Is North Korea Really Behind the Sony Breach?

For the second time in three years, Sony is the main character in a massive and humiliating cyberattack.

The Sony breach certainly seems to be the gift that keeps on giving this holiday season. And if the commonly accepted narrative reflects the truth, this whole nightmare scenario stems from what promised to be a puerile comedy titled “The Interview.” The premise of the movie revolves around a pair of journalists who are granted a rare interview with North Korean supreme leader, Kim Jong-Un, and the subsequent plot to assassinate the Hermit Kingdom’s despotic dictator.

Sony, having clearly failed to learn its lesson after attackers hacked its PlayStation Network into a month-long coma in the spring of 2011, is the main character in yet another serious and humiliating security incident.

Here’s a rough and heavily abridged timeline of events:

First, Sony Pictures Entertainment gets hacked by a group widely believed to be allied with the Democratic People’s Republic of Korea. Then, in no particular order, the hackers start releasing troves of stolen proprietary information, including but not limited to movies, scripts for future movies, sensitive employee healthcare information and internal email spools. Finally, the hackers threaten to attack movie theaters on the release of “The Interview”; Regal Cinemas, among the largest movie theater chains in the United States, says it will not play the movie; and Sony ultimately decides to delay its release.


The popular opinion is that North Korea is behind the attacks. There has been a healthy amount of skepticism toward that position, though, and with good reason. In general, when a nation-state sponsored hacking group carries out an attack, it does so as secretly as possible. You can generally look at an advanced persistent threat group or campaign and say that a certain country was probably responsible for a given attack. But the attacker’s goal, typically, is to never allow 100 percent clear attribution. That goal is aided by the reality that attribution on the Internet is an imperfect science anyway.

In this case, the group that claimed responsibility for the attack apparently displayed a showy and, frankly, ridiculous graphic of a spooky-looking skeleton on a number of compromised desktops on Sony’s network. Most APT groups aren’t in the business of announcing their presence on a compromised network. This Guardians of Peace group has since issued serious threats against Sony, moviegoers and the broader American public.

The question remains: is North Korea in some way behind the attack on Sony? Threatpost and scores of other news outlets are following the U.S. Government’s lead today and reporting that North Korea is in fact “centrally involved” in the attack. Details of what the U.S. Government knows remain scant at the time of publication, but there is supposed to be a White House announcement later in the day.

Wired, on the other hand, is sticking to its guns and continues to suggest that there is little evidence linking the Sony hack to North Korea. Wired cites the difficulty of attribution, as well as statements from Sony and the FBI, both of which have said publicly that there is no evidence linking this attack to North Korea, as reasons for skepticism. It’s hard to disagree with Wired. Why would a foreign government very publicly attack a foreign corporation over an intentionally absurd movie?

There could be a number of reasons actually.

Some observers believe anger over “The Interview” is an excuse for North Korea to flex its cyber-muscle.

“It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.”

As Threatpost reported this morning, Aitel was one of the first to publicly theorize that North Korea was behind the Sony hack, and he likened it to Iran’s alleged involvement in the Shamoon attacks that destroyed 30,000 workstations at the Saudi state-run oil company Saudi Aramco in 2012.

“Iran did this exact same near-mortal blow to Saudi Aramco, as a way of demonstrating that they could and would,” Aitel said. “That’s what just happened to Sony.”

Those are perfectly reasonable, although speculative, explanations for why North Korea might be motivated to launch such an attack. However, there is also real forensic and contextual evidence pointing to North Korea.

Kaspersky Lab researcher Kurt Baumgartner pointed out a number of similarities between the Sony hack and other attacks generally attributed to North Korea in a Securelist article earlier this month. Baumgartner notes that the attackers covered their tracks by deploying destructive wiper malware, called Destover, that overwrote hard drives company-wide. The very same malware was reportedly used in the DarkSeoul attacks targeting South Korea, which were attributed to that country’s northern neighbor.

This Sony attack saga is far from over, and a number of questions remain unanswered. The story is worth following in the coming days, and hopefully we’ll learn more about who is behind the attack and what their true motivations are.