Claim: SONY hack was inside job

Mackdog

The claim is that a former employee actually hacked SONY and not North Korea. And that a private security firm has investigated the attack and suspects it was the former employee. I think Fox is one of the few networks running with this story... why, I do not know. But there are contradictions in the article as to who did the hack. Has anyone looked into this more? Seems like any evidence for either case is sketchy.


A security firm has brought new evidence to the FBI that it claims points to a laid-off employee and others as the hackers behind the massive cyber-breach at Sony, even as the bureau publicly stands by its explanation that North Korea executed the attack.
Content from External Source
Dmitri Alperovitch, with security firm CrowdStrike, recently told Wired that the U.S. has more evidence proving North Korean involvement, and the government can't release it yet.
Content from External Source
http://www.foxnews.com/politics/201...ry-sony-hack-was-inside-job-not-from-n-korea/
 
Is there any actual evidence at all here?
That's what I can't figure out, it looks like mostly a claim but no one will release any evidence right now. I would need to look into that security firm CrowdStrike more to see what they actually have for evidence.
 


On Dec. 19, the bureau announced its conclusion that North Korea was responsible for the hacking attack. The FBI cited, among other things, links between the malware used in the attack to “other malware that the FBI knows North Korean actors previously developed.”

Since then, some cyber-security professionals have raised doubts about that assessment, in part because of the speed with which SPE’s network was breached, and because the release of information seemed to have an awareness of internal studio and Hollywood politics. Moreover, the initial messages in the attack made no mention of the movie “The Interview,” the movie cited as the source of North Korea’s motive for targeting the studio.


Norse cited an unidentified former employee, noting “angry posts she made on social media about the layoffs and Sony,” and her links to hacking groups in Europe and Asia, according to Security Ledger. One of the individuals was linked to a server with an early version of the malware used in the attack.

Norse officials said that it was up to federal authorities to follow through on their findings.

“As far as whether it is proof that would stand up in a court of law? That’s not our job to determine, it is theirs,” Kurt Stammberger, senior VP at Norse, told Security Ledger.

But the FBI spokesman reiterated that the bureau “has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector.”
http://variety.com/2014/biz/news/se...th-korea-role-in-sony-hack-attack-1201389525/
Content from External Source
Not much in terms of evidence being presented either way.

An interesting detail that may be a red herring:

Jeffrey Carr, chief executive at Taia Global Inc., said his firm recently employed scientists to study the imperfect English the Sony hackers used in their notes to the company and journalists. They found errors made in the texts most closely resembled those typical of native Russian speakers, though they didn’t rule out the possibility of a native Korean speaker. Mr. Carr said the stakes were too high for the FBI to be wrong.

http://www.wsj.com/articles/white-house-deflects-doubts-on-source-of-sony-hack-1419986755
Content from External Source
Lot of supposition and no evidence on the inside job. The speed of a breach is generally irrelevant, they're usually quite fast. The general pattern is to use a scripted program to probe various ports on every IP in range looking for responding programs that have known vulnerabilities, but not actually attacking them. When a promising vulnerable IP is found, the attack is very quick because they already know the vulnerabilities.

There is a valid point that North Korea's involvement is questionable. The particular program is available online and used by a lot of groups (black hat criminals and white hat professionals), including previous attacks on Sony that we know weren't North Korea. But, on the other hand, that assumes that the evidence the FBI has revealed to the public is the only evidence they have in this open and active investigation, which I think is a dubious assumption.
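The probing pattern described in the post above (one source touching many address/port pairs without completing connections) is what a defender looks for in connection logs. The following is an added example, not part of the original post; the log format, addresses, and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Assumed format: "ISO-timestamp src_ip dst_ip dst_port tcp_flags"
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags

def find_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src: peak number of distinct (dst, port) pairs probed inside
    any `window`} for sources whose peak reaches min_targets.
    Only bare SYNs (flags == "S") are counted as probes."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, port))
    peak = defaultdict(int)
    for ts, src, dst, port, flags in sorted(map(parse, lines)):
        if flags != "S":
            continue
        q = recent[src]
        q.append((ts, (dst, port)))
        while ts - q[0][0] > window:      # drop probes older than the window
            q.popleft()
        peak[src] = max(peak[src], len({target for _, target in q}))
    return {src: n for src, n in peak.items() if n >= min_targets}

def sample_log():
    """Constructed sample: one scanner sweeping 3 hosts x 6 ports, one per
    second, plus an ordinary client revisiting a single HTTPS service."""
    base = datetime(2015, 1, 5, 10, 0, 0)
    lines, i = [], 0
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        for port in (21, 22, 23, 80, 443, 3389):
            ts = (base + timedelta(seconds=i)).isoformat()
            lines.append(f"{ts} 198.51.100.7 {host} {port} S")
            i += 1
    for minute in range(20):
        ts = (base + timedelta(minutes=minute)).isoformat()
        lines.append(f"{ts} 203.0.113.5 192.0.2.10 443 S")
    return lines

if __name__ == "__main__":
    print(find_scanners(sample_log()))
```

A scan paced slower than the window slips under this threshold, so the window length has to be tuned against how long logs are retained.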
http://www.theverge.com/2015/1/7/7507981/fbi-director-comey-reveals-new-details-on-the-sony-hack

To continue on my previous post, the FBI has revealed another piece of their evidence (and said that this still isn't the extent of their case): The IP address was inside North Korea and shows no signs of being properly masked. The IP doesn't appear to be an obfuscation service or server host, meaning the attack originated inside the country. NK has very limited civilian access to the international internet (instead of having the national network connected through a filter like China's, it's just not connected for the most part); most of it is in government control.

The implication here is that the attack either originated in North Korea, or the actual attackers compromised both a North Korean server to act as their proxy and Sony's computers in rapid succession.


You can't just use a fake IP address outright, since the address is how the return information is routed back to you - if you make an attack look like it's coming from a junk IP, the return packet will try to get to that IP and will eventually be discarded when it reaches a dead end. There are certain attacks where this is fine - denial of service, for example - but actual data theft requires a two way path. To hide your IP address, you need to use a proxy, VPN, onion routing, or other technique to hide behind another valid address.
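The return-path argument in the post above can be seen in a toy model of the TCP three-way handshake. This is an added example, not part of the original post; the `Host` class, the addresses, and the dictionary packet format are constructed for illustration and do not model real TCP beyond the SYN / SYN-ACK / ACK exchange.

```python
import secrets

class Host:
    def __init__(self, ip, net):
        self.ip, self.net, self.inbox = ip, net, []
        self.half_open, self.established = {}, set()
        net[ip] = self                      # net maps IP -> Host (toy routing table)

    def deliver(self, pkt):
        dst = self.net.get(pkt["dst"])
        if dst is not None:                 # no host at that address: packet dies
            dst.receive(pkt)

    def receive(self, pkt):
        if pkt["flags"] == "SYN":           # server replies to the *claimed* source
            isn = secrets.randbits(32)      # unpredictable initial sequence number
            self.half_open[pkt["src"]] = isn
            self.deliver({"src": self.ip, "dst": pkt["src"],
                          "flags": "SYN-ACK", "seq": isn})
        elif pkt["flags"] == "ACK":         # must echo the ISN the server chose
            isn = self.half_open.get(pkt["src"])
            if isn is not None and pkt["ack"] == (isn + 1) % 2**32:
                self.established.add(pkt["src"])
        else:                               # SYN-ACK arriving at a client
            self.inbox.append(pkt)

def handshake(sender_ip, claimed_src):
    """Return (connection established?, half-open entries left on the server)."""
    net = {}
    server = Host("192.0.2.10", net)
    sender = Host(sender_ip, net)
    sender.deliver({"src": claimed_src, "dst": server.ip, "flags": "SYN"})
    if sender.inbox:                        # true only if the SYN-ACK came back
        isn = sender.inbox[0]["seq"]
        sender.deliver({"src": claimed_src, "dst": server.ip,
                        "flags": "ACK", "ack": (isn + 1) % 2**32})
    return claimed_src in server.established, len(server.half_open)

if __name__ == "__main__":
    print(handshake("203.0.113.9", "203.0.113.9"))   # honest source address
    print(handshake("203.0.113.9", "198.51.100.1"))  # forged, unrouted source
```

With the forged source the server is left holding a half-open entry and nothing more, which is why the post singles out denial of service as the case where a junk address is enough.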
 
https://firstlook.org/theintercept/2015/01/09/nsa-played-key-role-linking-north-korea-sony-h/

More evidence (sort of evidence anyway): The NSA was extensively involved, as were the FBI's behavioral analysis people who compared actions and communications of the hackers to previously known NK hackers.

Rep. Mike Rogers (R-Alaska), whose technological expertise is usually on par with that of a sack of hammers, was at least accurate in calling out the ignorance of industry professionals pretending that the initial information was the only evidence the FBI could have and that far more capable agencies wouldn't have also been involved and pretending they could make a better conclusion from partial evidence than the intelligence community could from all the evidence.