Hidden Harmonies China Blog

As China Re-Awakens, Finding New Harmonies in a Brave New World...

Sony: the great propagandizer in the middle of its hacking scandal

by 13 Comments

Sony has a tumultuous month with its hacking scandal involving the embarrassing leaked emails, ncluding: Angela Jolie, Barack Obama, and Leaked Salaries.

Sony being sued because of the leaked data is not the worst part, but the potential loss of its business because Hollywood can no longer trust Sony is probably even worse. So at Sony’s darkest hour, Sony decides to deflect from its hacking scandal to North Korea. Western Propaganda ate this whole thing up: From FBI blames North Korea, Obama vows response, to North Korea Internet down.

Besides deflecting the criticism towards the North Korea, Sony seem to kill 2 birds with one stone and will get free publicity towards “The Interview” movie anyways as the movie is released in digital media and movie theaters in its Christmas Day release. It makes Americans as a ‘patriotic’ thing to do as a thumbs down against ‘censorship’ and North Korea to watch this otherwise mediocre movie.

The only problem is that alot of Security experts doubt that North Korea actually did the hack. There are plenty of articles that like this, this, and that.  I would like to add in my 2 cents.

First it is the type of data being stolen. Most of the “normal” hacking incidents is usually logins, passwords, addresses, credit card #’s which can be obtained from a compromised e-tailer’s web server like Home Depot and Target. However, the type of data being stolen in this hacking incidents are emails, computer inventory spreadsheets, and data that could not get stolen in an web server. The only incidents where this type of data was in the Bradley Manning and Edward Snowden, where a former insider was able to retrieve this kind of data.

Second it is amount of data data being stolen. yet how can 100 TB of data be stolen under the noses of the security engineers of Sony? Let’s face it, North Korea’s internet infrastructure won’t handle this much data and the speculation of some North Korea’s elite unit operating in Shenyang is just ludicrous.

Third it is the intent. the original intent from hackers was to extort money from Sony for not releasing the embarrassing emails, and not to stop the release “The Interview.”  An article from Wired best summarize this:

Nation-state attacks aren’t generally as noisy, or announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack. Nor do they use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of GOP have done in media interviews. Nor do such attacks involve posts of stolen data to Pastebin—the unofficial cloud repository of hackers—where sensitive company files belonging to Sony have been leaked. These are all hallmarks of hacktivists—groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz, or by hackers sympathetic to a political cause.

The only plausible explanation of this hack is from a current or former disgruntled employee with backdoor access was able to steal more than 100 TB worth of data under Sony’s nose.  Instead Sony being in turmoil, it seems to be able to save its own skin by blaming North Korea.

Reader Interactions

Comments

  1. This incident will probably go down as future case study subject for propaganda damage control in classes. It is a near virtuoso performance by whoever came up with the strategy. However, as the author point out it is simply a very successful deception.

    I doubt the affected parties in the leaked would forgive Sony but they can no longer do it in a high profile manner or risked backlash as unpatriotic or aiding a renegade state.

  2. It looks like many have doubts about a N. Korea attack…

    See, e.g., http://mobile.nytimes.com/blogs/bits/2014/12/24/new-study-adds-to-skepticism-among-security-experts-that-north-korea-was-behind-sony-hack/?_r=0&referrer=

    A number of private security researchers are increasingly voicing doubts that the hack of Sony‘s computer systems was the work of North Korea.

    President Obama and the F.B.I. last week accused North Korea of targeting Sony and pledged a “proportional response” just hours before North Korea’s Internet went dark without explanation. But security researchers remain skeptical, with some even likening the government’s claims to those of the Bush administration in the build-up to the Iraq war.

    Fueling their suspicions is the fact that the government based its findings, in large part, on evidence that it will not release, citing the “need to protect sensitive sources and methods.” The government has never publicly acknowledged doing so, but the National Security Agency has begun a major effort to penetrate North Korean computer networks.

    Because attributing the source of a cyberattack is so difficult, the government has been reluctant to do so except in the rarest of circumstances. So the decision to have President Obama charge that North Korea was behind the Sony hack suggested there is some form of classified evidence that is more conclusive than the indicators that the F.B.I. made public on Friday. “It’s not a move we made lightly,” one senior administration official said after Mr. Obama spoke.

    Still, security researchers say they need more proof. “Essentially, we are being left in a position where we are expected to just take agency promises at face value,” Marc Rogers, a security researcher at CloudFlare, the mobile security company, wrote in a post Wednesday. “In the current climate, that is a big ask.”

    Mr. Rogers, who doubles as the director of security operations for DefCon, an annual hacker convention, and others like Bruce Schneier, a prominent cryptographer and blogger, have been mining the meager evidence that has been publicly circulated, and argue that it is hardly conclusive.

