STUCK

12.30.14 10:55 AM ET

FBI Won’t Stop Blaming North Korea for Sony Hack -- Despite New Evidence

The Bureau keeps publicly condemning Pyongyang for the Sony hack. But privately, it is listening to other theories, including those about an inside job.

In spite of mounting evidence that the North Korean regime may not have been wholly responsible for a brazen cyberassault against Sony—and possibly wasn’t involved at all—the FBI is doubling down on its theory that the Hermit Kingdom solely bears the blame.

“We think it’s them,” referring to the North Koreans, an FBI spokesperson told The Daily Beast when asked to respond to reports from private investigators that other culprits were responsible. The latest evidence, from the cyberanalysis firm the Norse Corp., suggests that a group of six individuals, including at least one disgruntled ex-Sony employee, is behind the assault, which has humiliated Sony executives, led to threats of terrorist attacks over the release of a satirical film, and prompted an official response from the White House.

The FBI said in a separate statement to journalists on Monday that “there is no credible information to indicate that any other individual is responsible for this cyberincident.” When asked whether that left open the possibility that other individuals may have assisted North Korea or were involved in the assault on Sony, but not ultimately responsible for the damage that was done, the FBI spokesperson replied, “We’re not making the distinction that you’re making about the responsible party and others being involved.”

But even though the FBI is publicly adamant that the regime of Kim Jong Un is behind the cyberattack, FBI agents met Monday with analysts from Norse, who’ve spent the past few weeks investigating alternative theories, suggesting that the bureau is quietly entertaining other theories in the case.
FBI officials from the bureau’s Los Angeles field office met in Norse’s offices in St. Louis on Monday and listened to the analysts’ argument that the Sony attack was partly an inside job, and that no signs pointed to North Korean involvement, Kurt Stammberger, a senior vice president at Norse, told The Daily Beast. (Other FBI officials joined the discussion via conference call, he said.)

“They basically said thanks a lot and shook our hands and took off,” Stammberger said. “It sounds like from the PR [public relations] perspective they are sticking to their guns.”


That said, the FBI apparently wasn’t shutting down the inside-job theory, either. “I have not gotten the impression that they have their minds made up or they are not open to new information,” Stammberger said. “If they weren’t, they wouldn’t take a meeting with us.” Other investigators also have concluded that ex-Sony employees may have been involved in the attack because the intruders knew the names of particular computers on Sony’s internal networks.

Stammberger said that the FBI officials politely heard Norse out, but that they gave no indication whether the company’s analysis had changed the bureau’s opinion—at least its public one.

But the FBI didn’t attempt to refute the company’s theory of the case, Stammberger said, nor did they offer any additional evidence of North Korea’s culpability than what the government has made public since President Obama blamed the regime for the attack in a news conference on Dec. 19.

“It’s possible that they have some crazy smoking gun that they haven’t shared with the community,” Stammberger said. He added that Norse has good relations with the FBI and has consulted with them on other crime cases.

Even before the FBI and Obama pointed the finger at North Korea, a parade of security experts had been raising doubts about the administration’s official position that North Korea, and only North Korea, was behind the cyberattack. They’ve pointed out that the public evidence is largely circumstantial and not enough to conclude that North Korea is the only bad actor.

The FBI said in a statement that technicians had linked the malicious computer code used in the attack to others “that the FBI knows North Korean actors previously developed,” and through specific Internet addresses. And the FBI also found “similarities to a cyberattack” North Korea is believed to have launched in March against South Korean media companies and banks. But experts note that this could also indicate that some other group was behind the Sony hack and wanted to pin it on North Korea as cover.

That may be, but experts say that “similarities” to other attacks is hardly a slam dunk. The Sony attackers also used well-known proxy Internet addresses that are commonly used by cybercriminals to cover their tracks and mask their real locations. Any number of malicious actors could have used those addresses. And leaked Sony human-resources documents, including information about a series of layoffs in 2014, have led investigators at Norse to track the online activities of an ex-Sony employee on an “underground forum where individuals in the U.S., Europe, and Asia may have communicated prior to the attack,” the company said in a blog post. The company believes that the former employee—or employees—“may have joined forces with pro-piracy hacktivists” who have a longstanding grievance with the company about its aggressive stance against online piracy. 

That the FBI was so emphatic in its public conclusions, and that Obama was allowed to go on national television and blame North Korea, was taken by many observers as a sure sign that the government must have some additional evidence that it wasn’t sharing with the public. If not, why would the administration risk public humiliation by making unsubstantiated claims, particularly when Obama promised to retaliate for the assault on Sony? Twice since Obama’s public remarks, North Korea has inexplicably lost all access to the Internet, raising questions about whether the United States launched a counteroffensive, and whether it would be legal.

On Monday, an anonymous official told Reuters that government investigators now think North Korea may have “contracted out” the Sony hack to other individuals. But Stammberger said that his company’s analysis doesn’t support that theory, either.

“The data that we have doesn’t show that,” he said, adding that there was no indication that North Korea had “put the word out, masterminded it, contracted for it.” Stammberger said that the analytic capabilities and the sources that Norse and other private intelligence companies have are similar to the government’s, so if there is some piece of evidence that puts the blame squarely on North Korea, it’s coming from a source that only the government can see.

Stammberger said that Norse’s analysis is now pointing toward an attack against Sony by disgruntled employees that was conducted in stages and over the course of several months, beginning as early as July, and that North Korea opportunistically praised the attack only after it was discovered.