Yesterday, The Los Angeles Times published a piece arguing that a Sony insider -- not North Korea -- pulled off the Great Sony Hack.
Respected voices in the online security and anti-hacking community say the evidence presented publicly by the FBI is not enough to draw firm conclusions.
They argue that the connections between the Sony hack and the North Korean government amount to circumstantial evidence. Further, they say the level of the breach indicates an intimate knowledge of Sony's computer systems that could have come from someone on the inside.
This week, prominent San Mateo, Calif., cybersecurity firm Norse Corp. — whose clients include government agencies, financial institutions and technology companies — briefed law enforcement officials on evidence it collected that pointed toward an inside job.
Kurt Stammberger is a VP at Norse.
Leads suggesting North Korea as the culprit turned out to be red herrings and dead ends, he said.
Instead, the data pointed to a former employee who may have collaborated with outside hackers. The employee, who left the studio in a May restructuring, had the qualifications and access necessary to carry out the crime, according to Stammberger.
Moreover, names of company servers and passwords were programmed into the malware that infiltrated the studio's network, suggesting hackers had inside knowledge of the studio's systems, Stammberger said.
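The detail about server names and passwords being baked into the malware is the kind of thing a triage analyst checks first, because it is cheap to verify and hard to fake after the fact. What follows is an added example, not code from the article, from Norse, or from any other party named on this page: it pulls ASCII and UTF-16LE strings out of a byte blob and flags UNC paths, internal hostnames, credential-style command arguments and IPv4 addresses. The sample blob, and every hostname, account and password inside it, is constructed here for illustration and describes no real network.

```python
"""Triage helper: extract embedded strings from a binary blob and flag the ones
that suggest the author had prior knowledge of the target environment.

Added example for this page; not code from the original article or any vendor.
SAMPLE_BLOB below is constructed: the hostnames, account and password are invented.
"""
import re

# Indicators of baked-in environment knowledge (all patterns are assumptions
# about how such strings usually appear; tune them for the sample at hand).
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\\]+")          # \\HOST\share
FQDN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,}\b", re.I)  # 2+ dots
CRED_RE = re.compile(r"(?:/u(?:ser)?:\S+(?:\s+\S+)?|(?:password|pwd|pass)=\S+)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CMD_RE = re.compile(r"\b(?:net\s+use|psexec|wmic|sc\s+create)\b", re.I)


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII and UTF-16LE strings (>= min_len chars) in file order.

    Windows malware commonly stores paths and commands as wide strings, which a
    plain ASCII 'strings' pass misses, so both encodings are scanned.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in wide_re.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16le")))
    found.sort()  # keep file order so hits can be mapped back to offsets
    return [s for _, s in found]


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Bucket extracted strings by the kind of insider knowledge they suggest."""
    hits = {"unc_paths": [], "hostnames": [], "credentials": [], "ipv4": [], "commands": []}
    for s in strings:
        hits["unc_paths"].extend(m.group() for m in UNC_RE.finditer(s))
        hits["hostnames"].extend(m.group() for m in FQDN_RE.finditer(s))
        hits["credentials"].extend(m.group() for m in CRED_RE.finditer(s))
        hits["ipv4"].extend(m.group() for m in IPV4_RE.finditer(s))
        hits["commands"].extend(m.group() for m in CMD_RE.finditer(s))
    return hits


def triage(blob: bytes) -> dict[str, list[str]]:
    """One-call wrapper: strings extraction followed by classification."""
    return classify(extract_strings(blob))


# Constructed sample: a fake PE-like prefix, two ASCII imports, one wide-string
# command line carrying an internal FQDN and a service account, and one ASCII URL.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00CreateProcessA\x00"
    + "cmd.exe /c net use \\\\FILESRV01.corp.example.local\\C$ /u:CORP\\svc_backup Wint3r2014!\x00".encode("utf-16le")
    + b"\x00" * 8
    + b"http://203.0.113.7/beacon\x00"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_BLOB).items():
        print(f"{bucket:12s} {values}")
```

A hit on an internal hostname or a domain account shows only that whoever built the binary possessed that name at build time; it does not say whether it came from an employee, a prior intrusion, or a leaked document, so the finding has to be laid against access logs and the HR timeline before it supports an "insider" conclusion. Packed or encrypted samples also need to be unpacked first, or the pass will come back empty and prove nothing either way.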
Ralph Echemendia directs another cyber firm called Red-e Digital. He says that the hackers tried to "monetize" their hack, and only when that attempt failed did they make any mention of The Interview. In other words: when they couldn't get the $$$, they went for the lulz.
A disturbing parallel.
The FBI continues to insist that North Korea did it. Emptywheel points out the disturbing parallels between the FBI's work on this case and the job they did on the great anthrax scare.
So 13 years ago, anonymous sources blamed Iraq for the attack, 12 years ago they blamed Steven Hatfill, and 6 years ago, they started blaming Bruce Ivins. Probably, none of those claims are true.
The problems with the Ivins claim stem entirely (says Marcy) from the FBI's bizarre refusal even to consider the possibility of a criminal conspiracy.
Her argument, vis-a-vis Ivins, derived largely from this piece by Jim White, published on Marcy's site in 2011 (and based on documents released to Marcy Wheeler).
The 2011 article offers a remarkable reconstruction of events. One key document: A 1999 assessment by USAMRIID (the U.S. Army Medical Research Institute of Infectious Diseases, which really needs to come up with a shorter name). The report speaks of the threat of stolen infectious agents, and of possible thefts perpetrated by insiders.
White thinks that the 2001 anthrax strain came from a biowarfare facility located somewhere within the Nevada Test Site. (The Nevada Test Site is that weird, empty landscape you pass by when driving from Vegas to Mercury, Nevada.) The whole incident may have been a deliberate ploy to secure funding for a massive new Defense Threat Reduction Center in Fort Belvoir, Virginia, which opened in 2005.
Well, that's one theory. There's a lot more to the anthrax story (and I won't be surprised if one of my readers decides to send in a riff on that topic).
The important take-away here is that the FBI has been wrong before. Hatfill didn't do it, and Ivins too may have been innocent. (PBS, not normally critical of the government, looked into the Ivins case in 2011.) Are the feds wrong now, on North Korea?
Let's return to Marcy's new story. The claim against NK was made not just by the FBI but by a firm called Mandiant, which specializes in cybersecurity. Mandiant has close ties to the American intelligence community, as you can see for yourself with a little googling.
There’s one more factor that deserves notice here: the role of cybersecurity firms in laundering government propaganda.
One of the most pregnant observations in Zetter’s Countdown to Zero Day comes after Symantec published the first details implicating the US and Israel in the Stuxnet attack. The Symantec team expected a bunch of others to jump in and start validating their work. Instead, they were met with almost complete silence. While Zetter didn’t say it explicitly, the implication was that the security industry is driven by its interest in retaining the good will of the US Government.
And while in this case there is no lack of experts willing to push back against US claims, I just wonder whether at least some of the initial credulity on the North Korea claims arose because of the dominance of USG contractors among the earliest reports on the hack?
Under the circumstances, I'm surprised that so many cybersecurity firms are voicing their distrust of the FBI's findings.
Yes, it is very possible that the Bureau has information that they cannot share with the general public. Our intelligence community may have an "inside" source within NK.
But that's why we have intelligence committees, right? Isn't it time for the Bureau to present the full story to Congress?