    For one, skeptics note that the few malware samples they have studied indicate the hackers routed their attack through computers all over the world. One of those computers, in Bolivia, had been used by the same group to hack targets in South Korea. But that computer, as well as others in Poland, Italy, Thailand, Singapore, Cyprus and the United States, were all freely available to anyone to use, which opens the list of suspects to anyone with an Internet connection and basic hacking skills.

    For another, Sony’s attackers constructed their malware on computers configured with Korean language settings, but skeptics note that those settings could have been reset to deflect blame. They also note the attackers used commercial software wiping tools that could have been purchased by anyone.

    They also point out that whoever attacked Sony had a keen understanding of its computer systems — the names of company servers and passwords were all hard-coded into the malware — suggesting the hackers were inside Sony before they launched their attack. Or it could even have been an inside job.

    And then there’s the motive. Government officials claim the Sony attacks were retaliation for “The Interview,” a feature film about two bumbling journalists hired by the C.I.A. to assassinate North Korea’s leader. In a letter last June, North Korea’s ambassador to the United Nations called the film “an act of war.” But naysayers point out that, as far as they can tell, Sony’s attackers did not mention the film as motivation until that theory percolated in the media.

    The simpler explanation is that it was an angry “insider,” Mr. Rogers wrote. “Combine that with the details of several layoffs that Sony was planning, and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all.”

    On Wednesday, one alternate theory emerged. Computational linguists at Taia Global, a cybersecurity consultancy, performed a linguistic analysis of the hackers’ online messages — which were all written in imperfect English — and concluded that based on translation errors and phrasing, the attackers are more likely to be Russian speakers than Korean speakers.

    Such linguistic analysis is hardly foolproof. But the practice, known as stylometry, has been used to contest the authors behind some of history’s most disputed documents, from Shakespearean sonnets to the Federalist Papers.

    Shlomo Argamon, Taia’s Global’s chief scientist, said in an interview Wednesday that the research was not a quantitative, computer analysis. Mr. Argamon said he and a team of linguists had mined hackers’ messages for phrases that are not normally used in English and found 20 in total. Korean, Mandarin, Russian and German linguists then conducted literal word-for-word translations of those phrases in each language. Of the 20, 15 appeared to be literal Russian translations, nine were Korean and none matched Mandarin or German phrases.

    Mr. Argamon’s team performed a second test of cases where hackers used incorrect English grammar. They asked the same linguists if five of those constructions were valid in their own language. Three of the constructions were consistent with Russian; only one was a valid Korean construction.

    “Korea is still a possibility, but it’s much less likely than Russia,” Mr. Argamon said of his findings.

    Even so, Taia Global’s sample size is small. Similar computerized attempts to identify authorship, such as JStylo, a computerized software tool, requires 6,500 words of available writing samples per suspect to make an accurate finding. In this case, hackers left less than 2,000 words between their emails and online posts.

    It is also worth noting that other private security researchers say their own research backs up the government’s claims. CrowdStrike, a California security firm that has been tracking the same group that attacked Sony since 2006, believes they are located in North Korea and have been hacking targets in South Korea for years.

    But without more proof, skeptics are unlikely to simply demur to F.B.I. claims. “In the post-Watergate post-Snowden world, the USG can no longer simply say ‘trust us’,” Paul Rosenzweig, the Department of Homeland Security’s former deputy assistant secretary for policy, wrote on the Lawfare blog Wednesday. “Not with the U.S. public and not with other countries. Though the skepticism may not be warranted, it is real.”

    Mr. Rosenzweig argued that the government should release more persuasive evidence.

    “Otherwise it should stand silent and act (or not) as it sees fit without trying to justify its actions. That silence will come at a significant cost, of course — in even greater skepticism. But if the judgment is to disclose, then it must me more fulsome, with all the attendant costs of that as well.”

    Or this – http://www.thedailybeast.com/articles/2014/12/24/no-north-korea-didn-t-hack-sony.html.

    No, North Korea Didn’t Hack Sony

    The FBI and the President may claim that the Hermit Kingdom is to blame for the most high-profile network breach in forever. But almost all signs point in another direction.

    So, “The Interview” is to be released after all.

    The news that the satirical movie—which revolves around a plot to murder Kim Jong-Un—will have a Christmas Day release as planned, will prompt renewed scrutiny of whether, as the US authorities have officially claimed, the cyber attack on Sony really was the work of an elite group of North Korean government hackers.

    All the evidence leads me to believe that the great Sony Pictures hack of 2014 is far more likely to be the work of one disgruntled employee facing a pink slip.

    I may be biased, but, as the director of security operations for DEF CON, the world’s largest hacker conference, and the principal security researcher for the world’s leading mobile security company, Cloudflare, I think I am worth hearing out.

