Sony hack: Never underestimate the stupidity of criminals

Suspicions about who was behind the Sony attack have been all over the map. But knowing who might attack you does matter.

So who was really behind the Sony hack? And does it really matter?

We've certainly seen some amazing ups and downs in our efforts to answer the first question. Initially, everyone fixated on the previously unknown, Anonymous-like hacker group Guardians of Peace, which took credit for the hack. Then the media began speculating that the hack had something to do with the movie The Interview. Since the movie involved the assassination of North Korea's leader, Kim Jong Un, the suspicion arose that North Korea was the real culprit. There was a backlash against this suggestion, with many experts explaining why North Korea's involvement was unlikely. Ira was in this camp.

From there, things got really interesting. The hackers seemed to latch onto the media speculation, demanding that Sony not release The Interview, even threatening 9/11-style attacks against theater-goers. Theater owners panicked and refused to book the movie. Sony capitulated and canceled the Dec. 25 release. Then came another backlash, and in the name of patriotism, Sony put the movie out, mostly in smaller, independent theaters, as well as online.

Meanwhile, the U.S. government expressed confidence that North Korea was responsible for the attacks. The media reaction to that was to seek out computer security experts who would argue that the government was wrong.

Analysts at security consulting firm Norse, having performed independent research on some of the compromised data and looked at hacker message boards, came up with their own theory: that a former Sony employee provided information to former LulzSec members, thus enabling the attacks. Norse noted that the malware used in the attacks included insider credentials. It also contended that North Korea would not act so childishly and would not have deployed the same command-and-control structure it had used in the past.

To be clear, it is possible that a laid-off, disgruntled employee sought out parties to exact revenge. That in no way means that this was the actual source of the attack in question. Sony, like all large organizations, is actively being targeted by many parties for many reasons.

The people second-guessing the U.S. government accusations essentially argued that it was more likely that the attackers were just malicious, if clever, script kiddies, and not representatives of an unpredictable, vindictive and destructive nation-state. In doing so, they completely discounted the fact that the U.S. government has billions of dollars of surveillance technology, and that the National Security Agency over the past year has notoriously been accused of collecting and analyzing every bit of data in the universe.

After the new year, however, when President Obama announced sanctions against North Korea, the media generally got in line. It was clear that the U.S. government was confident enough in public and classified information to take action. We have also revised our early assessment, having recognized that the government wouldn't be so confident unless it had information that the rest of us aren't privy to. And Ira, having once worked at the NSA, can well believe that's true.

But what about that second question: Is it important to know and understand your attacker? Yes, it is.

Then the question to ask is: How likely is it that an insider was involved? As various people, including the Norse analysts, have noted, the malware used in the Sony attack did have administrator credentials hardcoded into it. But that doesn't prove insider involvement.

A reasonably competent attacker can obtain insider credentials in a matter of hours. A skilled attacker can do it in less than an hour. But even minimally skilled attackers can launch spearphishing attacks, obtain low-level access into an organization, and then troll the network for elevated privileges. So the fact the Sony hackers had administrator credentials says little about the identity of the hackers, especially given that there were widespread vulnerabilities throughout the network, according to the leaked documents.

On the other hand, the malware did use the command-and-control infrastructure previously used by North Korea, and the malware itself had been used in earlier North Korean attacks. With the so-called Dark Seoul attack, North Korea did previously use destructive malware against South Korean financial organizations.

To some people, all of this argues against North Korean involvement. They figure that state-sponsored hackers wouldn't be so careless as to leave so many tracks that could allow for easy attribution. Well, if there is anything that we have learned in our combined four decades of investigating computer-related crimes, it's that you should never underestimate the stupidity of criminals.

Even the most advanced hackers will make mistakes. Many criminals are arrogant enough not to take significant steps to cover their tracks. But even when that is not the case, mistakes will be made. For example, while Stuxnet was the most advanced malware at the time, the lack of a kill switch caused the malware to spread well beyond the intended targets, allowing for its identification and the exposure of intelligence methods.

Also, even when attackers have a variety of tools and infrastructures available to them, they tend to use the ones that have provided repeatable success. Why deviate too far from a successful pattern? And Sony's lack of strong security apparently gave the attackers little reason to change their tried-and-true methodologies.

When you examine attack attribution, the details don't always point to a specific pattern, as nice as that would be. You must frequently look to the attack infrastructure and other attack fundamentals. In this case, the high-level patterns do match North Korea, and this is not even considering any classified data that might be available.

But is it possible that the attackers purposefully mimicked North Korean strategies to throw off investigators? Yes, it's possible. Still, is that possibility more likely than the attackers actually being agents of North Korea? Not at all.

Knowing what we know now, we would have to say that North Korea used its traditional attack infrastructure. Its hackers used malware they were very familiar with. Although the supposed extortion demand doesn't quite fit that scenario, everything else seems to point to a North Korean attack. And it is very difficult to discount the evidence that the U.S. government has intelligence sources that more definitively tie North Korea to the Sony attack.

Sony can move forward on a fairly strong assumption that the guilty party was North Korea. Chances are, though, that if your organization is attacked, the circumstances won't merit the involvement of the FBI and federal intelligence agencies. That being the case, you need to come up with a rational analysis of your likely attacker on your own.

In almost all cases, criminals leave enough clues, in their targets and methods, to identify them; never underestimate their stupidity. When you examine what the criminals have targeted and the methods they used, you can potentially extrapolate other attack elements. You can also go to peers at other organizations, or look to law enforcement or Infragard for advice.

Ideally though, you will have a proactive threat intelligence program. You should identify the most likely attackers and take steps to address the vulnerabilities they are most likely to exploit.

With or without a threat intelligence program, you still need to ensure that basic security precautions are taken. Sony was vulnerable to just about any attacker. The malware used on Sony's systems could have been detected with adequate anti-malware software. The fact that terabytes of data could be downloaded, supposedly including full-length movies, which constitute Sony's most prized intellectual property, demonstrates that Sony inadequately monitored critical assets and network traffic. North Korea may have thousands of cyberwarriors who were available to target Sony, but in fact it deployed nothing that an appropriate security program couldn't have stopped.
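The monitoring gap described above, bulk outbound transfers that nobody notices, is the kind of thing a simple egress-volume check catches. The following is an added example, not code from the article or from Sony: it aggregates NetFlow-style records per internal host per day and flags hosts whose outbound volume jumps far above their own history. The record layout, host names, addresses and thresholds are all constructed assumptions.

```python
"""Egress-volume anomaly check over constructed flow records (added example).

Flags an internal host whose daily outbound bytes exceed both an absolute
floor and a multiple of that host's own median for the other days observed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flows: (day, internal_host, dest_ip, bytes_out).
# fileserver-03 normally pushes ~4-5 GB/day, then 2.1 TB leaves on the 23rd.
FLOWS = [
    ("2014-11-20", "fileserver-03", "203.0.113.10", 4_000_000_000),
    ("2014-11-21", "fileserver-03", "203.0.113.10", 5_000_000_000),
    ("2014-11-22", "fileserver-03", "203.0.113.10", 4_500_000_000),
    ("2014-11-23", "fileserver-03", "198.51.100.7", 1_200_000_000_000),
    ("2014-11-23", "fileserver-03", "198.51.100.7", 900_000_000_000),
    ("2014-11-20", "workstation-17", "203.0.113.20", 300_000_000),
    ("2014-11-21", "workstation-17", "203.0.113.20", 250_000_000),
    ("2014-11-22", "workstation-17", "203.0.113.20", 350_000_000),
]

ABS_FLOOR = 100_000_000_000   # 100 GB/day: never alert below this (assumed)
RATIO = 10                    # ...and require 10x the host's own median


def daily_egress(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def flag_egress_spikes(flows, abs_floor=ABS_FLOOR, ratio=RATIO):
    """Return {host: (day, bytes)} for the host-days that exceed both limits.
    A host with only one observed day is judged on the absolute floor alone."""
    by_host = defaultdict(dict)
    for (host, day), nbytes in daily_egress(flows).items():
        by_host[host][day] = nbytes
    alerts = {}
    for host, days in by_host.items():
        for day, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if nbytes >= abs_floor and nbytes >= ratio * baseline:
                alerts[host] = (day, nbytes)
    return alerts


if __name__ == "__main__":
    for host, (day, nbytes) in flag_egress_spikes(FLOWS).items():
        print(f"ALERT {host} {day}: {nbytes / 1e12:.2f} TB outbound")
```

Real deployments would read flow exports rather than an inline list and baseline over weeks, but the check itself is this small.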

Enterprise-size organizations like Sony must assume that they are being targeted by everyone from script kiddies to nation-states. While no security program will provide perfect security to such an organization, enterprise organizations do require robust security programs that account for the most likely and most basic attacks. It would require a series of articles to outline the composition of such a program, but it certainly would include anti-malware software that should have prevented the malware used in the attack against Sony. Similarly, you would not see leaked memos documenting blatant and purposefully unmitigated security vulnerabilities.

A threat/security intelligence program would tell you where to enhance resources to the more critical and advanced threats that you face. There should always be some prioritization, based upon a reasonable expectation as to the likely nature of the attacks that you will face.

If Sony had implemented the appropriate security countermeasures, it could have at least detected the presence of malware on its network and prevented the destruction of its systems. This would have also given it the opportunity to proactively search its network for other signs of compromises.

Yes, understanding the threat does matter.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site,
