Sony Pictures Hack: Is North Korea Innocent or Guilty?

January 11, 2015 by Pierluigi Paganini

Sony Pictures corporate network hacked

At the end of November, the corporate network of Sony Pictures was breached and taken offline by a malware-based attack. The attack caused the disclosure of sensitive data belonging to the company and its employees and the destruction of internal machines that were infected by a powerful wiper malware.

At the moment, the only certainty is the name of the hacking group that hit Sony Pictures, the Guardians of Peace (aka GOP), but there are several hypotheses on its origin and the real motivation behind the attack.

The US government, after the first round of investigations, accused North Korea of the attack, speculating that the GOP is a group of state sponsored hackers working for Pyongyang or a hacking crew hired by Korean authorities to hit the US company.

Why North Korea?

The situation is still not clear. The attribution of the attack is very complicated due to the lack of irrefutable evidence.

At the moment, it is very difficult to attribute the cyber attack to a specific threat actor or to understand the nature of the offense. Is the attack on Sony Pictures an act of cybercrime or a state-sponsored operation run by a foreign government?

Despite that the investigation is still ongoing, the director of the FBI has provided further details of the cyber attack on Sony Pictures, which claims that North Korea was responsible. The FBI linked the GOP to North Korea. Speaking at the International Conference on Cyber Security (ICCS) at Fordham University in New York last week, the director of the FBI, James Comey, confirmed the claim.

Comey has reported that according to further evidence collected by the Bureau, North Korea is involved in the massive cyber attack against Sony Pictures.

‘[he has] “very high confidence” Pyongyang was behind it and disclosed new details’ reported FoxNews. “He said U.S. investigators were able to trace emails and Internet posts sent by the Guardians of Peace, the group behind the attack, and link them to North Korea. Comey said most of the time, the group sent emails threatening Sony employees and made various other statements online using proxy servers to disguise where the messages were coming from.”

A screenshot of FBI Director Comey’s Tweet about the #Sony hack is shown below.

Figure 1 – Sony Pictures Tweet on Sony hack

Director Comey revealed that hackers failed to protect their identities in some cases. GOP members are relying on proxy connections to hide their real IP addresses each time they send threatening emails or messages to the authorities. On some occasions, they haven’t masqueraded their IP addresses, allowing the agents to track them.

Figure 2 – FBI Director Comey

The investigators have discovered that the IP addresses used by hackers belong to a range of IPs used exclusively by the North Korean government.

“In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.”

The information collected by the FBI gives a “very clear indication of who was doing this.”

It is the first time that the FBI has shared the results of its investigation. The Bureau claimed that North Korea was responsible for the attack after the analysis of wiper malware used by the GOP crew. The security firms that analyzed the malicious code discovered that it was written in Korean and presented many similarities with other malware used by the government of the North Korea in cyber attacks against the computer systems of South Korea.

Law enforcement is still investigating on the cyber attack. It is still not clear how hackers breached the Sony Pictures network to steal the confidential information. It is likely that the hackers used spear phishing attacks to gather precious information used for the attack.

Lizard Squad and GOP … the alleged alliance

While the FBI is admitting that further information is needed to better understand how hackers breached Sony Pictures’ systems, the disturbing news of a possible collaboration between Lizard Squad and GOP has been circulating around the web.

According to The Washington Post, the GOP hacking crew used a set of data that came from the Lizard Squad hacking team, whose members are all based in European nations.

Lizard Squad is the group of hackers that has run several DDoS attacks on the gaming networks of the Sony and Microsoft last Christmas. Lizard Squad brought down the Play Station Network and the Xbox live service on Christmas day.

In an interview with The Washington Post, a self-proclaimed Lizard Squad member revealed that the group provided the data stolen from Sony to the Guardians of Peace. The alleged member of Lizard Squad explained the popular hacking team had contact with the GOP team and that the two hacking groups shared data used in the attack against Sony Pictures. The member clarified that Lizard Squad members did not play a crucial role in the offensive against Sony, but the circumstance confirms the complexity of the underground ecosystem and the value assigned to stolen data that are exchanged or sold as precious commodities.

The Lizard Squad member did not provide details on how the group gathered the login information for Sony employees. It is likely the team found the data during a reconnaissance for an attack on the PlayStation gaming network.

Below an excerpt of the interview:

Some reports suggest you’ve got links to Guardians of Peace, and possibly to the Islamic State. Can you talk about that for a minute?

Well, we do know some people from the gop. We do not have any links to the IS.

But you didn’t work with Guardians of Peace to breach Sony’s network and gain access to the e-mails, etc.? In other words, you know some people but weren’t involved in the Sony hack surrounding ‘The Interview’?

Well, we didn’t play a large part in that.

What part did you play?

We handed over some Sony employee logins to them. For the initial hack.

The Lizard Squad member confirmed that his team “handed over some Sony employee logins” that were used by GOP to target Sony Pictures.

