FBI evidence against North Korea gets stronger
The FBI has revealed that it was able to identify North Korea as the source of an attack on Sony Pictures after analysing the software used Kevork Djansezian/Reuters

When the FBI announced on 19 December that it believed North Korea was behind the devastating cyberattack on Sony Pictures, there were many in the security industry who doubted the validity of its assertion and questioned the evidence presented.

In the weeks since that initial announcement however we have been fed little morsels of additional information which has strengthened the FBI's case, and on 19 February, the head of the NSA gave us the clearest indication yet that the FBI's original assertion was true.

The director admiral of the National Security Agency, Matt Rogers, was speaking at a Canadian security conference when he revealed that his agency was able to identify the perpetrators after analysing the software used by the hackers - known as the Guardians of Peace:

"We ultimately ended up generating the signatures to recognize the activity ... used against Sony. From the time the malware left North Korea to the time it got to Sony's headquarters in California, it crossed four different commanders' lines or areas in the US construct."

Sony Pictures internal systems were hacked in November 2014, with hundreds of sensitive and embarrassing emails revealed, along with as-then-unreleased films leaked online.

However, it was the threats of violence against cinemas planning to show the film The Interview - a spoof story about the assassination of Kim Jong-un - which intensified the FBI's response.

Encryption keys

The evidence from Rogers lines up with something revealed by Dr. Thomas Rid, professor of security studies at King's College London, who told an audience at the Royal United Services Institute that the FBI had based its claim on the encryption keys used by the attackers:

"Another piece of evidence I have heard of from people who know, is that apparently some encryption keys were used... essentially somebody had insight into the encryption keys used by the North Koreans.

Amy Pascal has quit as head of Sony Pictures after hacking crisis revealed email barbs at Angelina Jolie
As part of the fallout from the hacking crisis, Amy Pascal quit as head of Sony Pictures after barbed emails directed at Angelina Jolie were revealed. Reuters

"An encryption mechanism that would be used to encrypt data before it is exfiltrated, that would be a unique identifier. Say you have the private key of the intruder, that is a signature basically. That's very high quality evidence. So a lot of people [have] come around to believing the FBI statement today."

Rid claims that one of the most vocal critics of the original FBI evidence, Marc Rogers from Cloudflare, "has changed his view" as a result of the new evidence which has emerged, though he remains sceptical.

The art of attribution

The FBI has a lot more evidence than it is revealing to the public, Rid says:

"Of course the FBI had far more evidence than they publicly revealed. Everyone who works in the field has to acknowledge they only gave us a glimpse at the evidence and they probably didn't provide the decisive evidence because it was classified."

Attribution in cyberattacks is inherently difficult and is as much an art as it is a science, according to Rid, while communicating how certain parties came to be blamed is a difficult balancing act.

Rid says the FBI was in a tricky situation and was faced with three options - they could have revealed nothing about the evidence, revealed everything, or something in-between. Rid believes that initially at least, the FBI "erred probably a bit too closely on the 'say nothing'".

Glimpses of information

Rid adds: "I would even say that the FBI probably could have done better in the initial communication, because they just give glimpses of information, just enough for people to ask questions but not answer them."

This may be the reason that we are now seeing more information trickle out to back up its initial assertion.

There are of course others who continue to claim that the attack was not carried out by North Korea, with anti-virus pioneer John McAfee among the most vocal in his claims. McAfee told IBTimes UK in January 2015 that he had been in contact with the hackers responsible and they were 100% not from North Korea.

Earlier this month, a report from security company Taia Global claimed that Russian hackers had breached the Sony Pictures network in November 2014, suggesting they were behind the Guardians of Peace, or they were inside the system at the same time as another group of hackers.