It's been weeks since the unprecedented Sony hack was first made public, and still no one—not the FBI, or the White House, or Santa Claus—has publicly provided solid evidence that North Korea was behind the attack. But if not Pyongyang—who? One team of computer security experts has a compelling counter-theory: Sony was attacked by its own people.
Kurt Stammberger is a senior vice president at Norse, a firm that provides intelligence and protection strategies for clients with vulnerable computer networks. He and his team spend their time both watching internet attacks as they happen, and sifting through stores of data collected in the wake of a breach. Stammberger knows what a digital intrusion looks like, and doesn't buy the feds' North Korean angle: "Are there NK fingerprints? Sure," he told me over the phone earlier this week. "But when we run any of those leads to ground, they end up being dead ends."
Instead, Stammberger's team has been going through the many gigabytes of leaked Sony data in search of another possibility: that Sony wasn't attacked from the other side of the world, but was raided by someone on the inside. Or, formerly on the inside: Stammberger says his team thinks they've identified the as-of-yet-unidentified Guardians of Peace: "a relatively ad-hoc, small group of individuals that is probably comprised of some ex-employees of Sony and some other people that did not work at Sony."
Stammberger and his team shared their raw data with the FBI yesterday, and agreed to not show their evidence elsewhere, so the theory as he described it to me is still sketchy. But it hinges on an ex-Sony employee that Stammberger calls "Lena."
"Lena" was an employee of ten years at Sony in Los Angeles, working in a "key technical" position at the company, and was axed during the company's brutal layoffs this past May. Even if she'd departed the company months before the attack, she would have remained "very well placed to know which servers to target," and "where all the sensitive information in Sony was stored." (A preliminary search of my own through leaked Sony data reveals no one by the name of Lena, though Stammberger says it could've been an alias—he also could not tell me how he arrived at that name, or the names of any other suspected hackers.)
What drew this group together, Stammberger says, is a mutual hatred of Sony: "These were individuals that were connected with torrenting Sony movies and content online, were targeted by legal and law enforcement arms, and were irritated that basically they were caught." A disgruntled Sony employee—or employees—who joined forces with contacts in the hacker community that were equally pissed for getting caught bootlegging movies. This sounds much more plausible to me than a crack North Korean cyber-commando squad, or whichever Tom Clancy wet dream has been floating between the White House and the New York Times.
But if the Norse report isn't as far-fetched as the FBI's version, it's not a whole lot more substantiated, either. By the company's own admission, their counter-theory isn't a slam dunk: "We have indicators that connect [these suspects] to this attack," Stammberger told me, but "It's a long way from proof," and "a long way from something I think you could prosecute someone with."
The FBI, for its part, still publicly insists that North Korea was involved in the attack in some capacity. A New York Times report today cites Sony executives who say the agency believes hackers "used digital techniques to steal the credentials and passwords from a systems administrator who had maximum access to Sony's computer systems":
Once in control of the gateways those items opened, theft of information was relatively easy.
Government investigators and Sony's private security experts traced the hacking through a network of foreign servers and identified malicious software bearing the familiar hallmarks of a hacking gang known as Dark Seoul. Prodded for inside information at a social gathering — long before the F.B.I. announced any conclusions — Doug Belgrad, president of Sony's motion picture group, responded, "It's the Koreans."
It will always be easier for Sony to blame North Korea instead of blaming itself.