December 28, 2014

No North Korea behind the Sony Hack

Prabir Purkayastha

THE US, based on FBI reports, has blamed North Korea for hacking Sony, the entertainment giant. In return, Obama threatened cyber attacks, or what he called a “proportionate response”, against North Korea; the North Korean Internet did go down after Obama's threats. North Korea denied the US allegations and has called for an international enquiry to establish who is behind the Sony attack. Credible evidence is now emerging that the Sony hack was much more likely an insider job rather than a North Korean cyber attack. Nevertheless, by claiming that North Korea is behind the hacking of Sony, the US can now attack North Korea in various ways. This is a repeat of the US stories of WMDs in Iraq and Sarin gas attacks by Syria. A fabricated story remains the basis of US policy, even when the fabrication is exposed. What stays in people's minds is the original fabrication. Remember the polls that show that more than 40 percent of Americans still believe that Saddam Hussein was behind the 9/11 attacks?

So what is the hacking of Sony's servers and website all about? If you read the mainstream press anywhere in the world, it is all about a stupid movie, The Interview, that Sony was making, whose storyline was about the assassination of the North Korean president. The US, and the global media following the US, believe that North Korea first penetrated Sony's internal network and servers, then took away huge amounts of information, and then threatened it with exposure of sensitive information if it did not withdraw the film. The North Koreans have denied any connection, and as we write, there are reports that Sony is going ahead with its Christmas release of the film. Cynics have even commented that this must be the biggest publicity that any film has ever received, making what is otherwise a tasteless film about a terrorist attack on the head of state of another country a possible runaway hit.
The real story is that Sony was essentially “nuked” by people who had detailed knowledge of its internal network, servers and even passwords. A group calling itself “Guardians of Peace” (GOP) “exfiltrated” (took away) a huge amount of data from Sony's servers, some of which has been dumped in the public domain, exposing Sony's gender bias, celebrity gossip (e.g., that Angelina Jolie is minimally talented and a spoilt brat), Sony's war against Google, impending layoffs and even some unreleased films. They also wiped more than two-thirds of Sony's servers clean, causing enormous disruption to Sony's operations. The threat held out was that unless Sony fell in line and accepted the GOP's demands, much more damaging information would be released.

