AP source: US probe links NKorea to Sony hacking
By ERIC TUCKER and TED BRIDIS, Associated Press
Dec 17, 2014 9:28 PM CST
This photo provided by Columbia Pictures - Sony shows, Seth Rogen, center, as Aaron, and James Franco, as Dave, arriving in North Korea to a welcoming crowd in a scene from Columbia Pictures' "The Interview." (AP Photo/Columbia Pictures - Sony, Ed Araquel)   (Associated Press)

WASHINGTON (AP) — Federal investigators have now connected the hacking of Sony Pictures Entertainment Inc. to North Korea, a U.S. official said Wednesday, though it remained unclear how the federal government would respond to a break-in that exposed sensitive documents and ultimately led to terrorist threats against moviegoers.

The official, who said a more formal statement could come in the near future, spoke on condition of anonymity because the official was not authorized to openly discuss an ongoing criminal case.

Until Wednesday, the Obama administration had been saying it was not immediately clear who might have been responsible for the computer break-in, with FBI Director James Comey last week saying there was still more work to be done. North Korea has publicly denied it was involved.

The unidentified hackers had demanded that Sony cancel its release of the movie "The Interview," a comedy starring Seth Rogen and James Franco that included a gruesome scene depicting the assassination of North Korea's leader. Sony on Wednesday canceled the Dec. 25 release, citing the threats of violence at movie theaters showing the movie, and the studio later said there were no further plans to release the film.

The disclosure about North Korea's involvement came just after Sony hired FireEye Inc.'s Mandiant forensics unit, which last year published a landmark report with evidence accusing a Chinese Army organization, Unit 61398, of hacking into more than 140 companies over the years.

Tracing the origins of hacker break-ins and identities of those responsible is exceedingly difficult and often involves surmise and circumstantial evidence, but Mandiant's work on its highly regarded China investigation provides some clues to its methods.

Investigators will disassemble any hacking tools left behind at the crime scene and — similar to bomb detectives — scour them for unique characteristics that might identify who built or deployed them. Hints about origin might include a tool's programming code, how or when it was activated and where in the world it transmitted any stolen materials.

In some cases, investigators will trace break-ins by hackers to "command and control" computers or web servers, and logs in those machines or information in Internet registration records might provide further clues about who is behind the hack. Sometimes, hackers using aliases are identified on social media networks or in chat rooms discussing targets or techniques. Mandiant named three Chinese Army hackers, including one known as "Ugly Gorilla."

The most sophisticated tools or specialized techniques are generally attributed to the work of governments — such as the U.S. role in releasing a tool known as Stuxnet to cripple Iran's nuclear program — because it can be expensive and time-consuming for experts to build them. But governments wouldn't use their most sophisticated tools against unsophisticated targets, because of the risk that valuable tools would be discovered and rendered useless for future attacks.

It wasn't immediately clear how the U.S. government was preparing to respond. Bernadette Meehan, National Security Council spokeswoman, said the United States was "considering a range of options."

The options against North Korea are in some ways limited given that the U.S. already has a trade embargo and almost certainly wouldn't consider military action, said Martin Libicki, a cybersecurity expert at the U.S. Naval Academy and a Rand Corp. scholar.

In May, the Justice Department took the highly unusual step of announcing indictments against five Chinese military officials accused of vast cyberespionage against major American corporations. But months later, none of those defendants has been prosecuted in the United States, illustrating the challenge of using the American criminal justice system against cybercriminals operating in foreign countries.

Jonathan Zittrain, a professor of law and computer studies at Harvard University, said Sony was unquestionably facing anger over the breach and the resulting disclosure of thousands of sensitive documents. But the movie studio may be able to mitigate that reaction and potential legal exposure if it's established that North Korea was behind the attack.

"If Sony can characterize this as direct interference by or at the behest of a nation-state, might that somehow earn them the kind of immunity from liability that you might see other companies getting when there's physical terrorism involved, sponsored by a state?" Zittrain said.