U.S.: No alternate leads in Sony hack
By Tal Kopan
12/29/14 7:41 PM EST
A briefing for FBI agents investigating the Sony Pictures hack by a security firm that says its research points to laid-off Sony staff, not North Korea, as the perpetrator provided no usable new evidence, an official said Tuesday.
The news that the FBI had taken the three-hour briefing Monday added to the chorus of well-qualified skeptics who said the unprecedented decision to release details of an ongoing FBI investigation and President Barack Obama publicly blaming the hermit authoritarian regime hasn’t convinced the cybersecurity community.
Asked about the meeting and criticism on Monday, the FBI declined to comment beyond a prepared statement that they are confident the North Koreans are behind the crippling Thanksgiving attack and there is “no credible information” to suggest otherwise.
Tuesday, a U.S. official familiar with the matter said after the three-hour meeting, law enforcement concluded that the company’s analysis “did not improve the knowledge of the investigation.”
Researchers from the cyber intelligence company Norse have said their own investigation into the data on the Sony attack doesn't point to North Korea at all and instead indicates some combination of a disgruntled employee and hackers for piracy groups is at fault.
The official said it became clear to investigators that the researchers had a “narrow” view of the whole picture and their analysis was inaccurate.
Norse, one of the world’s leading cyber intelligence firms, has been researching the hack since it was made public just before Thanksgiving.
Norse’s senior vice president of market development said that just the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.
“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.
He said the briefing was set up after his company approached the agency with its findings.
Stammberger said after the meeting the FBI was “very open and grateful for our data and assistance” but didn’t share any of its data with Norse, although that was what the company expected.
The FBI said Monday it was standing behind its assessment, adding that evidence doesn’t support any other explanations.
“The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector,” a spokeswoman said in a statement. “There is no credible information to indicate that any other individual is responsible for this cyber incident.”
The spokeswoman had no comment on further inquiries about the briefing and whether the FBI found Norse’s case convincing.
A source who had been briefed on the FBI’s investigation said the agency had considered an insider as a possible explanation for the attack, but it wasn't supported by the evidence.
Paul Tiao, a Hunton & Williams partner and former senior cybersecurity counsel to the FBI director, said the FBI would not make such claims if there wasn't conclusive evidence to support it.
“The FBI is a very conservative organization,” Tiao said. “They don't make determinations about attribution and have investigators state that publicly; they don't do any of that lightly at all.”
Tiao added the FBI regularly works with private companies, and he “wouldn't make anything” of the briefing.
“Any time there’s some entity that has potentially useful information about an ongoing investigation, the FBI interviews those people. That’s how the FBI has been doing it for a hundred years, and this is no different,” he said.
The FBI won’t comment further on an open investigation, referring questions to the initial update on the investigation the agency released 10 days ago. That unusual release cited similarities between the malware and infrastructure behind the Sony attack and previous attacks attributed to North Korea as well as technical links to known North Korean-developed malware.
But many security researchers have found that evidence to be thin and unconvincing.
In addition to Norse’s analysis of Internet forums where perpetrators may have communicated and compiled dates within the malware used, a report from firm Taia Global said a linguistic analysis of the purported hacker messages points to Russian speakers rather than Korean.
Security expert Bruce Schneier called the evidence “circumstantial at best” and considered a number of other possible explanations. CloudFlare principal researcher and DefCon official Marc Rogers wrote that the FBI’s indicators seem to rely on malware that is widely available for purchase and IP addresses easily hijacked by any bad guy. Errata Security’s Robert Graham also noted the hacker underground shares plenty of code, calling the FBI’s evidence “nonsense.”
But the doubters leave open the possibility that the government has other intelligence supporting the idea that it’s North Korea that they don’t have access to, and a U.S. official told POLITICO it is likely the U.S. has access to information it is choosing to not release.
The official said law enforcement is still treating the incident as an “active criminal investigation” but that may or may not lead to a prosecution built on evidence that goes beyond a reasonable doubt.
“I think the intent was to release the information because this is the new normal, not to tuck away information and hide it as we have in the past,” the official said, calling the quick preliminary release “unprecedented.”
Stammberger said that if there is more information out there, it should be released to companies like his and others that are also investigating the attack.
“Whenever we see some indicators or leads that North Korea may be involved, when we follow those leads, they turn out to be dead ends,” Stammberger said. “Do I think it’s likely that [officials] have a smoking gun? … We think that we would have seen key indicators by now in our investigation that would point to the North Koreans: We don't see those data points. So if they’ve got them, they should share some of them at least with the community and make a more convincing case.”