I’m about to spoil the first episode of BBC’s brilliant Twilight Zone-for-the-social-media-era series Black Mirror. You’ve been warned. Oh, also, I will eventually get to talking about North Korea and Sony. So, stick with me here.
Black Mirror, a technology-obsessed anthology series created by a Guardian columnist, has been around since December 2011, but many of us in the States are discovering it for the first time now that its first two seasons have been thrown up on Netflix. I watched the first episode this weekend, and it kind of made me think about the Sony Pictures hack.
The episode starts off fine enough, with a fairly straight-forward scene of the British Prime Minister awakening to news that the country’s most popular literal Princess, like a fictional version of Kate Middleton, has been kidnapped. He is rushed into a meeting room with his highest ranking officials who wait patiently as he watches the ransom video the kidnapper’s made, featuring the teary-eyed, terrified Princess reading text off of cue cards just behind the camera. We’ve seen these types of scenarios play out in film and TV so often, be in real life or dramatized in something like 24. So, it’s not immediately clear that Black Mirror is bringing anything new to such well-trodden territory. That’s when the two big twists hit: 1) The kidnappers want the Prime Minister to have sex with a pig on live, national television later that day or else they’ll kill the princess; 2) The ransom video was uploaded to YouTube meaning that thousands have already seen it by the time the Prime Minister gets to it.
The rest of the episode is a race to find and rescue the princess, and when they try to create a CGI video of the PM taking it to a pig as a backup plan what appears to be one of the princess’ fingers arrives, bloodied in a box, to remind everyone that the kidnapper’s mean business and will not be fooled. Ultimately, the PM has to go through with it, suffering a national embarrassment that few actually wanted to watch but most couldn’t turn away from. It turns out that the princess was actually freed half an hour before the deadline, and her life was never actually in danger. The person who kidnapped her wasn’t some terrorist or agent for a hostile foreign government; he was actually an award-winning artist engineering some new fangled version of performance art. Maybe he also did it just to see if it would actually work, and that if it did work it would be kind of funny.
What if the people who are truly behind the Sony Pictures hack just did it because they thought it would be really funny, like the guy in Black Mirror? More importantly, what if those people have nothing to do with North Korea whatsoever?
Those questions were seemingly laid to rest when the FBI flat out declared that North Korea was behind the hack, and the mysterious internet outage which subsequently plagued North Korea is potentially the United States’ counter-attack, possibly convincing China to cut off internet access to North Korea. It all seems like a done deal. North Korea promised that there would be some kind of retaliation if Sony Pictures went ahead with its plans to make The Interview, Sony mostly ignored those threats and pushed forward, and cut to a couple of months later and something calling itself Guardians of Peace unleashes terabytes of data hacked from Sony’s surprisingly vulnerable internet servers. North Korea denied any involvement, although in a highly suspicious “We’re not responsible for this, but we think it’s hilarious” kind of way, and the initial communications from Guardians of Peace made no reference to The Interview. Suddenly, once the press started eating this all up with a spoon and reporting loads of embarrassing information uncovered in the hacked emails Guardians of Peace begins making specific references to The Interview. Blah, blah, blah. I think we all know where it went from there. Guardians made a 9/11 threat against movie theaters which dared play The Interview, Sony pulled the film, and then changed their mind when independent theaters stepped up to stick a big middle finger at the terrorists.
However, there are those who aren’t so certain that The Interview really was almost banned due to state-sponsored terrorist threats. In fact, there are those who think it’s ridiculous that the FBI has identified North Korea as the culprit because there’s no way they can actually know that for sure so soon after a hack like this, from TechCrunch:
It’s pretty clear that the Sony Pictures hack was neither an act of war or particularly belligerent. As Marc Rogers of CloudFlare and DEF CON notes, finding out who performed a hack, even one as ham-handed as this one, is difficult. Hackers with any sense use proxies and attack soft targets. But once they’ve attacked and dumped their goods, it becomes nearly impossible to follow them back to their dens, whether that is in Atlanta or Pyongyang.
But we can’t just throw our hands up in the air and lament, “Well, I guess we’ll never really know for sure.” Nor can we apparently simply trust that the FBI is right about this. Security experts are increasingly of the opinion that this must have been an inside job. As originally reported by The Security Ledger, researchers from a security firm named Norse have “identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.” Once Norse had identified the former Sony employee it traced that individual’s online footprint, leading to the discovery that someone this employee talked to through IRC forums was actually operating from the same internet server the earliest version of the malware unleashed upon Sony Pictures is believed to have been compiled.
That’s not necessarily damning evidence against the theory that North Korea is behind this, but it does beg the question of what makes the FBI so sure that North Korea is the culprit. When they first pinned the crime to Kim Jong Un & Pals, they did at least explain how they reached their conclusion:
Analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously deployed. There was a significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. Several IP addresses associated with known North Korean infrastructure communicated with IP addresses hardcoded into the data deletion malware used in the Sony attack. Furthermore, tools used in the Sony attack have similarities to those employed in a cyberattack carried out by North Korea against South Korean banks and media outlets in March of last year.
But the Security Ledger is quick to point out that for every thing which points to North Korea there are several others that lead you elsewhere:
For example, recent analysis has focused on date and time stamps attached to the leaked Sony data. Researchers have used those time stamps to infer the speed with which the data was transferred off Sony’s network. Reports have suggested that the timestamp data points to a data leak within Sony’s enterprise network, for example: to a USB device or external hard drive. […] The hackers also exhibited a somewhat sophisticated knowledge of how Hollywood works – leaking data that was deeply personal and particularly embarrassing to Sony executives.
The involvement of an insider would explain how the attackers obtained critical information about Sony’s network, including the IP addresses of critical servers and valid credentials to log into them. Even in sophisticated attacks, remote actors might spend days, weeks or months probing a network to which they have gained access to obtain that information: using compromised employee accounts to explore and find sensitive data before stealing it or causing other damage. It is during that “lateral movement,” malicious actors are often spotted. In the case of the Sony hack, however, the malware was compiled knowing exactly what assets to attack.
For its part, the FBI is undeterred, concluding in a released statement that there is no “credible evidence to indicate that” anyone other than North Korea “is responsible for this cyber incident.”
Look, I’m no hacking expert or even amateur. I’m in no position to reasonably weigh in on what all the evidence indicates, though it seems perfectly possible to me that there’s some scenario where both sides are right and that this disgruntled ex-employee could have had her hacking operation bankrolled by North Korea. However, I am looking at all of this and wondering: What happens if it turns out North Korea truly did have nothing to do with the hack of Sony Pictures? Does President Obama have to apologize to them? If so, that’s going to be pretty awkward.
Source: The Security Ledger