Was the Sony hack foreign espionage, or an inside job?

AP Photo/Damian Dovarganes

It has long been suspected that the hackers who worked Sony Pictures over, ostensibly to punish it for insulting North Korean dictator Kim Jong Un in a satirical film called “The Interview,” had some assistance from insiders. The self-identified primary perpetrators were a group of hackers called the “Guardians of Peace,” widely suspected of either being aligned with, or controlled by, the North Korean government.

The most common theory of the hacking incident holds that disgruntled Sony employees helped the hackers crack into Sony’s network, causing immense financial damage by releasing sensitive company information, plus a few digital copies of motion pictures, onto the Internet.  When the release of “The Interview” was just a few days away, the Guardians of Peace escalated to threats of 9/11-style terrorist attacks on movie theaters – threats taken seriously enough to frighten several big theater chains out of showing the film.  This escalation into threats of violence was widely taken as conclusive proof that the hackers were a serious gang of foreign terrorists, although U.S. intelligence and law-enforcement services said they had no reason to believe the group could make good on its threat to murder theater patrons.

The Obama administration declared itself convinced that Pyongyang was behind the attack, announcing new retaliatory sanctions against Kim Jong Un’s regime as the New Year rolled in. As described by NBC News, this fresh round of sanctions is fairly serious:

The new sanctions target three entities — including the country’s primary intelligence organization — and 10 individuals as agencies or officials of the North Korean government, according to the Treasury Department.

In a statement, the White House called the sanctions “a response to the Government of North Korea’s ongoing provocative, destabilizing, and repressive actions and policies, particularly its destructive and coercive cyber attack on Sony Pictures Entertainment.”

Other organizations targeted by the new sanctions are Korea Mining Development Trading Corporation, which the Treasury Department classifies as North Korea’s primary arms dealer, and Korea Tangun Trading Corporation, a group tied to the nation’s defense research.

“We take seriously North Korea’s attack that aimed to create destructive financial effects on a U.S. company and to threaten artists and other individuals with the goal of restricting their right to free expression,” the White House added.

Even as the Administration grew more adamant in its conviction that the North Korean government attacked Sony (and evidently grew more sensitive to criticism that American authorities had not done enough to protect the company from espionage), skeptics advanced a theory that the Sony hack was entirely the work of company insiders. The FBI has not discussed its evidence for North Korean involvement with the general public, so some of the Administration’s cards have yet to be laid on the table.

The Norks have denied involvement in the same unconvincing way they deny involvement in everything, while applauding Sony’s misfortune in roughly the same way they applaud everyone’s misfortune. Much of the evidence against them looks to be circumstantial – they’re known to have invested heavily in cyber-espionage, hacking activity has been traced back to servers that likely could not have been used without the cooperation of North Korea (and possibly China), and in addition to punching Sony right in the digital kisser over their impudent comedy film, the North Koreans might have appreciated this opportunity to test out cyber-war techniques that they intend to use for more serious purposes in the future.

The alternative theory offered by one cybersecurity firm has become known as the “Lena” hypothesis, after the name assigned to one of the key players.  The firm is called Norse, and its senior vice president, Kurt Stammberger, felt confident enough in his theory to present it to the FBI, along with some corroborating evidence that has not been made public.  Here’s the “Lena” story, as laid out by Sam Biddle at Gawker:

“Lena” was an employee of ten years at Sony in Los Angeles, working in a “key technical” position at the company, and axed during the company’s brutal layoffs this past May. Even if she’d departed the company months before the attack, she would have remained “very well placed to know which servers to target,” and “where all the sensitive information in Sony was stored.” (A preliminary search of my own through leaked Sony data reveals no one by the name of Lena, though Stammberger says it could’ve been an alias—he also could not tell me how he arrived at that name, or the names of any other suspected hackers.)

What drew this group together, Stammberger says, is a mutual hatred of Sony: “These were individuals that were connected with torrenting Sony movies and content online, were targeted by legal and law enforcement arms, and were irritated that basically they were caught.” A disgruntled Sony employee—or employees—who joined forces with contacts in the hacker community that were equally pissed for getting caught bootlegging movies. This sounds much more plausible to me than a crack North Korean cyber-commando squad, or whichever Tom Clancy wet dream has been floating between the White House and the New York Times.

It doesn’t appear that the Lena hypothesis caught fire with Administration officials, as they seem to have taken Norse’s data under advisement without relenting on their official position that North Korea was deeply involved.

