President Obama, after announcing that North Korea hacked Sony — according to the FBI — has followed with an attempt to calm the war rhetoric. He declared last Sunday on CNN that in his opinion it wasn’t an act of war, but an act of “cybervandalism” and promises a “proportional” response. But you don’t have to look far to find a lot of skepticism about North Korea’s role in the attack from a lot of cybersecurity experts.

These experts have picked apart the FBI’s evidence, which was described in a public memo followed by a much more detailed alert circulated to corporation security departments, and found it lacking. Here’s a sampling:

Marc W. Rogers, whose anti-hacking credentials are impeccable (he helps screen papers for presentation at DEF CON, the leading hacker conference), says the FBI blamed North Korea in part because the software used in this Sony hack is similar to the software purportedly used by North Korea in two previous major hacks. However, those attacks were not definitively proved to be by North Korea. After a lengthy and very technical description of the differences and similarities, Rogers writes,

Lastly, it’s pretty weak in my books to claim that the newest piece of malware is the act of a nation state because other possible related pieces of malware were *rumored* to be the work of a nation state. Until someone comes up with solid evidence actually attributing one of these pieces of malware to North Korea I consider this evidence to be, at best, speculation.

In another article, Rogers lists 10 Reasons Why the FBI Is Wrong. Among them,

• The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect, in other words it reads to me like an English speaker pretending to be bad at writing English.
• The fact that the code was written on a PC with Korean locale and language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden.
• Whoever is doing this is VERY net and social media savvy. That, and the sophistication of the operation, do not match with the profile of DPRK up until now.

Rogers’ opinion is that the hack may be an “inside job” by a disgruntled (possibly ex) employee of Sony.

Here is an additional opinion from Kurt Stammberger, a senior vice president with cybersecurity firm Norse via CBS, who says his company has data that doubts some of the FBI’s findings.

We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history. Norse data is pointing towards a woman who calls herself “Lena” and claims to be connected with the so-called “Guardians of Peace” hacking group. Norse believes it’s identified this woman as someone who worked at Sony in Los Angeles for ten years until leaving the company this past May. This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised.

Graham Cluley is skeptical, too. (Graham Cluley is an independent computer security analyst who used to work for security software developer Sophos. Until last year he was also the head of corporate communications, and the editor and main writer of Sophos’s award-winning Naked Security site, which typically receives 1.5 million pageviews each month.)

Attributing internet attacks to a particular country is extremely difficult, as it’s so easy for hackers to cover their tracks or point investigators in the wrong direction. It’s not uncommon at all for attackers to use compromised computers in other countries as part of their attack to throw investigators off the scent, and allegations of where hackers might be based is often founded on the flimsiest of “evidence.”

Cluley lists a few reasons to be skeptical, especially of retaliation for The Interview movie as a motive.

• The hackers initially emailed Sony executives days before the “skull attack,” and demanded money. No mention of “The Interview,” no mention of North Korea.
• The hackers then plastered grisly skull images over Sony computers, and threatened to release the company’s data unless their demands were met. No mention of “The Interview,” no mention of North Korea.
• What proof do the US authorities have that North Korea is behind the attack?
• How do the US authorities explain the malware and the demands not making a reference to the movie or North Korea?

The anti-hacker community hasn’t ruled out North Korea. Many also acknowledge that it is possible the FBI has stronger evidence against North Korea than it has made public. And keep in mind that disdain for the FBI — and for the government in general — runs deep in the anti-hacker community.

We should take very seriously these experts’ warnings that it may be premature to declare the case closed and the culprit identified, if for no other reason than if it was not North Korea behind the hack, the hacker(s) are still running loose and capable of much more serious damage.

Photo by Joseph L. Ridgway II, licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license.