It’s fair to say there are plenty of security watchers who doubt that North Korea was responsible for historic November 2014 hack of Sony Pictures, mostly it seems because (a) whatever the US Government says is probably hiding something, and (b) it’s too obvious, too easy, too convenient.
It hasn’t helped that the US authorities have offered rather sketchy, circumstantial evidence to back up their certainty over North Korean involvement, which has in turn created a space for new and increasingly fringe claims to fill up the information vacuum.
The latest of these is by tiny DC beltway security consultancy Taia Global, which has released an analysis (From Russia with Love) based on a contact the firm's CEO had with a hacker called ‘Yama Tough’ who in turn claimed to know the Russian team that attacked Sony. To back up the claim, YT’s evidence included two apparently undisclosed Excel spreadsheets stolen from Sony, plus a clutch of other company emails and documents from various dates before and after the attacks were publicised.
The group that stole these documents had used spear phishing and an unknown remote access Trojan to burrow into Sony networks, an access they apparently had well into last month, said Taia.
How convincing is this? To borrow the smoking gun of cliché, this isn’t smoking because it isn’t a gun, more a pointed stick waved vaguely the right direction.
The files look genuine but there is no way of knowing where they came from. The group that so spectacularly breached Sony got its hands on a large number of files and it is impossible to say with any certainty where all of them ended up. The fact that attackers had access apparently long after November when Sony went public is interesting but not conclusive – the files are of a more trivial nature and could in principle have been taken from a small number of compromised machines (i.e laptops) outside the company’s network.
Taia infers from this mini-revelation that Sony is still breached (plausible), that the attacks were carried out by a Russian criminal group (possible but speculative) or that the attack it has evidence of was running in parallel to whatever North Korea (or another party) was up to (completely unsupported).
“The evidence gathered by Taia Global and presented in this report proves that one or more Russian hackers were in Sony Pictures Entertainment’s network at the time of the Sony breach and continue to have access to that network today,” the analysis concludes, optimistically.
Proof is a strong term for the fragmentary pieces of shrapnel Taia has assembled, the biggest hole being that it offers no motive. Why would Russian criminals set up an attack on Sony Pictures and then publicise it using a cover story that was going to hard for the defenders to prove? Why not just profit from what was a massive data theft? These were also, let’s remember, attacks that set out to be as destructive and vindictive as possible for no reason other than causing damage to Sony Pictures.
That’s the modus of ideologically-motivated attackers, whether state-backed or not, disinterested in the value of any stolen data. We are left having to swallow the notion that a shadowy Russian group hacked Sony for kicks, put the blame on someone else, then leaked barely enough data to throw that assumption into doubt.
This is the thing about security. It’s not how big you are that counts, it’s what you know. Security remains a fragmented industry full of small outfits that rank high on expertise, less so on PR budgets. That’s not an argument against Taia’s claims but the firm's latest evidence is more confusing than insightful.