Sony Pictures Entertainment might have been compromised this fall by Russian attackers, who are still lurking within Sony's network now. These Russian criminals were probably not working with the North Korean government. Bad news: the intel about the existence of said Russian cybercriminals may not be reliable, in the opinion of a recently retired US Naval intelligence officer.
A report released by Taia Global reveals some new information about threats to Sony. While it doesn't provide a wealth of damning evidence pointing to any particular perpetrator, it does serve as a reminder of why attribution continues to be such a persistent problem in fighting cybercrime. Just because your organization was compromised in several ways at the same time doesn't necessarily mean the attacks were related. Just because two malicious parties have compromised you at the same time doesn't mean they're working together.
"The reason why it's so confusing [in the Sony case] ... is because the evidence is so conflicting," says Taia Global founder and CEO Jeffrey Carr.
In the report, Carr describes what he learned through conversations with a black hat hacker who goes by the name "Yama Tough." Carr says the two have established a trusting relationship: they have known each other a long time, and Carr knows Yama Tough's true identity.
Carr says he asked Yama Tough directly if he was personally involved with the attack. He said he was not, and Carr believes him. However, at Carr's request, Tough used his own contacts to find some information about the people behind the Sony attacks. Tough then related to Carr what he'd been told by an unnamed Russian hacker (referred to as "URH" in the report), whom Tough described "as a long-time black hat hacker who does occasional contract work for Russia's Federal Security Service." From the report:
URH told Yama Tough that he sent spear phishing emails to Sony employees in Asia and Russia and then used an advanced pivoting technique to move inside the SPE network... The email sent by URH and his 12 team members contained a .pdf attachment, which was loaded with a Remote Access Trojan (RAT) that isn’t in any AV signature database.
To back up his words, URH shared Sony documents that were not found in the big data dumps that other attackers had published on Pastebin. Among those documents were Sony emails dated as recently as Jan. 23.
The participation of Russian-speaking cyber actors fits with earlier research conducted by Carr and Taia Global. They conducted a linguistic analysis of all the messages (about 2,000 words in all) written by the "Guardians of Peace" -- the hacking group that took responsibility for at least some of the attacks on Sony and exposed all manner of sensitive Sony documents. That analysis indicated that the authors were native Russian speakers.
This all leads Carr to the conclusion that either a group of Russian hackers and a group of North Korean attackers were running separate, simultaneous attacks against Sony, or perhaps North Korea was never involved at all, and it was simply another group that included at least one Russian individual. He does not think that a party of Russians and a party of North Koreans were working collectively.
"They said they had nothing to do with North Korea," says Carr of the unnamed Russian hacker. He further remarks that he can't see why North Korea would hire a group of Russian hackers to do their dirty work -- because the country already has its own state-sponsored cyber army and it had already damaged any attempt at plausible deniability when it made threats against Sony months before the attacks. "What I think is that there were multiple parties in there [in Sony]."
The next question then is, which party did what?
Carr doesn't think that URH was necessarily involved in the wiper attack that turned so much Sony hardware into bricks. The only malware URH discussed was a remote access tool, not a wiper. Then again, Guardians of Peace (GOP) took responsibility for the wiper -- their name was pasted on every locked computer screen -- so if the linguistic analysis of the GOP's messages is accurate, then the wiper was also used by Russian-speaking attackers, possibly, but not necessarily, including the individual URH referenced in Carr's report.
Carr says that one of the troubles with cybercrime attribution may be that the security industry has become too reliant on analyzing only signal data and machine communications, while forgetting the value of analyzing human communications.
On that point, retired U.S. Naval intelligence officer Tom Chapman, now director of the Cyber Operations Group at EdgeWave, agrees. Yet, Chapman is still skeptical about Carr's report, saying that there's "nowhere near enough" information to draw confident conclusions from it.
"It's possible, but it's weak," says Chapman. "Human sources are always the least credible."
Chapman is particularly suspicious about the motivations of Yama Tough and his source. Yama Tough is not taking credit for the attack himself, so he doesn't get hacker bragging rights. He could also be hurting his reputation in the black hat community, since he's sharing details given to him by another black hat. As for Tough's source, Chapman acknowledges that criminal hackers may trumpet their exploits more than other kinds of criminals, but says that professional, financially motivated hackers "stay quiet" (especially if they're going after Russian targets).
"When the [Sony] attack came out," says Chapman, "I was skeptical it was North Korea alone. I'm still a bit skeptical."
He says he believes the FBI's official word that the North Korean government was behind the attacks, but that the FBI hasn't publicly released enough supporting data for him to draw that conclusion himself.
Chapman says he puts more credence in some "official" statements than others, depending upon whose mouth the words are coming out of. For example, when FBI Director James Comey said “I have very high confidence in this attribution, as does the entire intelligence community,” Chapman believes it, because military and intelligence officials cannot, by law, lie to the American public.