Did North Korea really hack Sony?

Kim Jong Un inspects "new" military technology made by unit 1501 of the Korean People's Army in this 2013 photo.

Did North Korea really hack Sony? Not everyone is convinced by the FBI's claim that the country is responsible for last month's devastating cyberattack on Sony Pictures. And the skeptics are right that none of the evidence the US government has released so far definitively ties the Pyongyang regime to the attacks.

Yet there are still reasons to suspect that North Korea played a role in the attacks. One possibility: North Korea may have worked with an independent group to pull it off.

Here's how the evidence stacks up so far.

The FBI's evidence is weak, but the US might not share its strongest evidence


The FBI released a statement last week blaming North Korea for the attack on Sony, and President Obama underscored the FBI's accusations at a Friday press conference.

But as a number of computer security experts have pointed out, the FBI's evidence is far from conclusive. The agency points to two main pieces of evidence linking North Korea to the attacks:

  • Malware used in the attack is similar to malware North Korea has used in previous attacks, and
  • North Korean computers communicated with some of the same servers the Sony malware communicated with.

But neither of these is conclusive proof of North Korea's involvement. A lot of sharing goes on in the hacking underground. It's possible that North Korea, for its earlier attacks, had simply adopted malware that was already being used by other hackers. Or maybe North Korea developed the malware, but someone else has since gotten a copy of it and customized it for their own use.

A similar point applies to those shared IP addresses. One explanation for this is that North Korean hackers were using those computers for command-and-control purposes. But another possibility is that those machines provide some kind of shared infrastructure used by many different hackers. North Korea may have been communicating with them for reasons that have nothing to do with the Sony attacks.
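The two kinds of evidence above, shared malware and shared servers, are only as strong as they are rare. An indicator that turns up in many unrelated campaigns (a widely shared tool, a hosting box many operators route through) says little about which actor was behind a new intrusion. The script below is an added illustration, not part of the original article and not anything the FBI released: it weights each indicator by how few past campaigns it appears in (the same log(N / frequency) idea used for term weighting in text retrieval) and compares that ranking with a naive "count the overlaps" ranking. All campaign names, malware labels and addresses are constructed placeholders (documentation-range IPs), not real indicators.

```python
from collections import defaultdict
from math import log

# Constructed, hypothetical indicator sets for five past campaigns (not real IoCs).
# "mal:" entries stand for a malware family, "c2:" entries for a command-and-control
# address. c2:203.0.113.10 appears in every campaign, playing the role of shared
# infrastructure that many unrelated operators happen to use.
CAMPAIGNS = {
    "campaign_a": {"mal:wiper_v1", "c2:203.0.113.10", "c2:198.51.100.5"},
    "campaign_b": {"mal:wiper_v1", "c2:203.0.113.10", "c2:192.0.2.77"},
    "campaign_c": {"mal:loader_x", "c2:203.0.113.10"},
    "campaign_d": {"mal:rat_q", "c2:203.0.113.10", "c2:192.0.2.77"},
    "campaign_e": {"mal:loader_x", "c2:203.0.113.10", "c2:192.0.2.77"},
}

# Indicators observed in a new intrusion (constructed sample input).
NEW_INTRUSION = {"c2:203.0.113.10", "c2:198.51.100.5", "c2:192.0.2.77"}


def indicator_weights(campaigns):
    """Weight each indicator by log(N / number of campaigns it appears in).

    An indicator seen in every campaign gets weight 0: it cannot tell actors apart.
    """
    n = len(campaigns)
    doc_freq = defaultdict(int)
    for iocs in campaigns.values():
        for ioc in iocs:
            doc_freq[ioc] += 1
    return {ioc: log(n / df) for ioc, df in doc_freq.items()}


def rank_naive(campaigns, observed):
    """Rank past campaigns by raw overlap count: the 'same malware, same servers' reading."""
    scores = {name: len(iocs & observed) for name, iocs in campaigns.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_weighted(campaigns, observed):
    """Rank past campaigns by the summed rarity weight of the indicators they share."""
    weights = indicator_weights(campaigns)
    scores = {name: sum(weights[i] for i in iocs & observed)
              for name, iocs in campaigns.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def top_candidates(ranking):
    """Return every campaign tied for the best score (empty if the best score is 0)."""
    if not ranking or ranking[0][1] == 0:
        return []
    best = ranking[0][1]
    return [name for name, score in ranking if abs(score - best) < 1e-9]


if __name__ == "__main__":
    print("naive ranking   :", rank_naive(CAMPAIGNS, NEW_INTRUSION))
    print("weighted ranking:", rank_weighted(CAMPAIGNS, NEW_INTRUSION))
    print("naive top       :", top_candidates(rank_naive(CAMPAIGNS, NEW_INTRUSION)))
    print("weighted top    :", top_candidates(rank_weighted(CAMPAIGNS, NEW_INTRUSION)))
```

On this constructed data the naive count cannot choose between four past campaigns, because every one of them shares the ubiquitous server; the weighted ranking singles out campaign_a, the only one that shares an address nobody else used. That is the practical form of the article's caveat: overlap with previously attributed malware or infrastructure is a lead to investigate, and its weight depends on how widely that malware or infrastructure circulates.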

Maybe the FBI is presenting weak evidence because that's all it has. But another possibility is that the government has stronger evidence that it's not willing to share publicly.

For example, suppose that the National Security Agency had managed to hack into North Korean systems and was able to monitor everything they did. That wouldn't be surprising — the NSA is good at hacking and North Korea would be one of the agency's top targets. That would help the US government to conclusively determine whether or not the North Koreans were responsible for the attack.

But if the US government publicly revealed such a capability, they'd lose an extremely valuable source of information about future activities of the North Korean regime. So in this situation you'd expect the US government to do exactly what it did last week: publicly release vague and inconclusive evidence, while holding the best evidence back. That would be enough to convince most people that North Korea was responsible without damaging future intelligence operations.

So, to some extent, whether you believe the US government's charges depends on how competent you think its intelligence agencies are. Hopefully, they wouldn't publicly blame the North without strong evidence, even if they couldn't share it all publicly. On the other hand, intelligence agencies have made big mistakes before, so it's not surprising that people are skeptical.

The hackers haven't acted like a normal nation-state, but North Korea isn't a normal nation-state


Wired's Kim Zetter, a leading skeptic of the "blame North Korea" position, argues that "nation-state attacks aren’t generally as noisy, or announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack." This is true. Governments generally have specific goals — interfering with Iran's nuclear program, say, or gathering intelligence — that are easiest to achieve if the targets don't know they're being attacked. So they generally try to fly below the radar for as long as possible. And the tone of the hackers' messages and postings did not exactly scream "highly professionalized government operation."

The problem with this argument is that there's nothing normal about North Korea. The country has repeatedly gone out of its way to antagonize other countries. It has test-fired missiles over Japan, shelled a South Korean island, and probably sank the South Korean naval ship Cheonan. North Korea denied responsibility for the Cheonan attack just as it has denied responsibility for hacking Sony, but few people believed the denials.

North Korea isn't like other countries. It has different goals and pursues them in different ways than almost any other country on the planet. So it wouldn't be surprising if they carried out their attacks in different ways than other countries have.

And there's one big reason to think North Korea played some role in the attacks. If they didn't, then why were the hackers so obsessed with getting Sony to shelve The Interview? The hackers' campaign against the movie included a thinly veiled threat to blow up movie theaters that showed it. Then, after Sony announced it would be canceling the scheduled December 25 release of The Interview, the hackers reportedly emailed Sony executives and told them that the leaks would stop unless Sony caused "additional trouble" by releasing the movie in the future.

While plenty of people think the movie is in bad taste, it's hard to imagine anyone outside of Pyongyang being so angry about the film that they'd launch a major cyberattack to stop its release.

Did North Korea have outside help?


Of course, critics of the North Korea theory have pointed out that the hackers' focus on The Interview didn't start until a week after the hackers went public in late November.

One possible explanation is that North Korea only got involved in the attacks after the initial attack. Perhaps someone totally unconnected to Pyongyang compromised Sony's network and then sold control and data to the North Korean government. Or perhaps the attack was carried out by a hacker group that sometimes does work for the North Korean government, but North Korea only became directly involved after the initial announcement. That would explain why they seemed to use some of the same tools and infrastructure.

This would also help to explain the skillful way the hackers manipulated the media into embarrassing Sony, increasing the hackers' leverage in the process. As Vox's Todd VanDerWerff has written, the attackers doled out leaked documents in batches to strategically chosen journalists, making it more likely that reporters from various media outlets would comb through the files looking for scoops.

That ensured that the media would publish a lot of damaging scoops about the company before the hackers pivoted to their Interview-related demands. Todd notes that if the hackers had focused on The Interview from the outset, media organizations would have been squeamish about participating in what amounted to a blackmail campaign against Sony.

It's hard to imagine that North Korea, working alone, would have had sufficient understanding of American media habits and organizations to pull this off. But if North Korea were working with an outside group with ties to the West, they could outsource the details of the media campaign to them.

Ultimately, there might not even be a clear line between a North Korean operation and an independent one. In the internet's shadowy underworld, hackers can be affiliated with multiple groups, and groups can do work for multiple customers. Hackers often share code and computing resources with each other without knowing exactly how they'll be used. So the answer to the question "did North Korea do it" might turn out to be "it's complicated."