Sony Pictures and Cyber Warfare

On November 25th, Sony Picture Entertainment was hacked by a group calling itself the Guardians of Peace, where millions of records of passwords, social security numbers, e-mails, salaries, and other extremely sensitive information was released to the public.  The exact scope of the data extracted from Sony is hard to fully grasp but, so far, the following information has been released to the public:

  • 47,426 Social Security Numbers
  • 3,000 employee records with salaries, benefits, passports, and contact details
  • 600+ plain text passwords, IP addresses, root certificates and other IT data
  • Financial reports, acquisition strategies, and budgeting forecasts
  • 19,944 e-mails.
  • 4,013,780 anti-piracy take-down notices

The group, Guardians of Peace, did not claim any connection to The Interview or North Korea, and the Assistant Director of the FBI's Cyber Division claimed no attribution to North Korea for the first two weeks of the cyber attack on Sony.  It wasn't until December 14th, after a comment by Representative Mike Rogers, chairman of the House Intelligence Committee, that the idea of North Korean involvement became seriously considered. Unfortunately, Mike Rogers' comment also spawned a slew of cyber warfare dialog that has since hijacked the conversation into thoughts of retaliation.

That was the first [time] — if you take at face value public reports — a nation state decided a retribution act could result in destroying data, bringing down a company…
— Rep. Mike Rogers
This attack is no different than a 9/11-type attack. They stole this material. It probably was North Korea. They want to f–k with Sony. They’re really pissed off. It’s outrageous. The president should have announced immediately we’re under attack…
— Howard Stern

The conservative media then began to have an absolute field day with this new dialog shift and suddenly you couldn't talk about Sony without hearing North Korea, Cyber Warfare, or even more ridiculously, 9/11.  Except there are a few problems with this new direction.



The Technology

It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. Occam’s razor suggests an insider.
— Marc Wrogers

The technology behind most attackers is fairly robust; a typical botnet (a collection of thousands of computers controlled by a single person or organization) is large enough and geographically dispersed enough to make tracing an attack to a single location nearly impossible.  Even if you ignore the fact that the malware delivered was hard-coded to attack very specific parts of the Sony Picture Entertainment network, it is extremely unlikely that forensic evidence would be conclusive enough to successfully identify a nation state as the perpetrator while the attack is still ongoing.

This is for two reasons:  First, a botnet allows attackers to route traffic through dozens, hundreds, or thousands of computers to obfuscate their original source. In order to determine the original source of the traffic, you would have to peel back each layer of obfuscation like an onion.  This layer of security is so popular and well known that it actually has a name:  The Onion Router, and it's used by journalists every day throughout the entire world in order to protect their identities - and lives.

Furthermore, the three pieces of evidence the FBI released to the public yesterday when they did officially attribute the attack to North Korea were:  Familiarity of Malware, IP addresses originated in North Korea, and Familiarity of... erhm... Malware.  Which means that the FBI's public statement really only has one point:  specific lines of code, encryption algorithms, and other methods.

For those that don't know, you can literally buy hacking tools that are, essentially, plug-and-play.  It's such a common occurrence that "real" hackers actually make fun of people who rely on these purchased methods, calling them script kiddies. It's not impossible that North Korea has a bunch of script kiddies - it's actually fairly likely - and would reuse a bunch of old code, but it's also just as likely that a group of random kiddies bought the same code that North Korea has in the past.



Inconsistency in GOP Public Outreach

We worked with other staff with similar interests to get in.
— Alleged hacker

In a recent interview with The Verge, an alleged hacker cited "equality" as being a primary objective of the attack on Sony, which is an interesting objective for a group of North Koreans to levy against a Japanese company.  Similarly, after the story became international news, several statements allegedly released by the Guardians of Peace have been seen as not genuine.

The fact that the code was written on a PC with Korean locale & language makes it less likely to be North Korea [...] because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden.
— Marc Wrogers

Part of the uncertainty is due to the methods the hackers are using to communicate with researchers and the world:  Through hacked e-mail accounts (never the same one twice) and through file dumps on bit torrent sites that are only on the internet for however long it takes the file sharing site to pull the information down. Another part of the uncertainty is actually, ironically, the dialect being used by the Guardians; it is too stereotypically Korean to be historically accurate based on the Wests' limited interactions with North Korean Refugees [Sources: 1, 2, 3].



Cyber Warfare

Finally, the dialog of creating a war zone in the cyberspace is a dialog that we should not be having because of this.  Cyber Security is an incredibly important aspect of our lives in 2014, but let's not forget that this is an insignificant event for Americans, that this is a Japanese country, no one had even heard of this movie before this incident, and the evidence supporting North Korean involvement is fairly slim.

Hell, the data breach at Staples yesterday has had more of an impact on American life in fifteen hours, compromising over 1,000,000 credit cards!  I mean, honestly, who even knew this movie was coming out before Thanksgiving?

Yet, in spite of the relative insignificance of this breach for the American people, we're forced to listen to the saber rattling of old men who think that this is a declaration of war by the fairly unimportant nation state of North Korea.  Simply put, rather than this being a case study of why Defense in Depth is important, we're instead breeding fear; and we've already seen how a reactionary strategy based on a scared public has worked for us in the Middle East.