Did North Koreans Even Hack Sony In The First Place?

Maybe not. At the very least, they probably didn’t do it alone:

According to an anonymous government source, Reuters report​s, the FBI is now considering the possibility that North Korea contracted the job out to foreign hackers. The source told Reuters that North Korea “lacks the ability” to pull off such an extensive cyber attack. Norse, Inc., a cybersecurity firm based in California, claims to have un​covered evidence that links the hack not to North Korea, but to an ex-employee laid off this year among thous​ands of other Sony workers.

Sam Biddle talks to Kurt Stammberger, the Norse exec whose team identified the “Guardians of Peace” hackers as including several ex-Sony employees:

Stammberger and his team shared their raw data with the FBI yesterday, and agreed to not show his evidence elsewhere, so the theory as he described it to me is still sketchy. But it hinges on an ex-Sony employee that Stammberger calls “Lena.”


“Lena” was an employee of ten years at Sony in Los Angeles, working in a “key technical” position at the company, and axed during the company’s brutal layoffs this past May. Even if she’d departed the company months before the attack, she would have remained “very well placed to know which servers to target,” and “where all the sensitive information in Sony was stored.” … What drew this group together, Stammberger says, is a mutual hatred of Sony: “These were individuals that were connected with torrenting Sony movies and content online, were targeted by legal and law enforcement arms, and were irritated that basically they were caught.”

The experts at Norse aren’t the first to question the FBI’s assertion that Pyongyang did the hacking:

Brian Martin of Risk Based Security, for example, told Motherboard that the malware used in the attack communicating with North Korean IP addresses likely indicates nothing more than the hackers cleverly routing their attack through North Korean proxies. Marc W. Rogers, principal security researcher for CloudFlare, told us that the malware used in the attack—which the FBI claims is similar to previous attacks that have been linked to North Korea—was likely shared among many hackers and built using code from previous malware.

And security expert Bruce Schneier has called the evidence “circumstantial at best”. But the FBI is sticking to its story for the time being. Meanwhile, the hackers are now threatening an unnamed American news organization:

Referring to Sony only as “USPER1”and the news organization as “USPER2,” the Joint Intelligence Bulletin, dated Dec. 24 and marked For Official Use Only, states that its purpose is “to provide information on the late-November 2014 cyber intrusion targeting USPER1 and related threats concerning the planned release of the movie, ‘The Interview.’ Additionally, these threats have extended to USPER2 —a news media organization—and may extend to other such organizations in the near future.”

The bulletin doesn’t identify “USPER2”, but Matthew Keys ventures a guess:

The Desk is identifying the news organization as CNN based on copies of messages posted to Pastebin on December 20. The messages have since been removed from Pastebin. In one message, the group mockingly praised CNN for its “investigation” into the attack on Sony’s computer network and offered a “gift” in the form of a YouTube video titled “You are an idiot.” The message closed with a demand that CNN “give us the Wolf,” a likely reference to CNN news anchor Wolf Blitzer.