A number of private security researchers are increasingly voicing doubts that the hack of Sony‘s computer systems was the work of North Korea. …
Security researchers say they need more proof. “Essentially, we are being left in a position where we are expected to just take agency promises at face value,” Marc Rogers, a security researcher at CloudFlare, the mobile security company, wrote in a post Wednesday. “In the current climate, that is a big ask.”
Mr. Rogers, who doubles as the director of security operations for DefCon, an annual hacker convention, and others like Bruce Schneier, a prominent cryptographer and blogger, have been mining the meager evidence that has been publicly circulated, and argue that it is hardly conclusive.
For one, skeptics note that the few malware samples they have studied indicate the hackers routed their attack through computers all over the world. One of those computers, in Bolivia, had been used by the same group to hack targets in South Korea. But that computer, as well as others in Poland, Italy, Thailand, Singapore, Cyprus and the United States, were all freely available to anyone to use, which opens the list of suspects to anyone with an Internet connection and basic hacking skills.
For another, Sony’s attackers constructed their malware on computers configured with Korean language settings, but skeptics note that those settings could have been reset to deflect blame. They also note the attackers used commercial software wiping tools that could have been purchased by anyone.
They also point out that whoever attacked Sony had a keen understanding of its computer systems — the names of company servers and passwords were all hard-coded into the malware — suggesting the hackers were inside Sony before they launched their attack. Or it could even have been an inside job.
And then there’s the motive. Government officials claim the Sony attacks were retaliation for “The Interview,” a feature film about two bumbling journalists hired by the C.I.A. to assassinate North Korea’s leader. In a letter last June, North Korea’s ambassador to the United Nations called the film “an act of war.” But naysayers point out that, as far as they can tell, Sony’s attackers did not mention the film as motivation until that theory percolated in the media.
The simpler explanation is that it was an angry “insider,” Mr. Rogers wrote. “Combine that with the details of several layoffs that Sony was planning, and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all.”
On Wednesday, one alternate theory emerged. Computational linguists at Taia Global, a cybersecurity consultancy, performed a linguistic analysis of the hackers’ online messages — which were all written in imperfect English — and concluded that based on translation errors and phrasing, the attackers are more likely to be Russian speakers than Korean speakers.
Shlomo Argamon, Taia’s Global’s chief scientist, said in an interview Wednesday that the research was not a quantitative, computer analysis. Mr. Argamon said he and a team of linguists had mined hackers’ messages for phrases that are not normally used in English and found 20 in total. Korean, Mandarin, Russian and German linguists then conducted literal word-for-word translations of those phrases in each language. Of the 20, 15 appeared to be literal Russian translations, nine were Korean and none matched Mandarin or German phrases.
Mr. Argamon’s team performed a second test of cases where hackers used incorrect English grammar. They asked the same linguists if five of those constructions were valid in their own language. Three of the constructions were consistent with Russian; only one was a valid Korean construction.
“Korea is still a possibility, but it’s much less likely than Russia,” Mr. Argamon said of his findings. …
It is also worth noting that other private security researchers say their own research backs up the government’s claims. CrowdStrike, a California security firm that has been tracking the same group that attacked Sony since 2006, believes they are located in North Korea and have been hacking targets in South Korea for years.
But without more proof, skeptics are unlikely to simply demur to F.B.I. claims. “In the post-Watergate post-Snowden world, the USG can no longer simply say ‘trust us’,” Paul Rosenzweig, the Department of Homeland Security’s former deputy assistant secretary for policy, wrote on the Lawfare blog Wednesday. “Not with the U.S. public and not with other countries. Though the skepticism may not be warranted, it is real.”
Mr. Rosenzweig argued that the government should release more persuasive evidence. “Otherwise it should stand silent and act (or not) as it sees fit without trying to justify its actions. That silence will come at a significant cost, of course — in even greater skepticism. But if the judgment is to disclose, then it must me more fulsome, with all the attendant costs of that as well.”