FBI agents were briefed Monday by one of the world’s leading cyber intelligence firms, which claims that the evidence being gathered in connection with the November 24 cyberattack against Sony Pictures Entertainment points to a former employee of the studio, rather than North Korea, as the perpetrator of the hack.
The cyber intelligence firm Norse told the FBI in the afternoon briefing that evidence suggests the hack, which saw thousands of sensitive company documents as well as five unreleased feature films leaked online, was a coordinated effort between a former Sony employee and hackers for piracy groups, according to Politico.
“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Norse senior vice president of market development, Kurt Stammberger, told Politico.
Stammberger added that the FBI was “very open and grateful for our data and assistance.”
The FBI issued a statement Monday reiterating its conclusion that North Korea was behind the cyberattack.
“The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners, and the private sector. There is no credible information to indicate that any other individual is responsible for this cyber incident.”
A hacking group called Guardians of Peace has claimed credit for the cyber attack. On December 16, the group posted a message threatening “9-11” style terror attacks on movie theaters that had signed up to screen the Sony Pictures comedy The Interview, which depicts the assassination of North Korean leader Kim Jong-un.
According to Politico, the FBI considered that a former Sony employee could be behind the attack, but ultimately rejected the possibility.
Other private security firms are reportedly questioning the FBI’s key evidence; namely, that the malicious code used in the attack against Sony was also used in a 2013 cyber attack against South Korea, and that the language settings of the computer used to write the code were set to Korean.
Errata Security’s Robert Graham previously called the FBI’s evidence “nonsense,” arguing that hacking groups were likely to share code with each other. CloudFlare security researcher and DefCon official Marc Rogers agreed, writing that “while some of these similarities certainly strongly hint at a similar operation and a shared DNA between these pieces of malware, it is hardly a smoking gun.”
Norse’s Stammberger told Politico he agrees with his peers in the intelligence community.
“We think that we would have seen some key indicators by now in our investigation that would point to the North Koreans,” Stammberger said. “We don’t see those data points. So if they’ve got them, they should share some of them at least with the community and make a more convincing case.”
The FBI is reportedly still treating the incident as an “active criminal investigation,” and, as a matter of policy, will not comment further until the investigation is complete.