…is that it is all but impossible. A skillful black hat can easily lead investigators down paths they want them to take, while obscuring the true origins of a network breach. Mimicking attack vectors, using code associated with known hacking entities, even using language in the coding that points to known entities or countries, are common methods employed by those who wish to leave a false trail as to the origin of network attacks or exploits. (Of course, the most dangerous of that lot can hide for months or years the fact that there has been any network exploit at all.)
There was much discussion in the office this week about the FBI’s announcement that they had what amounts to definitive proof that the DPRK had perpetrated the now-famous hacking of Sony Pictures. I was definitely in a minority with my skepticism, for two reasons. The first is that I have a very hard time believing anything coming out of a Federal agency in this Administration. The Department of Justice, the IRS, the EPA, the State Department, and Homeland Security have all promulgated bald-faced lies to the American people, largely to cover up criminal and unconstitutional activity and/or the incompetence of those in charge. The second is the rather unrealistic understanding the Federal Government (and DoD in particular) has of how the Internet works. They THINK they know. But they don’t.
Apparently, I am not alone in my skepticism. From the Daily Beast:
So, malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other attacks attributed to North Korea.
This may be the case—but it is not remotely plausible evidence that this attack was therefore orchestrated by North Korea.
The FBI is likely referring to two pieces of malware in particular, Shamoon, which targeted companies in the oil and energy sectors and was discovered in August 2012, and DarkSeoul, which on June 25, 2013, hit South Korea (it was the 63rd anniversary of the start of the Korean War).
Even if these prior attacks were co-ordinated by North Korea—and plenty of security experts including me doubt that—the fact that the same piece of malware appeared in the Sony hack is far from being convincing evidence that the same hackers were responsible. The source code for the original “Shamoon” malware is widely known to have leaked. Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator. Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain “crimeware” kits have been using this model for years.
So the first bit of evidence is weak.
But the second bit of evidence given by the FBI is even more flimsy:
“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”
What they are saying is that the Internet addresses found after the Sony Picture attack are “known” addresses that had previously been used by North Korea in other cyberattacks.
To cyber security experts, the naivety of this statement beggars belief. Note to the FBI: Just because a system with a particular IP address was used for cybercrime doesn’t mean that from now on every time you see that IP address you can link it to cybercrime. Plus, while sometimes IPs can be “permanent”, at other times IPs last just a few seconds.
Now, the FBI’s conclusions may be correct, and the DPRK may be officially or unofficially behind the breach. But TDB raises some important points. The DPRK can claim that a skilled hacker can make the evidence point back to them with little effort. And indeed this is a correct assessment. Why the Administration’s jump to blame the DPRK? Perhaps, as the article states, it is yet another example of amplifying and manipulating an event (a good crisis not going to waste?) as justification for yet more government control via draconian regulation.
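To make the point about IP reuse and leaked malware lineage concrete, here is an added example (my own illustration, not code from the Daily Beast piece or from any FBI report) of how an analyst might weigh overlapping indicators instead of treating any match as proof. The indicator kinds, weights, validity window, discount for publicly leaked code, addresses (RFC 5737 documentation ranges), dates and the "observed" timestamp are all constructed assumptions for the demonstration; the noisy-OR combination is a simple model, not an established standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Base evidential weight per indicator kind (assumed values for this example).
# The ordering follows how costly each is for an attacker to change or borrow:
# an IP address or file hash is cheap to reuse, tradecraft much less so.
TYPE_WEIGHT = {"ip": 0.10, "hash": 0.15, "tool": 0.35, "ttp": 0.60}

# Days after its last confirmed use for which an IP is assumed to still point
# at the same operator (assumption; addresses get reassigned or re-compromised).
IP_VALIDITY_DAYS = 90

# Discount for code or tooling that is publicly available, since shared
# ancestry then says nothing about a shared operator (assumption).
PUBLIC_DISCOUNT = 0.25


@dataclass
class Indicator:
    kind: str              # "ip", "hash", "tool" or "ttp"
    value: str
    last_seen: date        # last confirmed use by the suspected actor
    public: bool = False   # sample or source known to have leaked


def indicator_weight(ind: Indicator, observed: date) -> float:
    """Evidential weight of one overlapping indicator at the time it was observed."""
    weight = TYPE_WEIGHT[ind.kind]
    if ind.kind == "ip":
        # Weight decays linearly to zero across the validity window, so an
        # address last tied to the actor months ago carries nothing on its own.
        age_days = max(0, (observed - ind.last_seen).days)
        weight *= max(0.0, 1.0 - age_days / IP_VALIDITY_DAYS)
    if ind.public:
        weight *= PUBLIC_DISCOUNT
    return weight


def attribution_confidence(overlaps: Iterable[Indicator], observed: date) -> float:
    """Combine weak, independent signals as 1 - prod(1 - w_i) (noisy-OR)."""
    none_match = 1.0
    for ind in overlaps:
        none_match *= 1.0 - indicator_weight(ind, observed)
    return 1.0 - none_match


def verdict(confidence: float) -> str:
    """Bucket a confidence score into a plain-language call (thresholds assumed)."""
    if confidence < 0.30:
        return "insufficient"
    if confidence < 0.70:
        return "moderate"
    return "strong"


# Constructed sample resembling the overlap the quoted FBI statement describes:
# two IPs last tied to the actor months earlier, plus a wiper hash whose lineage
# traces to leaked source. All values are made up.
OBSERVED = date(2014, 12, 1)
WEAK_OVERLAP = [
    Indicator("ip", "203.0.113.7", date(2014, 5, 1)),
    Indicator("ip", "198.51.100.22", date(2013, 11, 1)),
    Indicator("hash", "<placeholder wiper sha256>", date(2013, 7, 1), public=True),
]

# The same overlap plus a freshly confirmed IP and a tradecraft match, to show
# what kind of evidence actually moves the score.
STRONGER_OVERLAP = WEAK_OVERLAP + [
    Indicator("ip", "192.0.2.44", date(2014, 11, 21)),
    Indicator("ttp", "custom C2 framing fingerprint", date(2014, 10, 1)),
]

if __name__ == "__main__":
    for label, overlap in (("weak", WEAK_OVERLAP), ("stronger", STRONGER_OVERLAP)):
        score = attribution_confidence(overlap, OBSERVED)
        print(f"{label}: confidence={score:.3f} verdict={verdict(score)}")
```

With these assumptions the stale IPs contribute nothing and the leaked-lineage hash contributes a few percent, so the "weak" set scores as insufficient; only a currently active address combined with a tradecraft match lifts the call to moderate. The exact numbers are illustrative; the structural lesson is that indicator age and public availability have to be part of the scoring, not an afterthought.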
Blaming North Korea offers an easy way out for the many, many people who allowed this debacle to happen; from Sony Pictures management through to the security team that were defending Sony Picture’s network.
You don’t need to be a conspiracy theorist to see that blaming North Korea is quite convenient for the FBI and the current U.S. administration. It’s the perfect excuse to push through whatever new, strong, cyber-laws they feel are appropriate, safe in the knowledge that an outraged public is fairly likely to support them.
I will be writing more about so-called “Net Neutrality” in the near future. But be certain that the regulations proposed by the Obama Administration have little to do with true net neutrality (despite the rather infantile assertions of some) and much more to do with expanding the regulatory power of the Federal Government over the content of the internet. With the mainstream news media either firmly behind the Far Left, or beholden to them for reasons other than intellectual agreement, trust in the Big News outlets is at an all-time low. It is on the internet where the fabrications of both the Obama Administration and its lap-dog agents in the press are torn apart by people with facts and experience, and people like Holder and Hillary and entities like the NYT and MSNBC are shown to be liars. So the assertion in the above citation is certainly plausible. To some of us, it is at least as plausible as the FBI’s proclamations of incontrovertible evidence of North Korea’s guilt in the Sony breach.