So, was it North Korea that breached Sony Pictures Entertainment (SPE)? The FBI, Whitehouse, and a pile of other people are telling you it is. But if you were to ask me my position on the matter…simple answer, unlikely.
- This was a coordinated attack targeting Sony Pictures Entertainment (SPE) and utilized a Server Message Block (SMB) Worm Tool to conduct cyber exploitation.
- This SMB Worm Tool is equipped with a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.
- The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure.
- The malware has the ability to propagate throughout the target network via built-in Windows shares – this is what makes it a worm.
- Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems.
- There are no callback domains associated with this malware since connections are inbound only on a specified port number.
- 220.127.116.11 / Thailand
- 18.104.22.168 / Poland
- 22.214.171.124 / Italy
- 126.96.36.199 / Bolivia
- 188.8.131.52 / Singapore
- 184.108.40.206 / Cypress
- 220.127.116.11 / United States
As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
- The wording is carefully and purposefully used:
- “the FBI now has enough information to conclude that the North Korean government is responsible for these actions.” – note, this does not clarify whether the Republic of North Korea launched, ordered, encouraged, or simply commented on the action. The use of the word “responsible” is purposefully vague.
- Correlation forcing causation:
- “there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.” – bad guys share code and are notoriously lazy. They will use whatever it takes to get the job done. As such, code is borrowed from other attackers, purchased in underground markets, etc.
- “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” – If you’ve ever seen a movie or television show where ‘hacking’ is depicted, you already know that attackers “hop” from server to server to conduct their nefarious activities. This is as much to hide their tracks as it is to leverage distributed resources.
- “the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.” – again, similarities in tools and code are not enough to assign attribution.
The evidence provided thus far, or lack thereof, makes parroting and perpetuating this information irresponsible, at best, and potentially dangerous in extreme circumstances.
SMB Worm Tool:
Destructive Hard Drive Tool:
Destructive Target Cleaning Tool:
Network Propagation Wiper: