North Korea Hacked Sony? Don’t Believe It, Experts Say

Many computer-security experts are doubt the validity of the claim that North Korea is behind the Sony Pictures Entertainment hack, citing a lack of strong evidence and the possibility of alternate scenarios.

"There's no direct, hard evidence that implicates North Korea," Sean Sullivan, a security researcher at Finnish security firm F-Secure, told Tom's Guide. "There is evidence of extortion (the Nov. 21 email [to Sony executives which demanded money]) and the hackers only mentioned [the movie] The Interview after it was brought up in the press, which they then used to their advantage."

"Is North Korea responsible for the Sony breach?" wrote Jeffrey Carr, founder and CEO of Seattle cybersecurity consulting firm Taia Global. "I can't imagine a more unlikely scenario."

MORE: 12 Computer-Security Mistakes You're Probably Making

Rather than an international incident of "cyberwar," the Sony hack looks like an inside job, several skeptics say.

"My money is on a disgruntled (possibly ex) employee of Sony," Marc W. Rogers, a security researcher at San Francisco-based Web-traffic optimizer CloudFlare, wrote on his personal blog. "Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down."

For the most part, the doubters are undeterred by newspaper and television reports yesterday (Dec. 17) that a U.S. government agency, so far unnamed, would present its evidence for a North Korean connection today (Dec. 18). Kim Zetter, a longtime security reporter for Wired, posted a piece picking apart the Pyongyang hypothesis just before the leaks broke, yet continued to stand by her story.

"At risk of launching another Tweet storm, I'll point out that intel[ligence] sources also claimed Brazilian blackouts were caused by hacker extortion," Zetter tweeted yesterday, referring to a since-debunked allegation that was aired on CBS News' "60 Minutes" a few years ago.

Skeptics pointed out that the hackers seem very familiar both with Sony Pictures' internal network and with American news media — two things that would be unlikely in hackers operating from North Korea.

"To handle this sophisticated media/Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and Western culture," wrote the pseudonymous vulnerability broker The Grugq. "I can't see DPRK [the Democratic People's Republic of Korea] putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value."

Even the few tidbits of evidence pointing to North Korea — malware with Korean encoding, and a server in Bolivia, that had been previously used in North Korean attacks — don't convince seasoned cybersecurity experts.

"It just doesn't feel right," wrote independent British security blogger Graham Cluley. "Trying to determine the location of Internet hackers can be as hard as nailing jelly to the ceiling. It's not uncommon at all for attackers to use compromised computers in other countries as part of their attack to throw investigators off the scent."

"So far, the information that's come out has pointed the finger at North Korean proxy groups, but it's been context-based," political scientist Peter W. Singer, a senior fellow at the Washington, D.C.-based think-tank the New America Foundation, told the tech blog Motherboard yesterday. "It wouldn't meet the level needed in a court of law."

To Singer, it certainly doesn't warrant the dramatic reaction by Sony Pictures, which canceled the release of the James Franco / Seth Rogen caper The Interview yesterday after an online posting attributed to the hackers obliquely threatened attacks on theaters that showed the movie.

"The attackers wonderfully understand the American psyche," Singer added. "This was a hack, but call it 'cyber' and 'terrorism,' and we lose our [stuff]. There's no other way to put it."

Even the language used by the hackers seems to contain tongue-in-cheek references. The group's self-determined name, Guardians of Peace, may be both a dig at the Republican Party and a nod to the summer hit Guardians of the Galaxy.

Cinema owners were scared by the threat to "remember the 11th of September," but that sounds like an allusion to "remember, remember the fifth of November" from the 2006 movie V for Vendetta, which spawned the craze for Guy Fawkes masks among supporters of the hacktivist movement Anonymous.

Unless North Korean leader Kim Jong Un declares that his minions did, indeed, carry out the attack, we may never know exactly who did it. Until then, it's best to take all claims with a grain of salt.

"My advice to journalists, business executives, policymakers and the general public is to challenge everything that you hear or read about the attribution of cyberattacks," Carr wrote. "Demand to see the evidence .... Be aware that the FBI, Secret Service, NSA, CIA and DHS rarely agree with each other, that commercial cybersecurity companies are in the business of competing with each other and that 'cyber intelligence' is frequently the world's biggest oxymoron."

• Scariest Security Threats Headed Your Way: Special Report

• Sony Pictures Hack: How to Avoid Identity Theft

• iOS 8 Security Tips to Keep Your Data Safe

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Copyright 2014 Toms Guides , a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.