Evidence linking North Korea to hacking still not proven

WASHINGTON -- The detective work blaming North Korea for the Sony hacker break-in appears so far to be largely circumstantial.

The conclusion of a Korean role is based on subtle clues in the hacking tools left behind and the involvement of at least one computer in Bolivia traced to other attacks blamed on the North Koreans.

Experts cautioned that hackers notoriously use disinformation to throw investigators off their tracks, using borrowed tools, tampering with logs and inserting false references to language or nationality.

The hackers are believed to have been inside the network at Sony Pictures Entertainment Inc. since at least the spring, based on computer forensic evidence and traffic analysis, a person with knowledge of the investigation said.

If the hackers hadn't made their presence known by making demands and destroying files, they probably would still be inside because there was no indication their presence was about to be detected, the person said. This person, who described the evidence as circumstantial, spoke only on condition of anonymity because he was not authorized to talk openly about the case.

Still, the evidence has been considered conclusive enough that a U.S. official said federal investigators have connected the Sony hacking to North Korea.

In public, White House spokesman Josh Earnest on Thursday declined to blame North Korea, saying he didn't want to get ahead of investigations by the Justice Department and the FBI. Earnest said evidence shows the hacking was carried out by a "sophisticated actor" with "malicious intent."

All this has led to a dilemma for the Obama administration: How and whether to respond?

An earlier formal statement by the White House National Security Council also did not name North Korea but noted "criminals and foreign countries regularly seek to gain access to government and private sector networks" and promised "we are considering a range of options in weighing a potential response. " The U.S. official who cited North Korea spoke on condition of anonymity because that official was not authorized to openly discuss an ongoing criminal case.

U.S. options against North Korea are limited. The U.S. already has a trade embargo in place, and there is no appetite for military action. Even if investigators could identify and prosecute the hackers believed to be responsible, there's no guarantee any one of them who is overseas would face trial in a U.S. courtroom. Hacking back at North Korean targets by U.S. government experts could escalate the cyberconflict by encouraging new attacks against vulnerable American targets.

"We don't sell them anything, we don't buy anything from them and we don't have diplomatic relations," said William Reinsch, a former senior U.S. Commerce Department official who was responsible for enforcing international sanctions against North Korea and other countries. "There aren't a lot of public options left."

Sony canceled the Dec. 25 release of its comedy "The Interview," which the hackers had demanded partly because it included a scene depicting the assassination of North Korea's leader. Sony cited the hackers' threats of violence at theaters that planned to show the movie, although the Homeland Security Department said there was no credible intelligence of active plots. The hackers had been releasing onto the Internet huge amounts of highly sensitive -- and embarrassing -- confidential files they stole from inside Sony's computer network.

North Korea has publicly denied it was involved, though it has described the hack as a "righteous deed."

The episode is sure to cost Sony many millions of dollars, though the eventual damage is anyone's guess. In addition to lost box-office revenue, the studio faces lawsuits by former employees angry over leaked Social Security numbers and other personal information.

And there could be damage beyond the one company.

Sony's decision to pull the film has raised concerns that capitulating to criminals will encourage more hacking.

"By effectively yielding to aggressive acts of cyberterrorism by North Korea, that decision sets a troubling precedent that will only empower and embolden bad actors to use cyber as an offensive weapon even more aggressively in the future," said Sen. John McCain, R-Ariz., who will soon become chairman of the Senate Armed Services Committee.

McCain said the Obama administration had failed to control the use of cyber weapons by foreign governments, and he called the Sony case "the latest in a long and troubling list of attempts by malign actors to use cyber to undermine our economic and national security interests."

Homeland Security Secretary Jeh Johnson said on MSNBC that the Obama administration wasn't ready to name the attacker but was "actively considering a range of options that we'll take in response to this attack."

Evidence pinning specific crimes on specific hackers is nearly always imprecise, and the Sony case is no exception.

Sony hired FireEye Inc.'s Mandiant forensics unit, which last year published a landmark report with evidence accusing a Chinese Army organization, Unit 61398, of hacking into more than 140 companies over the years. In the current investigation, security professionals examined blueprints for the hacking tools discovered in Sony's network, the Korean language setting and time zone, and then traced other computers around the world used to help coordinate the break-in, according to the person with knowledge about the investigation.

Those computers were located in Singapore and Thailand, but a third in Bolivia had previously been traced to other attacks blamed on North Korea, the person told the AP. The tools in the Sony case included components to break into the company's network and subsequently erase all fingerprints by rendering the hard drive useless.

"The Internet's a complicated place," said Adam Meyers, vice president of intelligence at CrowdStrike Inc., a security company that has investigated past attacks linked to North Korea. "We're talking about organizations that understand how to hide themselves, how to appear if they're coming from other places. To that end, they know that people are going to come looking for them. They throw things in the way to limit what you can do attribution on."

Another agreed. "If you have a thousand bad pieces of circumstantial evidence, that doesn't mean your case is strong," said Jeffrey Carr, chief executive of Taia Global Inc., which provides threat intelligence to companies and government agencies.

An FBI "flash" bulletin sent to some companies with details of the hacking software described it as "destructive malware, a disk wiper with network beacon capabilities." The FBI bulletin included instructions for companies to listen for telltale network traffic that would suggest they had been infected.

Other movie studios aren't taken chances. Warner Bros. executives earlier this week ordered a companywide password reset and sent a five-point security checklist to employees advising them to purge their computers of any unnecessary data, in an email seen by The Associated Press.

"Keep only what you need for business purposes," the message said.