Category Archives: North Korea

The Plot to Free North Korea With Smuggled Episodes of ‘Friends’


On a cloudy, moonless night somewhere in northeastern China, three men creep through a stand of Japanese Clethra trees. They carry no flashlights, and the sky is so dark that they hear the sound of the rushing Tumen River before they see it: They’ve arrived at the North Korean border. Earlier in the evening at […]

The post The Plot to Free North Korea With Smuggled Episodes of ‘Friends’ appeared first on WIRED.




The FBI, Sony and the Attribution Problem, Part 1: Why?

The recent attack on Sony has publicly paraded one of the predominant problems in incident response. While the immediate issue in incident response is of course the remediation of compromised systems and bringing these systems and IT services back online, it is entirely human to look for somewhere to cast blame. Let’s begin by fleshing out the “why” of attribution before engaging with the “how”.

Why Attribution?

For an affected entity, and for the security professionals working within it, attribution of the attacker(s) is only an ancillary concern. Certainly steps taken (or not taken) during the direct remediation of the breach are important and even essential to the later attribution effort, but priority of work must be on restoration of service. After service is restored, and the breach points corrected, the attribution process begins. Here are some reasons to perform attribution:

1. Attacker-Centered Defense: If the attacker can be identified, or at least have their tactics, techniques and procedures characterized, it may be possible to take steps to make their next intrusion more difficult and time consuming.

2. Legal/Governmental Retribution: Bringing criminal charges or taking other action against the attacker may deter future attackers, or may deter the current attackers if they are in a jurisdiction where criminal charges cannot be brought but are vulnerable to intergovernmental or other pressures.

3. “Hacking Back”: This is an operation pregnant with a host of legal and ethical concerns. It may appear advantageous in the midst of an attack to attack back, but the technical reasons for doing so need to be looked at carefully. There are two scenarios where hacking back could reduce the impact of an ongoing hacking attack. One of these is a DDoS attack, where hacking back into the command and control systems of the attributed botnet may be a viable method to stem the attack. In the second scenario, stolen data belonging to the attacked entity has been definitively located (through attribution efforts) on a server, and then the entity performs a hacking operation to delete that data before it can be copied or moved. Both of these operations are patently illegal in the U.S. due to the Computer Fraud and Abuse Act. Both also carry a low probability of success or advantage for the attacked entity. If a DDoS operation is disrupted, other botnets can be easily employed by the attacker at short notice, or they may regain control of the compromised botnet. The command and control servers may also belong to innocent bystanders who are unknowingly playing host to malware. Taking down the servers of a hospital or local government or foreign military could have extremely serious human and geopolitical downsides. In the second scenario, the attacked entity would have to be extremely proactive to get the toothpaste back into the tube. In fact, it is so difficult it may as well be regarded as functionally impossible, and there is little chance of getting all the data before it is further disseminated.

Looking at the limited reasons for attribution, and given especially the weakness of the third reason, it may be entirely reasonable for an attacked entity to decide not to pursue attribution. In the end, even having your attacker arrested will not undo the damage caused in the attack. The process of attribution is also not cost-free. Additionally, any major actions taken on the basis of the attribution performed may only result in more reputation damage for the entity as the original breach and security failure are further publicized.

Why Attribute the Sony Hack? 

Obviously an attack as devastating as Sony’s–which will probably involve hundreds of millions of dollars in damage to Sony Pictures Entertainment, in addition to a substantial erosion of their reputation and personal damage to many of their prominent employees–should be answered. To decide not to attribute the attackers would make their actions seem tacitly permitted, and probably contribute to further devastating attacks against other entities. This Public Order justification is the purview of the FBI, which has taken a lead role in the investigation of the attack. Sony, of course, probably wishes nothing more than for this incident to go away and may be leaning more towards active disinterest in attribution. It isn’t as if any future lawsuit will recover their lost capital, and their threats of legal action against those who published the more tabloid-friendly portions of their internal emails are at serious risk of the Streisand Effect.

Of course, SPE is not the only actor involved. There are cyber security companies and the U.S. Government at work here as well. Attribution is in the interests of cyber security companies for reputation and prestige reasons, as a proof of their aptitude and ability. On the government side, attribution can be a marker of aptitude as well; however, retribution is also a significant influence. In the global and domestic political arenas, strong attribution can aid in the pursuit of other interests. Attribution has been used by the U.S. Government previously to pressure the Chinese Government regarding their cyber espionage campaigns, and charges have been filed in the U.S. against a number of their operators. So it comes to this. The primary reasons for attribution are political, as support for past and future actions and as an instrument of geopolitical pressure. The actions supported by attribution may include legislative efforts, international sanctions, and even electronic and physical attacks.