As Biddle goes on to concede, the general public doesn’t have much to go on except how plausible each theory of the Sony hack sounds, because both the intelligence community’s evidence of North Korean involvement, and Norse’s data pointing to “Lena” as the primary perpetrator, are kept under wraps.  One of the few contrary tidbits of evidence that has been made public is that early emails to Sony from the hackers didn’t mention “The Interview” or North Korea at all. They weren’t calling themselves the “Guardians of Peace” back then, either – they appeared to be running an extortion scheme, not making a political statement.

Georgetown University’s Neal Pollard, writing at Politico, notes that seemingly massive acts of foreign cyber-espionage have been assessed incorrectly in the past:

Attributing this attack recalls some past lessons about cyber-attacks. One lesson is the caution corporations and governments should take against prematurely attributing, or even characterizing, cyber-attacks. In 1998, a cyber-attack on Defense Department systems, which DoD termed “Solar Sunrise,” was described by the then-deputy secretary of defense as the most organized and systematic attack to date, attributed to Iraq given some of the Gulf-based IP addresses used in the attack, as well as rising tensions and DoD mobilization in the Gulf against Iraq. In reality the attack was not terribly sophisticated—it exploited a known, unpatched Solaris vulnerability in a limited set of systems, and caused no outages or damage. The actual perpetrators were two teenagers in California and a teenage hacker in Israel, eventually uncovered by a U.S. law enforcement investigation.

Another point that this episode has highlighted is widespread confusion about both the difficulty and the importance of attribution. Attribution is sometimes challenging, but far from impossible, and important only to the extent dictated by retaliatory options. First, forensic investigation can turn an old cybersecurity adage on its head: an attacker may need only to get lucky once to breach a network, but once in, the attacker has to be vigilant most of the time to keep from being detected and attributed. The investigator need only get lucky once to find a fingerprint. Second, different responses require different standards of attribution, some easier than others. If one requires 100 percent scientific certainty in attribution, it will be impossible; criminal justice in a US court requires attribution beyond a reasonable doubt; civil judgments generally require a preponderance of evidence; frontier justice requires a little bit of evidence and a great deal of righteous indignation; and so on.

Attribution is the weapon of mass distraction in the First Cyber War. State-sponsored terrorism always profits from the difficulty of attributing responsibility; attacks that would clearly be acts of war, if responsibility could be firmly pinned to a nation-state, become perpetual annoyances and enduring mysteries when the link to foreign governments is not readily made.

Pollard also contends that big-ticket cyber attacks have been classified as “crime, terrorism, vandalism, acts of war, and nuisances,” but “they can’t be all five at the same time.” True, but is it inconceivable that a big hacker attack could begin as one of those things, and mutate into the others over time? Maybe the Sony caper began with a few disgruntled ex-employees looking for revenge, but international hackers and the North Korean government got involved as it snowballed into something bigger.  Such international agents of misfortune might be very interested in trading weaponized virus software and sensitive insider information with smaller freelance groups.  It’s a safe bet that every bad actor in the world learned something useful by studying how Sony and the U.S. government responded to the attack.

The public is also left to consider the Obama Administration’s ultimate response to the Sony hack and ask, Would they be acting so utterly convinced of North Korean involvement, to the point of leveling hefty sanctions against Pyongyang, if any serious doubt remained?

It was clear enough in the early days of the story that the Administration didn’t want to get involved. Now, after a confused response that featured President Obama publicly second-guessing Sony executives after the Christmas Day wide release of “The Interview” was scuttled, and the executives responding by saying they asked for his advice but got nothing useful, you’d think the White House would prefer to let this story sink into the history books. Instead, they kicked off 2015 by calling out Pyongyang in strident terms, leveling the sort of sanctions that rogue regimes typically depict as American acts of war. This Administration does everything for political reasons, and the “Lena” hypothesis would be considerably less politically explosive than pointing fingers at Kim Jong Un… unless the Administration doesn’t think it will ever be able to close the book on the crime or bag the perpetrators, so it’s less embarrassing to lay blame at the feet of foreign powers beyond the reach of American law enforcement…?

Until and unless all of the evidence is made public, along with convincing analysis from computer security experts, we can’t do much except round up the usual suspects, shore up our public and private defenses, and wait for the next action in the First Cyber War. The battlefield might be hosted on the most advanced technology mankind has ever created, but it’s actually a very old-fashioned war from a strategic perspective, with plenty of room for pirates, freebooters, mercenaries, false flags, and a thick fog of war.