Similarities were found to malware attributed to North Korea

Dec 19, 2014 23:33 GMT  ·  By

The investigation into the incident is not over yet, but from the clues gathered by its agents, the FBI has concluded that the North Korean government is responsible for the attack on Sony's network.

In late November, a group of hackers calling themselves Guardians of Peace triggered the disk-wiping routine of malware planted on the computers of Sony Pictures Entertainment (SPE). This came after the attackers had infiltrated the network at an earlier date and exfiltrated large amounts of confidential information, both personal and commercial in nature.

The company reacted by hiring Mandiant, the incident response unit of FireEye, and by asking for assistance from the FBI within hours of learning about the intrusion.

Partial evidence revealed by the FBI

“As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” reads an official statement from the FBI made on Friday.

The Bureau appears to have found plenty of evidence to support this conclusion, but it disclosed only part of it, in order to protect sensitive sources and methods.

The Bureau says it found specific lines of code, encryption algorithms, data deletion methods, and compromised networks that overlap with other malware known to have been developed by North Korean actors.

Furthermore, it points out that part of the infrastructure used in the attack against SPE has been used in "other malicious cyber activity the U.S. government has previously linked directly to North Korea." The evidence cited here is a set of IP addresses hard-coded into the data-wiping malware, which the Bureau ties to known North Korean infrastructure.
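The infrastructure overlap the FBI describes is, at its simplest, a comparison between the addresses hard-coded in a sample and the addresses already tied to earlier activity. The script below is an added illustration of that step and is not the FBI's or Sony's tooling: it pulls dotted-quad IPv4 literals out of a binary blob (both plain ASCII strings and the UTF-16LE wide strings common in Windows executables), drops candidates that are not valid addresses, and splits the result into addresses already in a known-infrastructure list and addresses not seen before. The blob, the addresses (all from RFC 5737 documentation ranges) and the indicator list are constructed for the example; they are not the real Destover indicators.

```python
import ipaddress
import re

# Dotted-quad candidates in ASCII; the look-arounds stop a longer run such as
# "10.1.2.3.4" from yielding a substring match.
_ASCII_IPV4 = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Runs of printable UTF-16LE characters (Windows wide strings), six or more long.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def _validate(candidates):
    """Keep only syntactically valid IPv4 addresses (every octet 0-255)."""
    found = set()
    for raw in candidates:
        try:
            found.add(str(ipaddress.IPv4Address(raw.decode("ascii"))))
        except ValueError:
            continue  # e.g. "999.1.1.1": dotted-quad shaped, but not an address
    return found


def extract_ipv4(blob: bytes) -> set:
    """Return every hard-coded IPv4 literal stored as an ASCII or UTF-16LE string."""
    candidates = list(_ASCII_IPV4.findall(blob))
    for run in _WIDE_RUN.findall(blob):
        narrowed = run[::2]  # drop the interleaved NUL bytes of the wide string
        candidates.extend(_ASCII_IPV4.findall(narrowed))
    return _validate(candidates)


def infrastructure_overlap(blob: bytes, known_infra: set) -> dict:
    """Split a sample's hard-coded addresses into those already tied to earlier
    activity ('shared') and those not previously seen ('new')."""
    found = extract_ipv4(blob)
    return {
        "shared": sorted(found & set(known_infra)),
        "new": sorted(found - set(known_infra)),
    }


# Constructed sample "binary": an MZ-looking header, one ASCII C2 string, one
# UTF-16LE C2 string, a fallback address, and two decoys that must NOT count.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"connect to 198.51.100.23:443 now\x00"
    + "203.0.113.77".encode("utf-16-le") + b"\x00\x00"
    + b"fallback 198.51.100.99\x00"
    + b"999.1.1.1\x00"      # invalid octet, rejected by validation
    + b"build 10.0.0\x00"   # only three fields, never matched
)

# Constructed indicator list standing in for addresses linked to earlier activity.
KNOWN_INFRA = {"198.51.100.23", "203.0.113.77", "192.0.2.9"}

if __name__ == "__main__":
    result = infrastructure_overlap(SAMPLE_BLOB, KNOWN_INFRA)
    print("shared with known infrastructure:", result["shared"])
    print("not previously seen:", result["new"])
```

Two of the three addresses in the sample fall in the known list and one is new. Overlap of this kind is a signal, not proof: the script cannot tell a reused command server from one an attacker deliberately borrowed or rented to point investigators elsewhere, which is exactly the caveat raised further down.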

The statement also makes an indirect reference to the DarkSeoul operation launched against banks and media outlets in South Korea in March 2013, attributing it to North Korea. At the time, the security researchers analyzing that attack did not attribute it to any country, although theories involving a North Korean actor did exist.

Most of the information presented by the FBI had already been disclosed by security experts in their own reports on the malware. Those reports presented circumstantial evidence pointing to the Hermit Kingdom, but the FBI is the first entity to make a clear attribution.

Red herrings are sometimes included to hide trails

However, it is well known that the authors of a cyber-attack sometimes drop fake clues to throw investigators off track, and that shared components prove less than they seem. For instance, commercially available components were discovered in the malware used in both DarkSeoul and the Sony attack; but the same components were also employed in the Shamoon attack, which targeted the Aramco oil company in Saudi Arabia and has been attributed to Iran. A component that turns up in attacks blamed on two different countries cannot, on its own, distinguish between them.

Another example is the Cloud Atlas cyber-espionage operation, whose authors planted hints for false attribution by including words and phrases in several different languages in the malware code.

Although the FBI's conclusion may not be shared by many security researchers, the Bureau may hold undisclosed evidence that would put the matter beyond dispute.