Experts believe former Sony employees were behind hacking

Team appear to be moving away from the theory the attack was carried out by North Korea

Security experts investigating the devastating hack against Sony Pictures appear to be moving away from the theory that the attack was carried out by North Korea, focusing instead on disgruntled former employees.

Researchers at cybersecurity firm Norse claim that six former employees could have compromised the company’s networks, arguing that accessing and navigating selective information would take a detailed knowledge of Sony’s systems.

Norse was not part of the official FBI investigation, but did brief the government on Monday, the company said. Though noting that the findings were "hardly conclusive", Norse senior vice-president Kurt Stammberger told the Security Ledger that nine researchers had begun to explore the theory that an insider with motive against Sony would be best placed to execute a hack.

Leaked database

The team had started by examining a leaked database of employees made redundant during a restructuring in May.

Of six people Norse claim had involvement with the hack, one was a former staffer made redundant in May after 10 years at the firm. She had a technical background and used social media to berate the company after losing her job, it is claimed.

Working with pro-piracy activists in the US, Asia and Europe, she may have used secretive discussion forums and IRC (chat) to co-ordinate the attack, researchers claim.

“We see evidence for those two groups of people getting together,” Mr Stammberger said.

Meanwhile, FBI investigators are exploring whether hackers outside North Korea were hired for the attack, a source told Reuters on Monday. North Korea lacks some of the capability required to carry out the attack, the agency believes, so may have contracted out some of the work.

Scepticism

The development indicates that the FBI may be shifting from its previous official position, which stated that “the FBI now has enough information to conclude that the North Korean government is responsible for these actions”, while US president Barack Obama described it as “an act of cybervandalism”. North Korea has denied any involvement.

However, the FBI’s statement has been met with scepticism by the security community who have pointed to inconsistencies and conflicting evidence in the case against North Korea.

Marc Rogers, head of security for Defcon, said that the malware used in the hack would have required extensive knowledge of Sony’s systems.

“While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider,” he wrote. “It also fits with the pure revenge tact that this started out as.”

Former “Anonymous” hacker Hector Monsegur, known as Sabu, also said he doubted North Korea was responsible.

"They don't have the infrastructure [to download that volume of data]. They do have state-sponsored hackers, but so does China, so does the US."

He told CBS News it was more likely a former employee downloaded and then sold the data from Sony.

“The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks,” said writer Bruce Schneier.

“This sort of evidence is circumstantial at best. It’s easy to fake and it’s even easier to interpret it wrong. In general, it’s a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the ‘evidence’ to suit the narrative they already have worked out in their heads.”

Mr Schneier also said that diplomatically it may suit the US government to be “overconfident in assigning blame for the attack” to try and discourage future attacks by nation states.

– (Guardian service)