    The FBI was very clear in its press release about who it believed was responsible for the attack: “The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” they said in their December 19 statement, before adding, “the need to protect sensitive sources and methods precludes us from sharing all of this information”.

    With that disclaimer in mind, let’s look at the evidence that the FBI are able to tell us about.

    The first piece of evidence described in the FBI bulletin refers to the malware found while examining the Sony Picture’s network after the hack.

    “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

    So, malware found in the course of investigating the Sony hack bears “strong” similarities to malware found in other attacks attributed to North Korea.

    This may be the case—but it is not remotely plausible evidence that this attack was therefore orchestrated by North Korea.

    The FBI is likely referring to two pieces of malware in particular, Shamoon, which targeted companies in the oil and energy sectors and was discovered in August 2012, and DarkSeoul, which on June 25, 2013, hit South Korea (it was the 63rd anniversary of the start of the Korean War).

    Even if these prior attacks were co-ordinated by North Korea—and plenty of security experts including me doubt that—the fact that the same piece of malware appeared in the Sony hack is far from being convincing evidence that the same hackers were responsible. The source code for the original “Shamoon” malware is widely known to have leaked. Just because two pieces of malware share a common ancestry, it obviously does not mean they share a common operator. Increasingly, criminals actually lease their malware from a group that guarantees their malware against detection. Banking malware and certain “crimeware” kits have been using this model for years.

    So the first bit of evidence is weak.

    But the second bit of evidence given by the FBI is even more flimsy:

    “The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

    What they are saying is that the Internet addresses found after the Sony Picture attack are “known” addresses that had previously been used by North Korea in other cyberattacks.

    To cyber security experts, the naivety of this statement beggars belief. Note to the FBI: Just because a system with a particular IP address was used for cybercrime doesn’t mean that from now on every time you see that IP address you can link it to cybercrime. Plus, while sometimes IPs can be “permanent”, at other times IPs last just a few seconds.

     It isn’t the IP address that the FBI should be paying attention to. Rather it’s the server or service that’s behind it.

    As with much of this investigation our information is somewhat limited. The FBI haven’t released all the evidence, so we have to go by what information is available publicly. Perhaps the most interesting and indeed relevant of this is the C2 (or Command and Control) addresses found in the malware. These addresses were used by whoever carried out the attack to control the malware and can be found in the malware code itself. They are:

    ● 202.131.222.102—Thailand

    ● 217.96.33.164—Poland

    ● 88.53.215.64—Italy

    ● 200.87.126.116—Bolivia

    ● 58.185.154.99—Singapore

    ● 212.31.102.100—Cyprus

    ● 208.105.226.235—USA

    Taking a look at these addresses we find that all but one of them are public proxies. Furthermore, checking online IP reputation services reveals that they have been used by malware operators in the past. This isn’t in the least bit surprising: in order to avoid attribution cybercriminals routinely use things like proxies to conceal their connections. No sign of any North Koreans, just lots of common, or garden, internet cybercriminals.

    It is this piece of evidence—freely available to anyone with an enquiring mind and a modicum of cyber security experience—which I believe that the FBI is so cryptically referring to when they talk about “additional evidence” they can’t reveal without compromising “national security”.

    Essentially, we are being left in a position where we are expected to just take agency promises at face value. In the current climate, that is a big ask.

    If we turn the debate around, and look at some evidence that the North Koreans might NOT be behind the Sony hack, the picture looks significantly clearer.

    1. First of all, there is the fact that the attackers only brought up the anti-North Korean bias of “The Interview” after the media did—the film was never mentioned by the hackers right at the start of their campaign. In fact, it was only after a few people started speculating in the media that this and the communication from North Korea “might be linked” that suddenly it did get linked. My view is that the attackers saw this as an opportunity for “lulz”, and a way to misdirect everyone. (And wouldn’t you know it? The hackers are now saying it’s okay for Sony to release the movie, after all.) If everyone believes it’s a nation state, then the criminal investigation will likely die. It’s the perfect smokescreen.

    2. The hackers dumped the data. Would a state with a keen understanding of the power of propaganda be so willing to just throw away such a trove of information? The mass dump suggests that whoever did this, their primary motivation was to embarrass Sony Pictures. They wanted to humiliate the company, pure and simple.

    3. Blaming North Korea offers an easy way out for the many, many people who allowed this debacle to happen; from Sony Pictures management through to the security team that were defending Sony Picture’s network.

    4. You don’t need to be a conspiracy theorist to see that blaming North Korea is quite convenient for the FBI and the current U.S. administration. It’s the perfect excuse to push through whatever new, strong, cyber-laws they feel are appropriate, safe in the knowledge that an outraged public is fairly likely to support them.