In Part Two of this work, having established the interests of the actors involved in attribution, we will look at the “How” of the SPE hack attribution as far as it is known publicly.


US (Sort of) Points to “Smoking Gun” Linking North Korea to Sony Hack

Citing anonymous sources in and close to the US government, The New York Times reports that the fingering of North Korea as responsible for the attack on the network of Sony Pictures Entertainment was through evidence gathered by National Security Agency surveillance. This includes software taps into networks associated with North Korea’s network warfare and espionage unit, Bureau 121, among others. The actual evidence, however, will likely never see the light of day because of the highly classified nature of how it was obtained.

David Sanger and Martin Fackler of the Times report that the NSA started to ramp up efforts to penetrate North Korea’s networks in 2010 to monitor the growth of Bureau 121 and the rest of the country’s “computer network exploitation” capabilities:

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified NSA operation.

The NSA’s Tailored Access Office, according to the report, “drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers, and penetrated directly into the North with the help of South Korea and other American allies.” According to NSA documents released by Der Spiegel, some of South Korea’s initial assistance was not voluntary—the NSA secretly exploited South Korea’s existing hacks of North Korea to gain intelligence information. But despite the level of access they gained, according to an unnamed investigator into the Sony Pictures attack, the NSA and other US agencies “couldn’t really understand the severity” of the attack that would be launched against Sony when they began on November 24.

Read on Ars Technica

NSA Secretly Hijacked Existing Malware to Spy on N. Korea, Others

A new wave of documents from Edward Snowden’s cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations’ hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea’s networks—which initially leveraged South Korean “implants” on North Korean systems, but eventually consisted of the NSA’s own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out “Tailored Access Operations” on a variety of targets, while also building the capability to do permanent damage to adversaries’ information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the “Five Eyes” intelligence community, which was also included in the dump. The code appears to be from the Five Eyes joint program “Warriorpride,” a set of tools shared by the NSA, the United Kingdom’s GCHQ, the Australian Signals Directorate, Canada’s Communications Security Establishment, and New Zealand’s Government Communications Security Bureau.


Surprise! North Korea’s Official News Site Delivers Malware, Too

A security researcher examining the website of North Korea’s official news service, the Korean Central News Agency, has discovered that the site delivers more than just the latest photo spread of Democratic People’s Republic of Korea leader Kim Jong Un inspecting mushroom farms. There’s a little extra surprise hidden in the site’s code—malware. The news site appears to double as a way for North Korea to deliver a “watering hole” attack against individuals who want to keep tabs on the “activities” of the DPRK’s dear leader.

Ars has independently verified a reference within part of the site’s JavaScript code called from the home page to a download named “FlashPlayer10.zip.” The file, which is set as a JavaScript variable “FlashPlayer” on the site’s main page and on other site pages, contains two files labeled as Windows executable installers containing updates for the long-since obsolete Flash Player 10—one for an alleged ActiveX control, and the other for a browser plug-in. Both are identical files, and they contain a well-known Windows malware dropper, based on an analysis through the malware screening site Virustotal.


Heads Up, Dear Leader: Security Hole Found in North Korea’s Home-Grown OS

North Korea is a technological island in many ways. Almost all of the country’s “Internet” is run as a private network, with all connections to the greater global Internet through a collection of proxies. And the majority of the people of the Democratic People’s Republic of Korea who have access to that network rely on the country’s official operating system: a Linux variant called Red Star OS.

Red Star OS, first introduced in 2003, was originally derived from Red Hat Linux. In theory, it gave North Korea an improved level of security against outside attack—a Security Enhanced Linux operating system based on Red Hat that could enforce strict government access controls on the few who got to use it.

However, because Red Star has had so few people with access to it, one of the ironic side effects has been that security holes in the operating system may have gone undetected. And as a security researcher who tested the latest release of Red Star’s desktop version reported today, one flaw in the system would allow any user to elevate their privileges to those of the system’s root account and bypass all those security policies put in place by the North Korean regime.


