In an exclusive interview with GotNews.com one of the world’s leading cyber crime fighters doubts that North Korea was behind the Sony hack.
“I have specialized in investigating and catching cyber criminals for nearly 15 years. This just doesn’t make sense,” says Christopher Davis, a cyber security expert and the only Canadian, and one of the few non-FBI employees, to receive an FBI Director’s Award.
GotNews.com interviewed Davis over Gchat. “Well, 99.99% of breaches like this involve getting malware on a system and using the door that opens to work from there. So physical access wouldn’t be needed, no. However, it does seem to me that the attackers either knew the network really well, or took a long time to learn it. I would lean more towards they knew the network, but that is just my gut and a guess.”
Asked to speak generally about companies like Sony’s weak internal security, Davis said, “They care about checking off boxes on a compliance list, not actually securing their networks. At least that is what I have seen over and over in my 20+ years in the security industry.”
Davis continued. “So that is mostly why I am confused. All the activity that was reported screams Script Kiddie to me. Not advanced state sponsored attack. However I know and respect the people saying it was NK. So.. well”
The timeline of the demands also makes Davis doubt North Korea. “So from what I have heard, the attackers initially didn’t even mention the movie in their demands,” Davis notes. “It was only after… The Wall Street Journal reported that it was maybe North Korea that the movie demands popped up.”
The modus operandi of the hackers also makes him doubt a North Korean angle.
Well the stupid skeleton pic they splashed on all the screens on the workstations inside Sony.. that is not something a state sponsored attack would do.. That wasn’t public. That was blackmail demands giving Sony a couple days to pay up or whatever.. The image they used on the workstations.. have you seen it? Would ANY self respecting state sponsored actor use something as dumb as that?
In Davis’s circles, “The prevalent theory I am seeing in the closed security mailing lists is an internal group of laid off Sony employees.”
Davis is also suspicious of any claims offered that trace the attack back to North Korea.
The compile language and timestamps are so damn easy to set manually when you compile the code.. That shouldn’t be considered evidence of anything IMHO
So one of the evidence pieces they are focusing on is that the malware/trojan/backdoors, whatever you want to call the code.. was compiled using a Korean language pack, and the timezone matches Pyongyang. That is pretty weak evidence.
I could compile malware code that used Afrikaans and where the timestamp matched JoBerg in about 5 seconds.
The C2 (command and control) IPs are all over, and are simply previously compromised systems.
Davis concluded, “I don’t know anything about the internals of that attack outside of what has been reported and shared within the security community. However based on my experience I would say it feels very much unlike a state sponsored NK attack.”
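The point Davis makes about compile timestamps is easy to see in the file format itself: the "compile time" of a Windows executable is a single 32-bit field in the COFF header, written by the build tool and trusted by nobody who checks it. The following Python script is an added illustration and is not code from the article or from Davis; it constructs a minimal PE header in memory (a constructed sample, not a real binary), reads the TimeDateStamp field the way an analyst's triage script would, and scores its plausibility. The bounds used (the epoch and the analysis date) are assumptions chosen for this example.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification (well-known, not page-specific).
DOS_E_LFANEW = 0x3C            # offset of the pointer to the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 8      # TimeDateStamp sits 8 bytes after "PE\0\0"
SENTINELS = {0x00000000, 0xFFFFFFFF}   # values some linkers/packers emit as "no time"


def build_minimal_pe(timestamp: int, machine: int = 0x14C) -> bytes:
    """Construct a tiny, non-executable PE image (constructed sample for this example):
    a 64-byte DOS header, the PE signature and a COFF file header carrying `timestamp`."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, 0x40)   # PE header starts right after DOS header
    coff = struct.pack(
        "<HHIIIHH",
        machine,      # Machine (0x14C = i386)
        0,            # NumberOfSections
        timestamp,    # TimeDateStamp: seconds since 1970-01-01 UTC, set by the linker
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0,            # SizeOfOptionalHeader
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def read_compile_timestamp(pe: bytes) -> int:
    """Return the raw TimeDateStamp from a PE image; raise on a malformed header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, DOS_E_LFANEW)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return ts


def assess_timestamp(ts: int, observed_at: int, earliest_plausible: int) -> str:
    """Classify a compile timestamp for triage. Even 'plausible' only means the value is
    not self-evidently fake; it is attacker-controlled and never attribution evidence on its own.

    observed_at      - epoch seconds when the sample was first seen (assumed reference point)
    earliest_plausible - epoch seconds before which no build of this toolchain could exist"""
    if ts in SENTINELS:
        return "sentinel"                 # linker wrote no real time
    if ts > observed_at:
        return "future"                   # postdates first sighting: clearly not a build time
    if ts < earliest_plausible:
        return "implausibly_old"
    return "plausible_but_unverified"


def triage(pe: bytes, observed_at: int, earliest_plausible: int) -> dict:
    """One-stop helper: extract the stamp, render it, and attach the plausibility verdict."""
    ts = read_compile_timestamp(pe)
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts not in SENTINELS else None,
        "verdict": assess_timestamp(ts, observed_at, earliest_plausible),
    }


if __name__ == "__main__":
    # Assumed reference points for the demo: first sighting 2014-12-19 UTC,
    # and nothing built with this toolchain before 2010-01-01 UTC.
    first_seen = int(datetime(2014, 12, 19, tzinfo=timezone.utc).timestamp())
    earliest = int(datetime(2010, 1, 1, tzinfo=timezone.utc).timestamp())
    for label, stamp in [("real-looking", 1417392000), ("zeroed", 0), ("post-dated", first_seen + 86400)]:
        print(label, triage(build_minimal_pe(stamp), first_seen, earliest))
```

The verdicts deliberately stop at "plausible but unverified": a timestamp that survives these checks has passed a sanity filter, nothing more, because the field is written by whoever ran the linker and can be edited afterwards with any hex editor. Some modern toolchains (MSVC with reproducible builds, for example) do not even store a time there but a hash of the image, so an analyst should corroborate any stamp against independent sources such as first-seen dates from telemetry or certificate validity windows before giving it weight.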
As a guy that works with the FBI on cyber crime fairly often, I still can't help but feel like they got this wrong. NK lacks this ability.
— Christopher M Davis (@DavisSec) December 19, 2014