    5. Hard-coded paths and passwords in the malware make it clear that whoever wrote the code had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s (just) plausible that a North Korean elite cyber unit could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of a pissed-off insider.  Combine that with the details of several layoffs that Sony was planning and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all. 

    I am no fan of the North Korean regime. However I believe that calling out a foreign nation over a cybercrime of this magnitude should never have been undertaken on such weak evidence.

    The evidence used to attribute a nation state in such a case should be solid enough that it would be both admissible and effective in a court of law. As it stands, I do not believe we are anywhere close to meeting that standard.

  3. About the “freedom of speech” issues here: the media is rife with the narrative that Sony is a victim here and that N. Korea is out to silence everyone’s freedom to speech. Even if the facts underlying these allegations are presumed true, the logic does not. I like to see a movie / comedy made about the assassination of Barack Obama. But even that doesn’t compare to N. Korea’s situation. N. Korea is under siege by the U.S. led block of advanced-economy nations. It has fighting for its survival for a while. More like it is to have a movie made about the assassination of Churchill during England’s darkest hours in WWII. Will such a movie be billed as the “freedom of speech”?

    Freedom of speech – as billed today – is about freedom to mock the society, culture, beliefs, ideals, yearnings, religion of the weak. For the strong, such an act would not even be talked about as freedom, it would be talked about as an attack on civilization, society, “law,” “liberty,” national security, public safety, etc. Any talks of freedom would be ridiculed and discounted as insane.

    Thinking about writing a post on this…

  4. Stuff like this has been done before. Remember the canceled Bob Dylan concert in China? The promoter BBH blamed the Chinese government censors for not issuing permit in order to get out of paying the gauranteed touring fee. However later it was revealed BBH never applied for concert permit:

    http://www.pollstar.com/news_article.aspx?ID=718152

    And Dylan himself eventually responded (and performed in China):

    http://www.bobdylan.com/us/news/my-fans-and-followers

    In this case, blaming NK gets Sony off on many potential corporate liability issues.

  6. The whole thing stinks like a false flag operation and Sony went along with it. Sony is a Japanese corporation. It has alot to benefit in chiming in along with their feudal masters in Washington with anti-North Korea hysterics.

  8. Following up on Comment #3 above.

    Don’t know if people realized, but on Christmas (and a couple of days afterwards), Google had this blurb up on google’s homepage: “Our mission is to make the world’s information accessible — yes, even Seth Rogen movies.”

    Click on the image above to see a full screen shot and note the message in the place that usually says “I feel lucky”. (For more see also this USA Today article).

    Talk about Sony propaganda – let’s think Google propaganda while we are at that!

    Even Microsoft – which is also participating to show the movie online – didn’t do that on its homepage, or xbox page, or bing.com page…

    Now we know why Google is so “treasured” by the ideologues of today. It is an important opiate for the masses.

    Hey Google, why don’t you show the beheading of Americans … or the comedies about beheading or Americans or American leaders? Google is not only engaged in censorship, but is often the final arbiter of censorship!

  10. The minute FBI accused North Korea, I knew they were full of BS.

    Why does the FBI make such accusations?

    The other day I was watching the movie about Jackie Robinson, the first black baseball player. In the movie, during a game, the opposing team had a manager who kept hurling racist verbal insults at Robinson, knowing that Robinson can’t fight back, verbally or physically.

    FBI is pretty much doing the same thing. In absence of actual evidence, hurl accusations against those who can’t fight back.

    North Korea actually does insult back, hence, it only makes North Korea look more guilty.

  11. It’s interesting that China has downplayed the whole incident and that the coverage has largely been neutral. I wonder if it’s because the Chinese leadership is largely confused or if they’re trying to distance themselves from the DPRK.

  12. Here’s the latest round of propaganda on this, “Bureau 121”:

    http://www.cnn.com/2015/01/06/asia/north-korea-hackers-shenyang/

    Except what our media doesn’t mention is Prof. Kim has has financial tie with the US government. Prof. Kim is the director of North Korea Intellectual Solidarity which is a grantee of NED. Kim’s work with NED-funded Human Rights Foundation also makes him beholden to our government.

  13. Charles Liu :

    Here’s the latest round of propaganda on this, “Bureau 121″:

    http://www.cnn.com/2015/01/06/asia/north-korea-hackers-shenyang/

    Except what our media doesn’t mention is Prof. Kim has has financial tie with the US government. Prof. Kim is the director of North Korea Intellectual Solidarity which is a grantee of NED. Kim’s work with NED-funded Human Rights Foundation also makes him beholden to our government.

    EditMore OptionsModerateSpamTrashMoveE-mailBlacklist

    This is funny. The CNN propagandist went to Shenyang to this ethnic Korean Restaurant and Hotel and found hostesses in there but could not find a single hacker den and their only ‘source’ is this defector from North Korea.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.