Home / Blogs

Did the DPRK Hack Sony?

My Twitter feed has exploded with lots of theorizing about whether or not North Korea really hacked Sony. Most commentators are saying “no”, pointing to the rather flimsy public evidence. They may be right—but they may not be. Worse yet, we may never know the truth.

One thing is quite certain, though: the “leaks” to the press about the NSA having concluded it was North Korea were not unauthorized leaks; rather, they were an official statement released without a name attached. Too many major news organizations released their stories more or less simultaneously. To me, that sounds like an embargoed press release. (One is tempted to imagine multiple simultaneous brush passes from covert operatives to journalists, but I suspect that emails and/or phone calls from individuals known to the reporters are much more likely.)

Before going further, let me add a disclaimer: I have no idea if North Korea is actually involved. I also have no idea how the intelligence community actually did come to its conclusions. What follows is speculation, not fact.

Nick Weaver has given a good explanation of how the NSA could have made the determination, just based on SIGINT. However, it wasn’t necessarily done by SIGINT alone. Suppose, for example, that the CIA (or perhaps the South Koreans) had an agent in North Korea’s Unit 121. In an era when the head of foreign operations for Hezbollah was supposedly a double agent for the Mossad and the CIA had a mole in Cuban intelligence, one can’t rule out such scenarios.

There are many more possible ways to do attribution (I like this one), but most are based on sensitive sources and methods. Translation: they’re not going to tell us, and they’re right not to do so.

It’s also very possible that their attribution is simply wrong:

In the words of a former Justice Department official involved with critical infrastructure protection, “I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of an attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.”

People can jump to conclusions. Worse yet, in intelligence (and unlike the criminal justice system), you never get proof beyond a reasonable doubt, and that’s even if you’re being honest. If someone doesn’t like your answers and wants better ones—well, think Iraqi WMDs. Besides, there’s always the chance that the government is lying.

Let me sum up.

  • Drawing positive conclusions from the public evidence is incorrect. The NSA and the CIA may (or may not) have many other details they’ll never disclose. The much-ballyhooed language setting, for example, is completely useless. Externally observable behavior and behavioral or code similarities to other attacks can be more useful. (See Kim Zetter’s wonderful book on Stuxnet for a description of how some of the forensic analysis was done, e.g., don’t rely on compilation dates, but do look for when a file was uploaded to a virus company’s database.)
  • Similarities (and especially reuse) of code, infrastructure, and techniques to other attacks can be a very strong indicator. The FBI did cite exactly these aspects in their overt press release blaming North Korea.
  • There are many other information sources that intelligence agencies use. We don’t know what they are, and they won’t tell us.
  • They could still be wrong—but we probably won’t know why.

Bottom line: it’s plausible, but not publicly provable.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com