US government reportedly blaming North Korea for Sony hack

News by Tim Ring

US officials have concluded that North Korea was "centrally involved" in the cyber-attack on Sony Pictures, according to American national media and TV reports.

The New York Times and Wall Street Journal, together with CNN TV News and others, have quoted senior Obama administration officials as saying that Pyongyang was behind last month's hack on the Californian TV and film company, carried out by the so-called ‘Guardians of Peace’.

The officials “strongly suspect” North Korea's Unit 121 cyber-espionage team, part of the country's General Bureau of Reconnaissance, carried out the hack.

The reports have met a mixed response from Europe's information security community - as has Sony's decision earlier this week to cancel its planned release of ‘The Interview’, a comedy about a CIA plot to kill North Korean leader Kim Jong-un which is believed to have sparked off the cyber-attack.

This followed the refusal of the main US cinema chains to screen the film, raising concerns about an apparent surrender to a rogue nation-state attack on free speech.

According to Thursday's New York Times: “American officials have concluded that North Korea was ‘centrally involved’ in the hacking of Sony Pictures computers. Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was debating whether to publicly accuse North Korea of what amounts to a cyber-terrorism attack.

“Officials said it was not clear how the White House would respond.”

Likewise, the Wall Street Journal reported: “US officials' conclusion that Pyongyang was behind the hacking attack on Sony Pictures has raised the difficult question of how Washington should respond to an aggressive act by a foreign government.

“Investigators strongly suspect the attack was carried out by Unit 121. That team has previously been linked to other cyber-attacks against South Korean targets.

“US officials are still gathering evidence and are trying to build a clearer picture of who directed the hacking and how.”

If confirmed, the US government's verdict builds on evidence gathered two weeks ago by Symantec and Kaspersky, who both analysed the Destover malware used to wipe Sony's files, and found it used the Korean language and had “glaring similarities” and “several links” with the earlier Dark Seoul campaign against South Korea - which the South Korean Government insisted came from North Korea.

However, both companies stopped short of directly accusing North Korea.

Asked about the latest reports based on unnamed sources, UK cyber-security expert and Europol adviser Professor Alan Woodward was sceptical.

“This has more credibility than the speculation before. It suggests they have some intelligence other than electronic intelligence, because proving attribution from a purely electronic point of view is very difficult,” he told

Woodward said Unit 121 is synonymous with North Korea - so any evidence of hacking by North Korea would inevitably mean this Unit was involved.

But he added: “What I would say is that Unit 121 does active hacking. So if there is evidence pointing at them, it would suggest that North Korea itself has done it, rather than getting some other group to do it on its behalf.”

Another cyber-expert, Brian Honan, director of BH Consulting in Ireland, also remained unconvinced by the latest reports.

He told SC: “Unfortunately anonymous briefings and undisclosed sources don't really hold a lot of weight. We've had issues before where anonymous sources have made claims that were subsequently found to be untrue.

“The jury's out. The Korean language being used, wiper software being re-used – that's all circumstantial evidence.

“Unless there is other evidence that reinforces their belief that North Korea is behind it, it's very difficult for us to say whether they did it or not.”

But Honan was concerned at Sony's decision to drop ‘The Interview’, telling SC: “The implications are quite serious. It sends a message that if you have an agenda and want something done, then maybe a cyber-attack is one way to do it.

“It doesn't bode well for free Western democracy that companies can be bullied into doing the will of those who have some hold over them.”

However, he suggested: “If Sony wants to send a message to whoever's behind the attack, they should release the film online at a dollar a view or something like that, and let people stream it and look at it online.

“Therefore you're not putting any physical assets or people at risk. And let's face it, what other movie has had this type of publicity?”

Woodward understood Sony's pull-out: “The Guardians of Peace has said it would attack cinemas. Sony and the cinema owners have tried not to put the public at risk.

“From Sony's perspective its reputation is already pretty damaged. The last thing it wants to be seen as doing is distributing a film that then resulted in people getting hurt.”

Like Honan, he too saw a positive way forward for Sony: “This film has now had more publicity than you could shake a stick at. When it finally does come out – and it will – everyone's going to go and see it, and see what all the fuss was about. Sony is not going to lose out in the long term.”

Doubts about North Korea's culpability have also been raised by Marc Rogers, director of SecOps at DEF CON and a principal security researcher with CloudFlare.

In an 18 December blog post, he said: “Everyone seems to be eager to pin the blame for the Sony hack on North Korea. I think it's unlikely. Here's why: the broken English looks deliberately bad and doesn't exhibit any of the classic comprehension mistakes you actually expect to see in ‘Konglish’ - it reads to me like an English speaker pretending to be bad at writing English.

“The fact that the code was written on a PC with Korean locale and language actually makes it less likely to be North Korea. Not least because they don't speak traditional ‘Korean’ in North Korea, they speak their own dialect and traditional Korean is forbidden.”

In an email to press, Eugene Kaspersky, CEO, Kaspersky Lab commented: “The Sony hack is probably the first one that's been so globally high-profile. The most worrying aspect for me is that this hacker group is threatening to stage terror attacks. I don't know if there really is a link between this group and terrorists, but the threat does show that politically-motivated hackers may be embracing terrorists' methods. A merger between groups of hacktivists and traditional terrorist organisation has been a fear of mine for years.

“Of course, such an attack on the entertainment industry is very damaging and costly, but it's probably not as dangerous as an attack on critical infrastructure. In any case it's a very strong signal that even the most advanced hi-tech companies are not immune to hacker attacks, and we have to prepare ourselves for very serious and painful attacks in the future. Sadly, it's not easy to say which industry or company will be the next target.”

