Cyber-security firms are increasingly pointing the finger of blame for last week's hack of Sony Pictures at North Korea – just as the rogue state now denies it had any involvement.
Both Kaspersky and Symantec have analysed the Destover malware used to wipe the film and TV company's files, and found it uses the Korean language and has “glaring similarities” and “several links” with prior attacks on South Korea - which the South Korean Government said came from North Korea.
But the two firms stop short of definitively blaming North Korea – and experts agree it is too early to be sure of the attack's attribution, even though the country has the “means, motive and opportunity”.
North Korea is suspected of the hack because Sony Pictures is soon to release ‘The Interview’, a comedy film in which Seth Rogen and James Franco play two reporters granted an audience with North Korean leader Kim Jong-un who are then approached by the CIA to assassinate him.
In a 4 December blog titled “Mystery North Korean actor's destructive and past network activity”, Kaspersky researcher Kurt Baumgartner confirms the Sony Destover attack malware uses Korean language packs and has “glaring similarities with some of the suspect group's previous activity” – namely the DarkSeoul and Shamoon attacks.
The DarkSeoul campaign in March 2013 targeted South Korean TV broadcasters and major banks and the South Korean Government said it was carried out by North Korea, though this was not definitively confirmed.
The 2012 Shamoon attacks were against oil and energy companies including Saudi Aramco.
Kaspersky connects the three campaigns based on their shared methods of overwriting and restoring data, the type of wiper drivers they use, the “pseudo-political messages” they espouse, the tight timeframe between being compiled and deployed, and even the similar skeletal artwork used by the DarkSeoul ‘Whois’ and Destover ‘GOP’ groups (see pictures below and right).
Baumgartner says: “The list of commonalities does not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover. But it should be noted that the reactionary events and the groups' operational and toolset characteristics all carry marked similarities – and it is extraordinary that such unusual and focused acts of large-scale cyber-destruction are being carried out with clearly recognisable similarities.”
But directly asked by SCMagazineUK.com, a Kaspersky Lab spokesperson said the company does not talk about attribution, and gave SC this brief statement: “Kaspersky Lab does not comment or speculate on the origins of attacks, but provides factual analysis of the threats and any subsequent impact on people, organisations and infrastructure.”
Meanwhile in a 4 December blog, Symantec says the “Destover destructive malware has links to attacks on South Korea”, specifically the Volgmer and Jokra campaigns, as well as Shamoon. Jokra is the Trojan used in the DarkSeoul campaign.
Symantec says: “Destover shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.”
Symantec says the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.
It confirms: “The Destover attackers use techniques and components, such as file names, that are similar to those used in the Jokra (DarkSeoul) attacks. The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired. Destover is also configured to perform a delayed wipe.”
But Symantec too is cautious, saying: “Destover shares some techniques and component names with the Jokra attacks against South Korea in 2013. However there is no hard evidence as yet to link the attacks and a copycat operation can't be ruled out.”
Meanwhile, an unnamed North Korean diplomat in New York this week told US broadcaster Voice of America that claims the state was responsible for the attack were a "fabrication".
Analysing the conflicting evidence, UK cyber-security expert Alan Woodward, a visiting professor at Surrey University and a Europol adviser, says it is too soon to make a judgement.
He told SCMagazineUK.com: “I don't think it's totally conclusive at the moment. If it's a criminal court case it's certainly not beyond a reasonable doubt.
“Things are starting to point in North Korea's direction - they have the means, motive and opportunity. It may very well be North Korea, but they have actually now come out and said ‘look it just wasn't us’. That's actually quite an unusual step in itself.
“There are similarities, but sometimes that's done in order to implicate people falsely. I think Sony have got the right approach at the moment - which is let's wait for the forensics to come in which Mandiant are doing and that might tell us a bit more.”
Woodward added: “It is notable that the FBI haven't come out and given any definitive statement. I would wait for the FBI to come out and say something, because if they do you can probably assume there's further intelligence behind it.”
He also pointed out: “We may never know. That's the thing about a lot of these attacks, they lead the headlines but actually it's never quite resolved as to who did it.”
Meanwhile an analysis by security firm Blue Coat found the Destover malware was designed specifically for Sony's network and had a Korean language resource section.
The company “won't speculate one way or another” as to whether North Korea are the culprits, but damningly it says the “attack was simple but effective”, had “no binary packing, obfuscation of the samples, or anti-debugging techniques” and so “could have been prevented”.
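Both Kaspersky (“Korean language packs”) and Blue Coat (“a Korean language resource section”) are pointing at the same artefact: the language ID stamped on the resources embedded in the malware's PE file. The following is an added example, not code from the article or from any of the firms it quotes, showing how that check is made. It walks the three-level directory of a PE .rsrc section (type, name, language) and reports the LANGIDs found; the sample section is constructed inline with the builder in the same block and is not a Destover sample. Function and constant names are the example's own.

```python
import struct

# PE resource section structures, little-endian, as laid out in the PE/COFF specification
IMAGE_RESOURCE_DIRECTORY = struct.Struct("<IIHHHH")    # ..., NumberOfNamedEntries, NumberOfIdEntries
IMAGE_RESOURCE_DIRECTORY_ENTRY = struct.Struct("<II")  # Name/Id, OffsetToData
IMAGE_RESOURCE_DATA_ENTRY = struct.Struct("<IIII")     # OffsetToData (RVA), Size, CodePage, Reserved
SUBDIR_FLAG = 0x80000000      # high bit of OffsetToData: entry points at another directory
NAME_IS_STRING = 0x80000000   # high bit of Name: field is an offset to a counted UTF-16LE string
LANG_KOREAN = 0x12            # primary language ID; the full LANGID 0x0412 is Korean (Korea)
RT_VERSION, RT_MANIFEST = 16, 24


def _need(rsrc, offset, size):
    """Reject any structure that would run past the end of the section."""
    if offset < 0 or offset + size > len(rsrc):
        raise ValueError("structure at 0x%x (%d bytes) runs past the section" % (offset, size))


def _entry_name(rsrc, name_field):
    """Decode a directory entry's identifier: an integer ID or a counted UTF-16LE string."""
    if name_field & NAME_IS_STRING:
        off = name_field & 0x7FFFFFFF
        _need(rsrc, off, 2)
        (length,) = struct.unpack_from("<H", rsrc, off)
        _need(rsrc, off + 2, 2 * length)
        return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")
    return name_field


def walk_resource_tree(rsrc, offset=0, path=()):
    """Yield (type, name, lang_id, data_rva, size) for every leaf of a .rsrc section.

    All offsets inside the tree are relative to the start of the section, so the
    caller passes the raw section bytes, not the whole file.
    """
    _need(rsrc, offset, IMAGE_RESOURCE_DIRECTORY.size)
    *_, n_named, n_id = IMAGE_RESOURCE_DIRECTORY.unpack_from(rsrc, offset)
    pos = offset + IMAGE_RESOURCE_DIRECTORY.size
    for _ in range(n_named + n_id):
        _need(rsrc, pos, IMAGE_RESOURCE_DIRECTORY_ENTRY.size)
        name_field, data_field = IMAGE_RESOURCE_DIRECTORY_ENTRY.unpack_from(rsrc, pos)
        pos += IMAGE_RESOURCE_DIRECTORY_ENTRY.size
        ident = _entry_name(rsrc, name_field)
        if data_field & SUBDIR_FLAG:
            if len(path) >= 2:
                raise ValueError("resource tree deeper than type/name/language")
            yield from walk_resource_tree(rsrc, data_field & 0x7FFFFFFF, path + (ident,))
        else:
            if len(path) != 2:
                raise ValueError("data entry found above the language level")
            _need(rsrc, data_field, IMAGE_RESOURCE_DATA_ENTRY.size)
            rva, size, _codepage, _reserved = IMAGE_RESOURCE_DATA_ENTRY.unpack_from(rsrc, data_field)
            yield (path[0], path[1], ident, rva, size)


def resource_languages(rsrc):
    """Sorted list of every distinct LANGID at the language level of the tree."""
    return sorted({lang for _, _, lang, _, _ in walk_resource_tree(rsrc)})


def has_primary_language(rsrc, primary):
    """True if any resource carries the given primary language (low 10 bits of the LANGID)."""
    return any(lang & 0x3FF == primary for lang in resource_languages(rsrc))


def build_rsrc(tree):
    """Serialise a {type: {name: {lang: None}}} description into .rsrc bytes.

    Only used to construct the sample below; data entries get dummy RVAs and sizes.
    """
    buf = bytearray()

    def emit(node):
        start = len(buf)
        buf.extend(IMAGE_RESOURCE_DIRECTORY.pack(0, 0, 0, 0, 0, len(node)))
        entries_at = len(buf)
        buf.extend(bytes(IMAGE_RESOURCE_DIRECTORY_ENTRY.size * len(node)))
        for i, (ident, child) in enumerate(node.items()):
            slot = entries_at + IMAGE_RESOURCE_DIRECTORY_ENTRY.size * i
            if child is None:                       # language level: emit a data entry
                off = len(buf)
                buf.extend(IMAGE_RESOURCE_DATA_ENTRY.pack(0x3000 + off, 64, 0, 0))
                IMAGE_RESOURCE_DIRECTORY_ENTRY.pack_into(buf, slot, ident, off)
            else:                                   # type or name level: emit a subdirectory
                IMAGE_RESOURCE_DIRECTORY_ENTRY.pack_into(buf, slot, ident, SUBDIR_FLAG | emit(child))
        return start

    emit(tree)
    return bytes(buf)


# Constructed sample, not bytes from any real binary: a version resource present in
# Korean and US English, and a manifest present in US English only.
SAMPLE_RSRC = build_rsrc({
    RT_VERSION:  {1: {0x0412: None, 0x0409: None}},
    RT_MANIFEST: {1: {0x0409: None}},
})

if __name__ == "__main__":
    for type_id, name, lang, rva, size in walk_resource_tree(SAMPLE_RSRC):
        print("type=%d name=%s lang=0x%04x rva=0x%x size=%d" % (type_id, name, lang, rva, size))
    print("Korean-tagged resource present:", has_primary_language(SAMPLE_RSRC, LANG_KOREAN))
```

To run this against a real sample, extract the raw bytes of the .rsrc section with whatever PE parser you use and pass them to walk_resource_tree. The caveat is the one Woodward raises above: a resource language ID reflects the defaults of the build environment (or whatever the author chose to set) and is trivial to plant, so on its own it is a weak signal that merely agrees with the other artefacts the firms describe.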
As we previously reported, Sony Pictures was infiltrated due to its weak password policy. The attackers wiped data and leaked thousands of confidential documents such as salary details, security certificates and private keys for accessing servers, as well as a number of pre-release films including ‘Annie’.