Alex Constantine - January 13, 2015
January 6, 2015
WASHINGTON -- A Silicon Valley cybersecurity firm is doubling down on its claim that at least one former Sony employee was involved in hacking Sony. Some former employees of the company are expressing that sentiment as well, even as the U.S. government stands by its conclusion that North Korea orchestrated the massive cyberattack.
Kurt Stammberger, senior vice president at Norse, which provides cyber intelligence to customers in financial services, technology and government, told The Huffington Post that the company remains "pretty confident" that "at least one ex-employee was involved, probably more" in the Sony hack.
As evidence, Stammberger said that Norse has samples of malware used in the Sony hack that existed as early as July, "completely in English with no Korean whatsoever." Sony credentials, server addresses and digital certificates were already built into the malware, he added.
"It's virtually impossible to get that information unless you are an insider, were an insider, or have been working with an insider," he said. "That's why we and so many other security professionals are convinced an insider played an important role."
The information doesn't discount the fact that North Korea "definitely benefitted from this hack," Stammberger said. However, he added, "There's no credible evidence that [North Korea] initiated, directed, masterminded or funded this attack."
Norse's research underscores the mysteriousness surrounding the hack -- an event that rattled that studio, almost derailed a movie's release and sharpened U.S. policy against one of its main adversaries.
Last month, the FBI announced that North Korea was solely responsible for the cyberattack. President Barack Obama was confident enough in the attribution last week to slap North Korean officials and companies with economic sanctions. Senior administration officials said on a recent conference call with reporters that cybersecurity firms "don't have the same access" to intelligence that the government does, and quelled concerns by noting that it is "extremely rare for the U.S. government to take this step" of implementing sanctions in response to a cyberattack.
Debate over the identity of the attack's perpetrators has split the cybersecurity community, with some experts remaining doubtful about the scant information the FBI has released. The skepticism reached a fever pitch when the FBI briefly met with Norse late last month to discuss the firm's findings. Following that meeting, a U.S. official familiar with the matter told Politico that the company’s analysis “did not improve the knowledge of the investigation.” A source who had been briefed on the FBI’s investigation also told Politico that the agency had considered the inside job theory, but there wasn't sufficient evidence.
Other cybersecurity researchers have questioned Norse as well. Andrew Komarov, the CEO of IntelCrawler, a cyber threat intelligence company, said, "This attack can be done absolutely remotely, and we don't think any insiders played [a] role in it."
Marc Rogers, head of security at Defcon, a hacker conference, took a slightly different view. "I have the same problems with Norse's claims that I do with the FBI's. Their evidence is extremely thin," he told HuffPost. Rogers pointed out that another scenario that meets all of Norse's evidence could be an attacker who breaks in and spends time exploring the Sony network, using the company's own computers to compile the malware.
"I agree with them that an insider is the likely scenario given the amount of Sony-specific information used in carrying out the attack and the complexity of the attack, but there isn't enough information to conclusively say who did it," he said.
Like Norse claims, some former employees of the company think that there may have been inside help -- potentially, as Norse has speculated, a disgruntled employee who was hit by mass Sony layoffs last spring.
A former Sony executive, who wished to remain anonymous to protect his relationship with the company, told HuffPost that about 100 former employees in a private Facebook group participated in an informal survey about the hack in December. "By a vast majority, former employees believe it was an inside job," he said.
The Sony executive, who does not have internal knowledge of the company or FBI's investigations into the hack, said that it's "possible that a former employee was involved," but said he believed "this wasn't a one-person job." He added, "Whether it was North Korea, or a hacker group, or an individual from Sony Pictures, these are not mutually exclusive."
Another former Sony employee, who wished to stay anonymous because he doesn't want to compromise his planned participation in a class-action lawsuit over the leaked information, said, "If you were a full-time employee, the security they had in place wasn't exactly tight. You could imagine somebody could have walked out of there with data."
The former employee, who also does not have any direct knowledge of investigations into the hack, added that in his division, "there's dozens of people who are very, very pissed off at the company. ... That somebody could have been pissed enough to do this? Yeah, absolutely, I think it's possible."
Both Sony and the FBI declined to comment about the status of any investigation into the hack. The FBI referred HuffPost to previous statements it has made on the hack.
Stammberger, the Norse executive, could not comment on whether the company plans to have any further meetings with the FBI regarding Sony. The firm has turned all of its data over to the FBI, and the investigation is now with them.
"Norse in its everyday business operations routinely meets with state and federal law enforcement officials, because of the type of work that it does, and there's no reason to believe those meetings won't continue in the future," he said.