
Some experts question evidence North Korea is behind the Sony hack – Part 2


  • GWEN IFILL:

    So, when President Obama laid blame for the Sony hack squarely at North Korea’s door, some cyber-security experts were skeptical, and remain so.

    The debate continues in journals, blogs and here tonight, with two experts from cyber-security companies who have tracked breaches around the world. Marc Rogers is principal security researcher at CloudFlare, and joining us again, Dmitri Alperovitch, co-founder and chief technology officer at CrowdStrike.

    Dmitri Alperovitch, you came on the program last week and you made the case that the president was correct and that the FBI was correct and this was definitely, definitely North Korea. Why so certain? Remind people, why are we so certain of that?

  • DMITRI ALPEROVITCH, CrowdStrike:

    Well, I can’t speak for the FBI or U.S. government, who are very certain on this, but I can speak for CrowdStrike, who has done independent analysis of this attack.

    And we have tracked it back to a group that has been active since 2006, primarily against South Korea: military networks in South Korea, U.S. Forces Korea, the U.S. military installations. They are looking for specific information related to military planning, exercises on the peninsula, things that would be of natural concern and importance to North Korea.

    We have also seen them engage in destructive attacks just like the Sony attacks, including the use of some of the same infrastructure. Some of the I.P. addresses that were used in the attack on Sony were also used in some of the past attacks. And parts of the malware, the malicious code that was used at Sony, has been shared across some of the previous attacks.

    So we have seen them attack South Korea destructively in 2009, 2011, 2013, so we have a tremendous amount of visibility into this group.

  • GWEN IFILL:

    Marc Rogers, that sounds pretty persuasive. What’s your problem with that?

  • MARC ROGERS, CloudFlare:

    The biggest problem with this is, a lot of this information is based on evidence that isn’t accessible to a lot of folks.

    So if you look at the evidence that the FBI passed out in its notice, on its own, it’s largely speculative and it’s not backed up by any really solid evidence. There are hints, however, that there may be things like signals intelligence and other information that they can’t disclose for national security purposes.

    Unfortunately, without being able to access that information, there’s no way for other security experts to really validate that. My colleague Dmitri from CrowdStrike has access to channels a lot of other folks don’t have, so, to me, it’s certainly interesting to hear the stuff that he’s talking about.

    But until I see some tangible stuff myself, things more than just correlations between certain pieces of malware, I’m going to remain skeptical.

  • GWEN IFILL:

    Let’s break it down a little bit, Dmitri Alperovitch.

    Let’s talk just about the I.P. address issue, in which the American government is making the case that we’re familiar with these I.P. addresses, that they have been used in other hacks. Is that part of the evidence you’re talking about?

  • DMITRI ALPEROVITCH:

    Well, what they’re actually saying is something a little bit different.

    There were certainly I.P. addresses that were used in the attack directly on Sony. But what the FBI has said is that they have observed, presumably through signals intelligence, that those machines were actually contacting North Korean infrastructure on the back end.

    So, it wasn’t the North Koreans reaching out directly into Sony. They were going through proxies, but they, through their intelligence, were able to observe the connections between those proxies and the North Korean infrastructure that was used in past attacks.

  • GWEN IFILL:

    Now, proxies, that is different from saying that North Korea itself is involved in these hacks. It’s saying somebody else was doing it on their behalf?

  • DMITRI ALPEROVITCH:

    By proxies, I mean the machines themselves, not necessarily the people. And this is how these attacks typically occur. You don’t attack directly from a country. You go through servers in Germany or servers in Thailand, so that you can obfuscate the attribution.

  • GWEN IFILL:

    How about that, Marc Rogers? Does that sound reasonable to you, that maybe it’s not the North Korean government as a state actor, but the North Korean government going through proxies?

  • MARC ROGERS:

    It’s certainly plausible.

    And I have said all along you can’t rule out North Korea as being behind this, but what we need is evidence that really ties them to it. The proxies that Dmitri mentioned are fairly well known. If you look up the I.P. addresses using I.P. reputation services online, you will see that they have been involved in massive online spamming campaigns and in other malware campaigns.

    They’re being used by other cyber-criminals, so it’s no surprise to see that someone else is using those, potentially even the North Koreans. But, again, it means it’s not so conclusive to me. To say that there are bad guys in that neighborhood doesn’t tell me who the bad guys are.

  • GWEN IFILL:

    But is this something that you would know? As you suggested, maybe the federal government, the FBI has access to information that backs this up that you wouldn’t have?

  • MARC ROGERS:

    That’s entirely possible, but it’s very difficult to be swayed by an argument where somebody says, we have absolute proof because we have signals intelligence that tells us this is it, but we can’t tell you about it.

