Over the weekend, we got two new reasons to think North Korea was behind the Sony attack — one from security researchers and one from the attackers themselves. But even as the evidence piles up, it’s seeming more and more likely that the attackers will get away clean.
Whoever leaked the files was working out of Bangkok
First, there are reasons for thinking North Korea is to blame. On Sunday, Bloomberg reported that one of the core IP addresses involved in leaking the Sony files belongs to the private network of the St. Regis Hotel in Bangkok, Thailand. For practical reasons, it seems unlikely that anyone was running a VPN or a Tor node out of a hotel room, so it strongly suggests whoever leaked the files was operating out of the St. Regis. That's been taken as evidence that the attackers were aligned with North Korea, since the country's Korea Computer Center has branches in China, Syria, and the UAE and has a history of working out of hotels. The strongest competing theory is that the attack is the work of Anonymous-style activists with a grudge against Sony, but it would be a remarkably sophisticated tactic for such groups, which tend to rely on Tor and VPN services for anonymity.
Then, there's been the ongoing work of whoever was behind the attacks. On Friday, Sony Pictures employees received an unsettling mass email threatening their families if they did not publicly renounce the company. As with previous messages, there was no stated goal besides "removing Sony Pictures on Earth." The email addresses have been circulating over torrent sites, so it could have been a particularly foolhardy 4channer, but given similarities to previous messages, it seems unlikely — and if this is an Anonymous-style activist group, they're a lot more cryptic and a lot more bloodthirsty than anything we've seen before.
Whoever is behind the attacks has a specific grudge against Sony, and is more interested in revenge than making money or gathering information. After the public spat over The Interview — which came with specific warnings of retaliation — it’s hard to think of anyone but North Korea that fits the profile. The North Korean government has also issued a string of less-than-convincing denials, ranging from an early "wait and see" to a more recent statement in which a spokesman called the hack an "act of justice," denying official involvement but admitting that it may have been carried out by the country's supporters.
The news comes on top of previous evidence that the specific program that wiped Sony's computers was written in Korean. The attack also bears a striking resemblance to previous North Korean attacks, in both the specific details of the code and the previously unknown hacker group claiming responsibility. Bloomberg points to three previous attacks linked to North Korea that purported to be from previously unknown activist groups, one of which actually shares a server with the current attack.
That pileup of evidence has led many observers (including me) to conclude that North Korea is almost certainly behind the attacks — but not everyone is convinced. Digital attacks rarely leave a smoking gun, particularly when the target is as defenseless as Sony Pictures was, so it's unlikely that we'll get any evidence that's more definitive than what we already have.
Even with the abundance of circumstantial evidence, North Korea probably won’t face real repercussions from the attack. Last week, Sony seemed primed to accuse North Korea directly, only to back off at the last minute. North Korea has inched around the topic in its statements, offering less-definitive denials than anyone expected. The country is already a diplomatic pariah, so there's not much the State Department or the United Nations could do even if they wanted to retaliate. Naming the country directly would just be forcing an already awkward issue. Besides, there's no political upside in antagonizing a dictatorship. Better to leave it unsaid.
We've heard this line before after a mysterious digital attack. Stuxnet is generally assumed to be American, although it would be difficult to prove it in court. The surveillance malware that targeted The New York Times last year almost certainly came from the Chinese government, but the proof was circumstantial enough that it was hard to enforce any repercussions for the attack. There are others: GhostNet from China, Turla from Russia, The Mask from Spain. Each did real damage, but did so with enough deniability that no one knew exactly how to respond.
The breathtaking attack on Sony Pictures seems poised to join that pile. We know what happened, and we know where to look to find the people behind it, but we still don’t know quite enough. It's a frightening fact about digital attacks: for the most part, people still get away with them.