The charges this week against North Korea for the devastating hack of Sony Pictures four years ago didn’t just finally illuminate what happened, it also revealed just how much the public's reaction has changed when the US government accuses another country of a cyberattack.
The Justice Department’s 179-page complaint, issued Thursday, carefully lays out the forensic analysis that led to the accusation that North Korean military intelligence was behind a series of high-profile hacks like those against Sony and the Bangladesh Bank, and the WannaCry ransomware worm that paralyzed tens of thousands of computers around the world.
But when Sony was hacked in 2014, and the FBI blamed North Korea only a month later, a number of supposed experts not only publicly doubted the FBI’s evidence — it provided very little — but insisted its conclusion was wrong.
“There was this narrative for a while that nobody knows you’re a dog on the internet, so how can anyone have any idea who someone could be?” said Ben Read, who at the time of the Sony hack worked at FireEye, the cybersecurity company that handled the Sony case and supported the FBI's conclusions. He's now FireEye's manager of espionage analysis, though he won't say if he was involved in the Sony case.
Others involved in investigating the Sony attack said such criticism never shook their confidence in the original attribution of the attack to North Korea.
“It was mildly annoying but we knew that the people making those assertions either had alternate motivations or did not know what they were talking about,” said a former intelligence official directly familiar with the Sony attack and who requested that they not be named to freely discuss a classified operation.
“I know people said [otherwise] but the US government never makes public attribution unless it is high confidence and supported by all agencies,” the former official said.
A number of purported experts publicly refuted the FBI’s claim at the time. Jeffrey Carr, who then ran a cybersecurity company called Taia Global and was widely cited by reporters, said that because then–FBI director James Comey referenced the hackers using a North Korean IP address, the FBI mistakenly jumped to the conclusion the government was responsible. “As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn't commit,” he wrote.
Another early critic of the FBI's conclusion was Kurt Stammberger, a senior vice president with cybersecurity firm Norse. He told CBS News then that his firm was “very confident that this was not an attack masterminded by North Korea." Instead, he said, the most likely suspects were "insiders" who "were key to the implementation of one of the most devastating attacks in history." Norse, which was not involved in analyzing the Sony hack, believed it had found a woman named Lena who was involved.
Marc Rogers, who then was the director of security operations for the hacker conference DEF CON and the principal security researcher for the security company Cloudflare, wrote an analysis for the Daily Beast at the time that also suggested an insider was responsible. “Occam’s razor suggests the simpler explanation of a pissed-off insider," he wrote. "Combine that with the details of several layoffs that Sony was planning and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all,” he wrote.
Carr, who didn’t immediately respond to questions from BuzzFeed News for this article, has since left the cybersecurity industry and works in cryptocurrency. Stammberger has also left cybersecurity, he told BuzzFeed News, and blamed the bad analysis on Norse, which later went out of business.
“I was acting as a spokesman for my company, rather than that being my personal opinion,” he told BuzzFeed News. “I don’t have anything relevant or current to add, because I haven’t really worked in this space in the past 18 months. And as you know, cyber moves very quickly. I just don’t have any data for you."
Rogers, now the vice president of cybersecurity for Okta, the login management company, told BuzzFeed News that while he speaks less to reporters these days than he did around the time of the Sony hack, he stands by his assessment and remains unconvinced that North Korea was definitely behind the attacks. He calls the evidence “circumstantial.”
“The thing I’ve said right at the start is attribution is hard. In fact, it’s probably one of hardest things in cybersecurity. All of the advantages lie with the attacker,” he said.
“Our democracy is based on the right to due process. And it’s based on ... a certain amount of evidence, otherwise the other party is presumed to be innocent. I don’t see why cybersecurity is presumed to be any different,” Rogers said.
But for analysts who work for cybersecurity companies that do publicly attribute and whose conclusions are often in line with the US government’s, it’s been frustrating to watch the idea take hold that their work is invalid — epitomized by President Trump's assertion that the hackers of the Democratic National Committee's computers "could be somebody sitting on their bed that weighs 400 pounds,” a remark he made after the US intelligence community had concluded that Russian agents were behind the hack.
“That was promulgated by a group of people who had no business even talking about it in the first place, the people who were like, 'Oh, attribution’s impossible,'” said Adam Meyers, vice president of Crowdstrike, the company that handled the DNC's incident response when it was hacked. “Attribution is definitely not impossible. It’s difficult, and you have to be measured in it, but the biggest challenge is people saying that wanted to get a picture of the person doing it on the computer.”
Since the Sony hack, the industry has gotten better, in part because “the charlatans have been wrong again and again. Some are completely out of business,” said John Hultquist, FireEye’s director of intelligence.
“I think there was some hesitation by experts to believe that (North Korea) would cross the Rubicon so to speak by hacking Sony,” said Jake Williams, a former National Security Agency officer who founded his own cybersecurity company, Rendition Infosec.
The situation is different now, he said. “We have better data in the industry now than we did then. There's more data sharing and less data hoarding. We are definitely seeing a more complete picture today.”
Meyers doubts, however, that that will prevent attribution claims from being challenged.
"Look at the Kennedy assassination," he said. "Almost 60 years later, people are still debating: Was it a single shooter? Was it the mafia? The Cubans? The Russians?"