And Who’s to Blame?

12364606868?profile=RESIZE_400xA recent article raised the question of whether North Korea was the perpetrator of the cyber-attacks against Sony Pictures in December 2014.  Despite the difficulties typically associated with such activities, the US Federal Bureau of Investigation (FBI) quickly attributed (25 days) the attacks to North Korea, even though an enigmatic group calling itself “Guardians of Peace” took responsibility.  Nevertheless, once the FBI official blamed North Korea, no one in the government appeared to question the call, getting behind the FBI’s claims.  The official FBI statement did not reveal any substantial evidence to substantiate the content of its claim to share that “technical analysis” saw similar tools and infrastructure used by suspected North Korean actors as solidifying its determinations.  Later, an article indicated that the National Security Agency (NSA) hacking operations against North Korea years before the Sony attack provided further insight that incriminated the Hermit Kingdom.  Nevertheless, North Korea called the allegation slanderous and was subject to sanctions and a possible shutdown of its Internet in retaliation for Sony.[1]

Before this instance, North Korea’s cyber activities had been somewhat limited. While new capabilities are always being developed, the best way to predict future behavior is to look at past behavior. in this instance, there had been little precedent that North Korea would execute an attack of this nature.  When it had felt maligned, North Korea had traditionally turned to nuisance Distributed Denial-of-Service attacks (DDoS) to express its discontent, reserving its most disruptive attacks for its southern neighbor.  North Korea has been consistent with using its cyber capabilities to signal, conduct espionage, and make money, with the latter two having been developed since the Sony attack.  Disclosing stolen intellectual property and using wiper malware to hurt an adversary has not been the go-to form of cyber malfeasance that it has been before or has since.

It is not surprising that some have called into question whether North Korea was behind this attack, or at least all facets of it, and have expressed skepticism of the FBI’s position on the subject.  Critics primarily thought that the evidence presented was essentially “circumstantial and self-referential,” relying at this point on tools and resources that were easily obtained and modified.  The same source also offered that IP addresses and language settings within the malware pointed to North Korea as it believed it should.

Aside from the technical evidence, other pieces of information cast doubt on North Korea having sole culpability in the attack.  The co-director and writer of the film was not targeted despite being instrumental in creating the content, an exciting choice for a government incensed over its depiction of its leader.  But perhaps the most giant red flag came from a threat researcher who received stolen documents before and after the breach from a Russian hacker (who had worked for Russia’s Federal Security Service) and former FBI information.  What’s more, this occurred after the leak had been “allegedly” controlled.  Such evidence indeed suggested that at the very least, two sets of attackers targeted Sony, not just North Korea.


This was not the first incident where attribution may have been levied before a proper and thorough investigation occurred and is not the sole purview of incidents involving the nation states, with many notable incidents quickly but incorrectly attributed in a rush to place blame.  The following two notable examples exemplify rushed attribution that misidentified actors behind cyberattacks:

In 2022, two state-linked Chinese hacking groups used ransomware attacks to obfuscate the true intent of their operations to steal intellectual property and other sensitive information from high-profile Japanese and Western companies.  These actors used a leak site like established ransomware groups to solidify the ruse further.  One cybersecurity company thought the deployment of different ransomware variants over short periods of time and frequent changes to the ransomware were not consistent with traditional ransomware actors, pointing toward a possible state actor.  Regardless, the link to state-affiliated actors remains murky as the group could either moonlight on the side of traditional cyber espionage work or be independent contractors looking to monetize their theft by selling it to a state or competitor.

In May 2015, threat actors executed an attack against TV5 Monde, a French television network, disrupting broadcasting for approximately three years and gaining unauthorized access to some of the network’s social media accounts.  The attackers called themselves the Cyber Caliphate and affiliated with the Islamic State.  French authorities reacted quickly, determining that the attack was in retaliation for France’s efforts against ISIS.  However, several months after conducting a more thorough investigation, other possibilities were explored with evidence pointing toward the Russian military, not Islamic threat actor culpability.  Western governments later confirmed these later suspicions.

The fact that attribution, especially against states, is even done with any confidence is surprising given that those that attribute both herald the sophistication associated with state actors while at the same time citing their carelessness as one of the reasons that they were able to be identified in the first place.  Not to say that this is not possible but given the current environment with so many companies and governments tracking and publishing material on state cyber activities, one would think that the more sophisticated cyber powers would be executing more disciplined operations.  But what is perhaps more interesting is that those who misattribute generally do not take responsibility or self-accountability for their mistakes.  Rarely are corrections or justifications provided to correct the record as to why determinations were flawed.

Although some may claim that attribution has become more accessible due to technical and forensic capability advances, much of the technical analysis provided in publicly available reports remains the same, raising questions about all the evidence not being shared or that it may not exist in the first place.  When attribution comes under more rigorous scrutiny, “trust us” is not enough to assuage skeptical observers, especially in today’s environment when there is an overwhelming lack of trust in the government, with as many as 80% of respondents to a think study survey believing that tech companies have too much power and influence over the government.  Unfortunately, the rush to attribution has become commonplace mainly because there are no repercussions for being wrong.  The government can hide behind classification issues while the private sector is not held accountable for being wrong.

It is interesting to note that states can and do regularly accuse others of cyber malfeasance, rarely sharing the evidence to support such claims or providing some but not at all of it.  This suggests that states can use cyber attribution to serve other capacities, such as justifying governments to execute specific courses of action that they might not have otherwise, and without surrendering all of their evidence to protect “sources and methods.”  As the 2018 Office of Director of National Intelligence “A Guide on Cyber Attribution” states, “Cyber attribution, or the identification of the actor responsible for a cyberattack, therefore is a critical step in formulating a national response to such attacks.”  Barring any legal standard requirements frees up a state’s options considerably.  Depending on the cyber incident, governments can then levy sanctions or, in the case of defending forward operations, engage in offensive activities under the umbrella of protecting themselves. 

As the cyber environment continues to facilitate state and non-state actors to conduct attacks, it becomes increasingly important to differentiate one group from another, particularly if a state is looking to take an informed action.  For this reason, there needs to be a higher bar other than what’s being provided to determine attribution and justify retaliation.  The longer the global community does not press for tighter Internet accountability on state actors, the more liberties authoritarian and democratic states will take to pursue their own interests.  Without a substantial pushback from citizens, there will be no need for any government to alter what it is doing or how the constituents perceive it they are mandated to protect.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   




Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!