Critics Say New Evidence Linking North Korea to the Sony Hack Is Still Flimsy


If the FBI’s revelations on Wednesday about the sloppiness of North Korea’s hackers were meant to silence critics who doubt the government’s attribution for what happened to Sony, they failed. Despite assertions from FBI Director James Comey that he has very high confidence in the attribution to North Korea and a statement by Director of […]

The post Critics Say New Evidence Linking North Korea to the Sony Hack Is Still Flimsy appeared first on WIRED.



FBI Director says Sony Hackers “Got Sloppy,” Exposed North Korea Connection [Updated]

In a speech at the International Conference on Cyber Security (ICCS) today in New York, FBI Director James Comey reiterated the bureau’s confidence that North Korea was involved in the cyber attack on Sony Pictures Entertainment. “There’s not much I have high confidence about,” Comey said, as reported by the FBI New York field office’s official Twitter feed. “I have very high confidence… on North Korea.” And he downplayed suggestions by outsiders that others might be responsible, saying that critics “don’t have the facts that I have, they don’t see what I see.”

In a separate speech today at the ICCS, Director of National Intelligence James Clapper said that the attack on Sony demonstrated a new type of threat posed by North Korea. During a meeting last year with a North Korean general to negotiate the release of two American prisoners in North Korea, Clapper said that the general told him the regime is “deadly serious” about perceived insults by the US to its “supreme leader” and that North Koreans feel that the US has put their country under siege.

While the Sony attackers had largely concealed their identity by using proxy servers, Comey said that on several occasions they “got sloppy” and connected directly, revealing their own IP address. It was those slip-ups, he said, that provided evidence linking North Korea to the attack on Sony’s network. Comey also said that analysts at the FBI found the patterns of writing and other identifying data from the attack matched previous attacks attributed to North Korea. Additionally, there was other evidence, Comey said, that he could not share publicly.


FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP Addresses


Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to the North Korean government.

The post FBI Director: Sony’s ‘Sloppy’ North Korean Hackers Revealed Their IP Addresses appeared first on WIRED.



South Korea Says North Korea Doubled Size of Its “Cyber Forces,” Can Nuke US

A report published by South Korea’s Defense Ministry on December 6 estimates that North Korea has further increased its focus on network and electronic warfare over the last year, doubling the size of its “cyber forces” to 6,000 soldiers. The report also warned that North Korea has made significant advances in its nuclear weapons technology and could now have the capability of threatening the mainland of the United States with a nuclear strike.

The report, the ministry’s 2014 Defense White Paper, is a biennial review of South Korea’s defense policy similar to the US Department of Defense’s Quadrennial Review, intended to define the government’s defense policy. Defense Ministry officials stated in the report that North Korea’s efforts in cyber-warfare and other “asymmetric” capabilities are part of an effort to cause “physical and psychological paralysis inside South Korea such as causing troubles for military operations and national infrastructures.”

The Defense Ministry report also claimed that North Korea had made advances in miniaturization of nuclear warheads, which would allow them to be mounted more readily on intercontinental ballistic missiles. “The ability to miniaturize nuclear weapons seems to be at an early but significant level and is estimated as having the ability to threaten the US mainland through a long-range missile,” a Defense Ministry spokesperson said in a summary of the report. The assessment is based on estimates of North Korea’s production of highly enriched uranium.

Read on Ars Technica

Sony Pictures hack gets uglier; North Korea won’t deny responsibility [Updated]

More evidence has emerged that makes the Sony Pictures hack look similar to a suspected attack on South Korean companies over a year ago. And a spokesperson for the North Korean government, rather than denying his country’s involvement, is playing coy as the damage to Sony appears to be growing daily.

When contacted by the BBC, a spokesperson for North Korea’s mission to the United Nations said, “The hostile forces are relating everything to [North Korea]. I kindly advise you to just wait and see.”

Sony Pictures’ computers were reportedly the victim of wiper malware which erased all the data on infected PCs and the servers they were connected to. As Ars reported yesterday, this is similar to the attack on two South Korean broadcasters and a bank that was launched in 2013. As security reporter Brian Krebs reports, the FBI sent out a “Flash Alert” to law enforcement warning of a cyber attacker using “wiper” malware this week—malicious software that erases the entire contents of the infected machine’s hard drives as well as the contents of the master boot record of the computer. The FBI shared a Snort intrusion detection signature for the malware file, and as Krebs noted, “the language pack referenced by the malicious files is Korean.”
