Did they or didn't they? Experts weigh in on North Korea, Sony hack
The White House said Thursday that the recent attack on Sony Pictures, which led the company to cancel the scheduled Christmas release of its movie "The Interview," was a "destructive activity with malicious intent that was initiated by a sophisticated actor." But it stopped short of naming North Korea as the suspect.
As the FBI continues its investigation in conjunction with the National Security Division of the Department of Justice, it appears to be moving closer to officially blaming North Korea for the attack.
Sources tell CBS News Homeland Security Correspondent Bob Orr the FBI has definitively traced the attack back to the regime of North Korean leader Kim Jong-Un. Evidence shows hackers directed by North Korea's cyber unit used aggressive "data-wiping" malware to steal Sony's corporate secrets and then erase the company's computer files.
Yet some experts have expressed doubts about North Korea's capabilities, and see conflicting evidence among the clues.
Sources have reported that some of the malware code used in the attack was written in Korean. Experts say this could be a telltale sign, or a red herring.
Programming code often contains comments or elements called variables that are not technically part of the code, but act as annotations or explanations. Unlike universal programming languages, these can be written in the native tongue of the programmers themselves, which can be an indicator of the source of a piece of software. But it's very easy to write comments in another language, perhaps deliberately diverting attention elsewhere, cyberwarfare expert David Gewirtz told CBS News.
"A variable for a name and address program might be first name, last name," he explained. "In Spanish that's nombre, apellido, in Russian it's imya, familiya and in Korean it's ileum, seong. So if you see a variable named ileum seong, you have a feel that that might be Korean. The thing is, I don't speak Korean, I'm using Google Translate for that. I just gave you three different languages, none which I speak."
In an interview with "CBS This Morning," a former American hacker named Hector Monsegur, who worked under the code name Sabu and has also attacked Sony in the past, echoed doubt about the meaningfulness of the Korean text.
"Well, it doesn't tell me much. I've seen Russian hackers pretending to be Indian. I've seen Ukrainian hackers pretending to be Peruvian. There's hackers that pretend they're little girls. They do this for misinformation, disinformation, covering their tracks," he said.
North Korea has a known history of cyber attacks. South Korea has accused the North of engaging in over 6,390 cyber attacks against South Korean targets since 2010, including attacking websites, spreading malware and hacking emails.
In 2013, cyber attacks targeted South Korean banks and destabilized the servers and computers of South Korea's major TV networks. According to Orr, investigators found similarities between the Sony hack and those 2013 assaults. Sources say the digital fingerprints in both of those cases have been traced back to the North.
Mike Morell, CBS News' senior security contributor and former CIA deputy director, told CBS News' Charlie Rose, "North Korea has significant cyber capabilities. They use them quite frequently against South Korea. For a backward state that might be a little surprising, but they also have a nuclear weapon. So they're capable of achieving things when they focus on them."
When malware is used to perpetrate an attack, it may delete itself after deployment, but it often leaves a residue, pieces of itself that remain on an infected computer. Forensic investigators can use these traces to see if they match elements of past attacks. If in the Sony case there are similarities to other attacks attributed to North Korea, that could be a powerful indication of culpability.
"I don't think we'll be able to say absolutely that it came from North Korea," Gewirtz cautioned. "It's totally possible, though."
It is estimated that the North Korean government has employed at least 3,000 and possibly as many as 10,000 hackers. And the country is "almost undoubtedly" working with someone else, Gewirtz said. That could be another nation state, any of a massive network of organized crime groups around the world, or individual agents in other countries.
He is confident that at least with regard to the release of reams of embarrassing and reputation-ruining Sony emails to the public, North Korea would have needed outside help. "The North Koreans don't have enough cultural knowledge to know where all the juicy stuff is."
Monsegur was doubtful that North Korea has the technical capabilities to have pulled off the Sony attack. "It could be. In my personal opinion, it's not," he told "CBS This Morning." "Look at the bandwidth going into North Korea. I mean, the pipelines, the pipes going in, handling data, they only have one major ISP across their entire nation. That kind of information flowing at one time would have shut down North Korean Internet completely."
But Gewirtz countered that the country has more than enough bandwidth to initiate the so-called "command and control signal" to set off the attack, essentially the equivalent of hitting send on an email. According to Gewirtz, initiation can be done over a cellphone.
And while it might take a long time to download the massive amounts of data over North Korea's limited Internet infrastructure, he continued, it would certainly be possible. Possible, but perhaps not necessary. If the intent were to sift through it to find information useful, say, for blackmail purposes, "They don't need to do that from North Korea. They could have someone in Seoul -- or Seattle."