North Korea – The assumption of innocence

While law enforcement is accusing North Korea, part of the cyber security community raises many doubts on the arguments provided by the FBI.

The declarations of the Lizard Squad member seem to exonerate North Korea, unless the hypothesis formulated by Reuters is true. Reuters News Agency reported that US investigators speculated that the government of Pyongyang “contracted out” some of the work involved, a circumstance that could explain the involvement of Lizard Squad.

“U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month’s massive cyberattack against Sony Pictures, an official close to the investigation said on Monday.

As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, U.S. investigators are looking at the possibility that Pyongyang “contracted out” some of the cyber work, according to the official, who was not authorized to speak on the record about the investigation.” states a blog post published by the Reuters.

One of the most interesting analyses of the details provided by FBI Director Comey was made by the popular cyber security expert Jeffrey Carr.

Carr commented on the words spoken by the director of the FBI, remarking on the similarity of the results of the investigation conducted by authorities on the alleged North Korean attack known as the Dark Seoul attack of March 2013:

“In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.”

While the findings of the analysis conducted in 2013 and disclosed by the law enforcement states:

“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”

Carr challenges the attribution based solely on the analysis of the IP addresses assigned to the range of IP addresses for the exclusive use of the North Korean government.

The argument might have been true prior to 2009, but today it is wrong because it is possible to access the same block of addresses through other countries where North Korea has strategic connections, including China, Thailand, Japan, Germany, and many others.

“For example, in 2007 Korea Central News Agency established a server in Japan to bypass blocking efforts by South Korea’s Ministry of Unification. North Korea’s Uriminzokkiri news website runs on a Chinese server. The Korea Computing Center maintains offices in Beijing and Dalian. TheGwang Myong IT Center, which is a spin-off from Korea Computer Center with offices in China sells network security solutions like anti-virus and data encryption to international clients including financial institutions in Japan,” explained Carr. Today the situation is quite different, because the North Korean firms have collaborations with many other companies operating in other countries. Carr also explained that North Korean ISP Star Joint Venture is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is the resultant of another joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).

An alleged attacker operating for a third-party could gain access to the range of IPs theoretically attributed to North Korea compromising one of the numerous connections linked to the country’s ISP.

According to HP’s North Korea Security Briefing (August 2014), it would be not so difficult to compromise one of the machines using the IP blocks involved in the Dark Seoul attacks (175.45.178. xx and 175.45.179. xx) because they are using “dated technology that is potentially susceptible to multiple vulnerabilities and consistently showed the same open ports and active devices on scanned hosts.”

The White House exacerbates economic sanctions on North Korea

In recent weeks, in response to the FBI analysis on the Sony Pictures breach, North Korea has refused the accusations and has proposed a joint investigation with US law enforcement, according to state news agency KCNA.

The government of North Korea confirmed that its support in the investigation would clarify the position of the country, excluding any involvement in the attack. In a statement reported by KCNA, the Korean authorities warn of “grave consequences” if the US refuses to cooperate in the investigation.

On the other side, the Obama administration has decided to exacerbate economic sanctions against North Korean entities.

Figure 0 – US President Obama

According to the White House, the sanctions will be applied to three entities and ten individuals considered by the US intelligence as “agencies or officials of the North Korean government.”

The entities are:

  • Reconnaissance General Bureau – North Korea’s primary intelligence organization.
  • Korea Mining Development Trading Corporation KOMID – The primary arms dealer and main exporter of military equipment and conventional weapons.
  • Korea Tangun Trading Corporation – Responsible for the procurement of technologies to support national defense research.

These sanctions established by an executive order concern the North Korean Reconnaissance General Bureau and officials in Iran, Russia and China. Anyway, security experts consider the act just a demonstrative position because the US authorities have always expressed their diffidence against the above entities.

“We take seriously North Korea’s attack that aimed to create destructive financial effects on a U.S. company and to threaten artists and other individuals with the goal of restricting their right to free expression,” added the White House Press Secretary Josh Earnest.

The US government gives a deeper meaning to the sanctions, considered the “first aspect of our response.”

The position of President Obama in a letter to Congress:

“The order is not targeted at the people of North Korea, but rather is aimed at the government of North Korea and its activities that threaten the United States and others.”

Many experts speculated that the recent Internet outage suffered by North Korea was a possible response of the US cyber units to the attack on Sony Pictures systems, but the US government has refused the accusation.

“Even as the FBI continues its investigation into the cyber-attack against Sony Pictures Entertainment, these steps underscore that we will employ a broad set of tools to defend U.S. businesses and citizens,” states

Secretary of the Treasury Jacob J. Lew.

The US government feels the need to assert its supremacy with a formal act expressing its dissent on what it considers an act of war.

“And administration officials insisted again that the Sony attack “clearly crossed a threshold,” in the words of one senior official, from “website defacement and digital graffiti” to an attack on computer infrastructure,” reports the New York Times.

Stay tuned for further information …



Posted: January 11, 2015
Pierluigi Paganini
View Profile

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.