Cybereason Blog | Cybersecurity News and Analysis

The Sony Breach: Revealing Who's Behind the Attack is Impossible

Written by Lital Asher-Dotan | Jan 12, 2015 1:32:47 PM

In the latest FeedbackFriday, SecurityWeek featured Lior Div discussing the speculation about attributing the Sony breach to North Korea.

“When a company is attacked, it reduces the liability and blame of the attacked company if the public believes it is a nation state attack. This attack may have very well been done or aided by insiders, or other players, including North Koreans that are not nation state cyber attackers, but…certainly the legal and PR fallout for Sony will be less severe if it was believed the attack was state sponsored terrorism as opposed to a disgruntled insider.

From all that we’ve read so far, we haven’t seen significant hints for attribution to North Korea as a nation-state sponsored attack. The FBI stated that the attackers were negligent, leaving evidence that ties the attack to North Korea, but in my experience hackers with the capacity to exfiltrate the amount of data involved in the Sony attack are very far from being negligent. It is quite possible that any indicators pointing to North Korea were intentionally left or planted in order to mislead investigators.

So either the FBI knows things that were not shared with the media (possible) that clearly prove it was NK, or - somebody is leveraging it for his own political purposes. That includes the US government, Sony, the hackers…really, we may never know…”

In my latest webinar, 6 Reasons Why Hackers Are Ahead of the Game, with Yonatan Striem-Amit, CTO of Cybereason, we discussed deception and why it is an essential component of any cyber-attack. Deception is particularly common in APTs. For example, an attacker will intentionally deploy tools and techniques attributed to well-known hacking groups in order to evade detection and mislead the incident investigation team.

While the Sony hack proves how eager the public is to know who's behind the attack and the agenda leading to it, it is now clearer than ever that identifying the source of a breach is almost impossible.