAP credit. We already have enough to blame on them to justify drone attacks. Therefore, there is much questioning whether AQAP is truly responsible.

Blaming North Korea for the Sony hack is similarly political. Not even the U.S. government claims that it was by uniformed cyber-soldiers working out of a building inside North Korea. Instead, the U.S. is claiming that North Korea shares some responsibility – enough to justify sanctions. It could be as little responsibility as AQAP has for the Charlie Hebdo attack.

That this attribution is political rather than technical is demonstrated by the way they go about it. They are using the same political process as they used to prove Iraq had WMDs. For example, government officials leak information to the press on condition of anonymity so that they can’t be questioned or challenged. Humorously, it’s not just the same technique, it’s the same corrupt reporters (like David Sanger from the NYTimes) that they used to promote the WMD idea. They are also using the same “independent” experts (Mandiant, Hayden, etc.) they always use to “independently” verify cybersecurity stuff, and to smear critics as “Truthers” or “Deniers”.

In the end, though, both government and critics could be right. North Korea could share enough responsibility to merit sanctions, while at the same time, be largely uninvolved in the attack.


In all likelihood, the Sony attack is what it seems: angry insiders trying to extort the company for money. Insiders are strongly implicated by the language of the communiqués from the “Guardians of Peace”. The hackers obviously cared more about internal Sony politics than the film “The Interview”. By “insiders”, we mean a range of possibilities, from IT tech support employees, to something out of left field, like an executive’s kid exploiting the parent’s credentials.

These insiders are connected to others. That’s because the entire hacker underground is interconnected. Links to North Korea aren’t terribly surprising, but they aren’t the only possible link. The government has a long list of cyber adversaries. An attack of this size is too important to waste on just North Korea. When the dust settles and the FBI has swooped in and arrested people, we’ll find many more attributions than just North Korea tied to the Sony attack.

For example, consider the group known as “Lizard Squad”. They clearly have some sort of ties with Sony, if only as “gamers”. Among their activities was calling in a bomb threat last August in order to divert the flight of a Sony executive. Over Christmas, they DDoSed the Sony PlayStation network, preventing kids from using their Christmas presents. As reported by Brian Krebs, the FBI has already arrested several people in connection with the Lizard Squad.

Another example is Kim Dotcom (“the other Kim” in this affair). He’s #1 on the FBI’s cyber most-wanted list. For over a decade, Kim has facilitated copyright infringement and the downloading of music/movies through his “Mega” companies. He is known for providing bulk upload/download services to hackers, and thus may have been involved in the exfiltration of Sony data, which required terabytes of data transfer. He’s also been involved with Lizard Squad, offering them free vouchers if they stopped their Christmas DDoS attacks. When the United States finally succeeds in getting him extradited from New Zealand, we might see some charges related to Sony.

Another example is Wikileaks. In truth, the government is happy with Assange’s self-imposed prison sentence, so he’s at the bottom of their Wanted list. Other Wikileaks activists are more important, as recent revelations showed. A simple email exchange, such as a Wikileaks member suggesting what information hackers should steal from Sony, would be a useful way to go after Wikileaks.

The Sony hackers tried to extort money. That means they probably used either BitCoin or gambling websites, both of which are used to cyber-launder money, both of which the FBI hates with a passion. When the FBI makes their arrests, and the entire extortion scheme comes to light, we’ll probably see some of these sites implicated.

Hackers interact a lot on forums and chat rooms. After the FBI makes its first arrests, it’ll release those people back into the community in order to trap additional hackers. This is the catch-and-release strategy they used with Sabu to take down LulzSec. (Pro tip: always be the first hacker arrested). They’ll be going after other hackers that helped plan the attacks, but they’ll also catch a lot of “accessories after the fact” (like Barrett Brown in the Stratfor case).

Finally, there may be other countries involved. The virus used shares characteristics with attacks by Iran. China is responsible for much of North Korea’s hacking infrastructure – indeed, the attacks could’ve been by the Chinese to begin with, hiding behind the North Koreans.


The title of this piece isn’t a misspelling. I use “attribation” because attribution is a game. The goal isn’t to find out who did the hack, but to find out the best person to blame. It’s a political decision more than anything. A year from now, after arrested perps confess the details, and all the facts are known, we’ll still be debating the political question of attribution. Nobody likes to blame poor kids getting in over their heads using simple hacking techniques. Everyone likes to blame nation states who develop sophisticated cyber viruses. Thus, North Korea is a better target to blame, regardless of the facts. Or the vast Lizard Squad conspiracy, or the kingpin Kim Dotcom, or so on.

If you’ll remember, the Stratfor hack was “state sponsored”, if you wanted to play the attribation that way. It was conceived, planned, and executed after the LulzSec group leader had become an informant for the FBI. The hack used FBI servers to exfiltrate data. I have several bets (in BitCoin, what else) with friends on this issue. Namely, I’ve bet that by the end of 2015, we’ll have gotten several arrests, and it will turn out that North Korea was as little involved in the Sony hack as the U.S. government was in the Stratfor hack. That isn’t to say North Korea doesn’t deserve sanctions, only that they clearly didn’t “do” the hack.

1 comment:

dre said...

Too soon? -- http://www.cbronline.com/news/security/russian-hack-on-sony-provokes-questions-over-north-korea-role-4504131