The FBI will hear evidence on Monday that six individuals, including one or more former employees, were behind the cyberattack on Sony Pictures.
The bureau has publicly blamed North Korea for sponsoring the attack, but security experts have since questioned the official story, arguing they cannot find a solid link between those suspected in the attack and the reclusive East Asian government.
The U.S. believes the hit was retaliation for Sony’s comedy, “The Interview,” which depicts the assassination of North Korean leader Kim Jong Un.
Cybersecurity firm Norse believes it has identified a narrow set of people across the U.S., Canada, Singapore and Thailand who launched the assault. The firm is presenting its findings to the FBI late Monday afternoon, said Kurt Stammberger, a Norse senior vice president, in an interview.
“The picture that the data trail is painting,” he said, “is very different from the claims of attribution that the FBI made.”
One of the individuals Norse identified is a 10-year Sony veteran who was laid off in May. Others have previously been harassed by Sony’s lawyers for pirating activities. There is no link of financial compensation or communication between the individuals and Pyongyang, Stammberger said.
The group had a “common cause, means, motives and methods to carry out the attack,” he said.
But that doesn’t discredit the FBI’s accusation, Stammberger cautioned.
“It’s entirely possible that the FBI or the administration has some key pieces of data that they have not shared with us,” he said. “But at the same time, their [intelligence] collection methods are not terribly different from ours or from those in the corporate community.”
The White House has vowed a proportional response against North Korea for the incident, which has escalated tensions between the two nations. Pyongyang has consistently denied involvement in the attack while praising the hackers’ actions.
Stammberger acknowledged that attribution in a cyberattack “is the single hardest part of intelligence, and it’s the last part that gets done.”
So it surprised him when the FBI moved on a public accusation with evidence most in the security community found uninspiring — particularly that the attack code was similar to prior North Korean cyber efforts.
Using that evidence, “you wouldn’t be able to … attribute the attack to anybody,” Stammberger said.
Security researchers were expecting some evidence of a transaction, such as a message or bank exchange, between the hackers and Pyongyang.
“It’s always something that’s hard to find, but it is routinely found,” Stammberger said.