FLIMSY EVIDENCE

Here is where the story diverges. The initial demand in the original threat letter, sent via email to Sony, read, “monetary compensation we want... pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.” In other words, it was about money, or plain and simple extortion. It was the media that linked the Sony hack to the film The Interview, which the GOP then took up, asking Sony to withdraw the film. They have now dropped this demand. Some others believe that this was neither criminal nor political, but simply “lulz” – Internet slang for “for fun” or “for kicks”. In this account, Sony is a company that hackers love to hate and is therefore always a favourite target. From the beginning, security experts have been reluctant to believe the Obama administration's story of North Korea being the culprit. Even before the FBI statement blaming North Korea, Wired magazine found the evidence of North Korean involvement flimsy at best. The former Anonymous hacker Hector Monsegur, or “Sabu”, dismissed the government's claims, reasoning that North Korea does not have the Internet infrastructure or the bandwidth to exfiltrate terabytes of data.
The alternative, of cyber criminals working with either existing Sony employees or sacked ones, was a more likely scenario. The FBI then came into the picture with its “evidence” of North Korean involvement, which could not be fully disclosed for security reasons. This of course makes examining this evidence more difficult. Three extremely well-known experts on digital security have weighed in with why they believe that the North Korean storyline is bogus. Bruce Schneier, one of the leading lights of the security world, has said that he is “deeply skeptical” of the FBI announcement. The FBI's major arguments have been that the group used tools that had been used earlier in known North Korean cyber attacks. But as security experts have said, these tools have been widely used by other hackers as well. The second argument is that the hackers used networks and IP addresses used in earlier North Korean attacks. This is such a flimsy argument that Marc Rogers, head of security for Defcon (the largest hackers' conference in the US), wrote (The Daily Beast, December 24, 2014), “To cyber security experts, the naivety of this statement beggars belief. Note to the FBI: Just because a system with a particular IP address was used for cyber crime doesn’t mean that from now on every time you see that IP address you can link it to cyber crime.” Rogers also said that the command and control addresses found in the malware are known proxies, used widely by hackers. Again, no clinching evidence against North Korea. So we are left with “believe us, we have evidence we cannot disclose, and we are the good guys”. Even to US experts, this trust – after the Iraq war and the US claim then of “trust us, we know Iraq has WMDs” – is wearing a little thin. After all, unleashing a cyber war against another country is not fundamentally different from a kinetic (physical) war, particularly if it affects physical infrastructure such as the power grid and water supplies.
If it is not the North Koreans, then whodunnit becomes the crucial question. Here, the evidence of extensive internal knowledge of Sony becomes relevant. Marc Rogers writes, “Hard-coded paths and passwords in the malware make it clear that whoever wrote the code had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s (just) plausible that a North Korean elite cyber unit could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of a pissed-off insider. Combine that with the details of several layoffs that Sony was planning and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all.” Rogers also points out that if a state had access to such sensitive information, it makes no sense for it to dump the data into the public domain rather than use it to extract some benefit for itself. After all, knowledge is power. The most convincing voice is that of Kurt Stammberger, a senior vice president with the cyber security firm Norse, who told CBS News, “We are very confident that this was not an attack masterminded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history.” Stammberger stated that Norse's data has identified a woman called “Lena”, connected with the “Guardians of Peace” hacking group, as someone who worked at the Sony facility in Los Angeles. According to CBS, “This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised.” So we have the other possibility, of a disgruntled or sacked employee with deep knowledge of Sony's network, as the much more credible candidate behind the hacking of Sony.

So why is the North Korean angle being floated by the US administration and Sony? North Korea has been in the US crosshairs for a long time.
It is not just the bitter past – the Korean war, the humbling of the US war machine there – but also that North Korea has shown the US the limits of its power. That a tiny nation with very little technical infrastructure can defy the US is anathema to the US administration. Geo-strategically, North Korea serves the US purpose of keeping China and Japan at loggerheads. Despite China's reservations about North Korea's adventurist policies, it is the guarantor of North Korea's security. Therefore, North Korea is a convenient whipping boy in the US pivot to Asia and its containment of China. For Sony, the reasons are far more mundane. It is already at the receiving end of a dozen lawsuits for its lack of security and the damage that public disclosure has cost third parties. Claiming that this was an act of war indemnifies Sony against such claims. For those who are interested in the larger question of cyber attacks and cyber war, the Sony case shows how important a treaty-based regime against cyber weapons and cyber attacks is. And this is what the US has consistently fought against. It is the only country to have used a cyber weapon, the Stuxnet attack on Iranian centrifuges. The US believes that it has a huge lead over others in this sphere of war and looks upon all talk of cyber peace as an attempt to nullify this lead. That is why it has opposed all attempts by Russia and China to have even a UN resolution on this (or at least a resolution that has some teeth) and has opposed the introduction of cyber security in any multilateral forum, including the International Telecommunication Union (ITU).

NEW TERRITORY

The response by the US in taking down the North Korean Internet in “response” to the Sony attack shows that we are entering new territory. Unregulated cyber attacks and weapons, and new laws of war as applied to the Internet, will change the very nature of the Internet.
Unless the US allows a discussion of these issues with the aim of a treaty-based regime for the Internet, the only protection is for countries to build their Internet as an independent space and then connect it to the global Internet, very much on the lines of the existing telephone infrastructure. This was the proposal that India made at the ITU Plenipotentiary in Busan. We are already in the era of cyber war and cyber attacks. How we respond will determine the structure of the Internet. This is also what we need to bring into discussions on Internet governance. It is this expansion of Internet governance beyond how IP addresses and domain names are allocated that the US is opposing, even while complaining of cyber attacks. This cannot go on, not if we want an Internet for the public good.