    When it comes to laying blame at a foreign government, we have to be pretty careful. I’m no fan of the North Korean regime. And, to be honest, if they are responsible, I hope this gets hung around their neck. But I think we have to make sure that we have absolute solid evidence. And I believe the evidence should be dealt with in as transparent a way as possible.

    And, obviously, you don’t want the NSA to destroy any leaks or sources that they use. But, at the same time, we would give a certain amount of evidence before convicting a person of a crime. Why doesn’t a country deserve the same level of evidence?

  • GWEN IFILL:

    Dmitri?

  • DMITRI ALPEROVITCH:

    If I can add, one of the pieces of evidence we can’t ignore here is the statements from North Korea themselves.

    They came out in the summer, long before the movie was released, saying that the release of this movie would be an act of war.

    I think we should take them at their word. And in the past, when they have made such inflammatory statements, they have often followed up. They have sunk South Korean ships. They have massacred American servicemen back in the ’70s on the DMZ with axes. They do pretty outrageous things.

    And one of the things that is really interesting here is, when they hacked into Sony and they released a bunch of information, stolen e-mails, they also released pre-released movies like “Annie” and “Fury.” The one movie they didn’t release was “The Interview.”

  • GWEN IFILL:

    Well, but here’s an interesting point that Marc Rogers just made, which is that, if you’re going to make such a serious allegation, if you’re going to lay that kind of allegation right at the door of an enemy government, of a hostile government, shouldn’t there be more revealed about why we know that?

  • DMITRI ALPEROVITCH:

    Well, I think they revealed some things. And certainly security companies like ours have revealed other information.

    My guess is that they’re biding their time, that there can come a point where they will reveal more. They don’t feel like they need to at the moment.

  • GWEN IFILL:

    Marc Rogers, I want to ask you a little bit about another point that Dmitri Alperovitch just made, which is that some of these movies were released online and some weren’t, and the threats were made. Is it possible that the knowledge that was on display here was actually something that came internally from someone within Sony?

  • MARC ROGERS:

    Again, you can’t rule that out either.

    If you look at the way the malware was distributed throughout the network, how many machines it took down, how they were able to set up the edge of Sony’s network to distribute Sony’s own private data later on, when they turned some of their edge servers into BitTorrent servers, a P2P file-sharing system, that required a certain level of access.

    Now, that access could have come from attackers who had been sitting in that network for many, many months. But that access could also just as easily, perhaps even more easily, have come from somebody inside it.

    And when Dmitri says that the one film that didn’t get released was this one, we don’t know that. We don’t know how many films Sony is working on. So we don’t actually know how many films didn’t get released. And, also, with respect to the messages that North Korea makes, having spent four and a bit years living in South Korea myself, I’ll tell you, North Korea makes these kinds of threats all the time.

    They’re telling us constantly that they’re going to obliterate us. If you do this, we will obliterate you. I think the number of their threats that have actually come true is actually quite the lower percentage, rather than the higher percentage.

    And that’s not to dismiss some of the atrocities that they have committed, which are absolutely terrible.

  • GWEN IFILL:

    Well, since we’re talking about threats, we now see that this film is going to be in limited release probably later this week.

    Do we — if I were running the independent theater in Austin, Texas, that’s going to begin showing this film at midnight on Christmas Day, should I be afraid? Are they taking a risk at this point?

  • DMITRI ALPEROVITCH:

    Well, Gwen, you can be absolutely certain that the companies that are involved in the distribution of this movie are taking this threat very seriously and working with companies like CrowdStrike to make sure that they’re doing threat assessments in advance, because a second wave of attack may very well come and they need to be prepared.

  • GWEN IFILL:

    What do you think about that, Marc Rogers?

  • MARC ROGERS:

    I think it’s highly unlikely that a cinema in Texas is going to face much threat from a regime or from a group of hackers.

    Yes, there is some stuff that these guys could do, but I think it’s unlikely. It’s not something that’s been seen before. And when those threats start saying that they’re going to create 9/11 within a cinema, my skepticism rating goes all the way through the roof.

  • GWEN IFILL:

    OK.

  • DMITRI ALPEROVITCH:

    And I actually agree with Marc on the physical threat. I don’t think that’s realistic. But on a cyber perspective, I think it’s quite real.

  • GWEN IFILL:

    OK.

    Marc Rogers of CloudFlare and Dmitri Alperovitch of CrowdStrike, thank you both very much.

  • DMITRI ALPEROVITCH:

    Thank you.

  • MARC ROGERS:

    Thank you very much.
