If The Sony Hack Was An Inside Job, When, Why, And How Did North Korea Decide To Plant A Spy At Sony?

There are a lot of loose ends with the Sony hack that bother old IT guys like me. Kim Zetter in the article, The Evidence That North Korea Hacked Sony Is Flimsy, makes the point that nation-state attacks are not normally this noisy. This attack was public and filled with revenge-filled rhetoric that sounded distinctly non-North Korean.

Marc Rogers in the article, Why the Sony hack is unlikely to be the work of North Korea, goes a step farther and says an insider is the likely culprit.

3. It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.

So if we are to assume that the attack is from North Korea, we have to ask when, why, and how did they plant a spy at Sony? The mainstream news media seems to be proceeding under the premise that the North Koreans could walk into Sony either literally or electronically and collect extensive knowledge of Sony’s architecture including key passwords in a relatively short period of time. I think this supports main stream media’s agenda that this is technology problem all we need to do is install the latest and greatest firewall. The reality is that this type of hack is typically an inside job so it is a primarily a personnel rather than a technology problem. In most major corporations this type of broad access requires lots of time since security is compartmentalized and transferring passwords to new people is dependent on developing trust. Password management in a large corporation like Sony can be further enhanced by delegating password control to different people. In this case the passwords for administering email, human resources and accounting systems are probably controlled and periodically changed by the people who have operational control of those systems. So if the insider working for the North Koreans is a new hire or contractor then they must have been inserted into Sony months ago. This begs the question of why did the North Koreans target Sony months ago, develop such a sophisticated operation, and then release detailed information about this operation to the world. All of this work for a movie! The North Koreans may be crazy but I do not think they are stupid!

If this hack is not North Koreans consumed by revenge over a movie, we have to conclude the insider was a long time employee or contractor who got the data directly off the servers or via malware installed on certain key computers. We are looking for a person with a Edward Snowden profile. Although some people who are skeptical of the North Korea explanation see a government conspiracy, my guess is our law enforcement agents are temporarily feeding the public misinformation to buy more time to complete the investigation and arrest the suspect while still in the United States.

For a detailed list of the Sony hack events check out the Riskbased Security article, A Breakdown and Analysis of the December, 2014 Sony Hack.