A recent article raised the question if North Kora was actually the perpetrator of the cyber attacks against Sony Pictures in December 2014.  Despite the difficulties typically associated with such activities, the Federal Bureau of Investigation (FBI) quickly attributed (25 days) the attacks to North Korea, even though an enigmatic group calling itself “Guardians of Peace” took responsibility.  Nevertheless, once the FBI official blamed North Korea no one in the government appeared to question the call, getting behind the FBI’s claims.  The official FBI statement did not reveal any substantial evidence to substantiate its claims content to share that “technical analysis” saw similar tools and infrastructure used by suspected North Korea actors as solidifying its determinations.  Later, an article indicated that National Security Agency hacking operations against North Korea years prior to the Sony attack as providing further insight that incriminated the Hermit Kingdom.  Nevertheless, North Korea called the allegation slanderous, and was subject to sanctions and a possible shutdown of its Internet in retaliation for Sony.

Prior to this instance, North Korea’s cyber activities had been rather limited and while new capabilities are always being developed, the best way to predict future behavior is to look at past behavior, and in this instance, there had been little precedent that North Korea would execute an attack of this nature.  When it had felt maligned in the past, North Korea had traditionally turned to nuisance distributed denial-of-service attacks (DDoS) to express its discontent, reserving its most disruptive attacks for its southern neighbor.  North Korea has been pretty consistent with using its cyber capabilities to signal, conduct espionage, and make money with the latter two having really been developed since the Sony attack.  Disclosing stolen intellectual property and using wiper malware to hurt an adversary has not been a go-to form of cyber malfeasance that it did before, or has done since.

So, it’s not surprising that some have called into question whether North Korea was actually behind this attack, or at least, all facets of it., and have expressed skepticism of the FBI’s position on the subject.  Critics largely thought that the evidence that had been presented was largely “circumstantial and self-referential” relying at this point tools and resources that were easily obtained and modified.  The same source also offered that IP addresses and language settings within the malware did point to North Korea as it believed that it should.

Aside from the technical evidence, there were other pieces of information that cast doubt on North Korea having sole culpability in the attack.  The co-director and writer of the film was not targeted despite being instrumental in creating the content, an interesting choice for a government incensed over its depiction of its leader.  But perhaps the biggest red flag came from a threat researcher who received stolen documents both before and after the breach from a Russian hacker (who had done work for Russia’s Federal Security Service) and former FBI information.  What’s more, this occurred after the leak had been “allegedly” controlled.  Such evidence certainly suggested that at the very least two sets of attackers targeted Sony, not just North Korea.

This wasn’t the first incident where attribution may have been levied before a proper and thorough investigation occurred and is not the sole purview of incidents involving nation states with many notable incidents quickly but incorrectly attributed in a rush to place blame.  The following two notable examples exemplify rushed attribution that misidentified actors behind cyber attacks:

• Ransomware.  In 2022, two state-linked Chinese hacking groups used ransomware attacks to obfuscate the true intent of their operations – to steal intellectual property and other sensitive information from high-profile Japanese and western companies.  These actors used a leak site like established ransomware groups in order to further solidify the ruse.  One cybersecurity company thought the deployment of different ransomware variants over short periods of time and frequent changes to the ransomware were not consistent with traditional ransomware actors, pointing toward a possible state actor.  Regardless, the link to state-affiliated actors remains murky as the group could either moonlighting on the side of traditional cyber espionage work, or else be independent contractors looking to monetize their theft either by selling it to a state or competitor.

• Disruption.  In May 2015, threat actors executed an attack against TV5 Monde, a French television network, disrupting broadcasting for approximately three years and gaining unauthorized access to some of the network’s social media accounts.  The attackers called themselves the Cyber Caliphate and affiliated with the Islamic State.  French authorities reacted quickly determining that the attack was in retaliation for France’s efforts against ISIS.  However, several months later after conducting a more thorough investigation, other possibilities were explored with evidence pointing toward Russian military – not Islamic – threat actor culpability.  These later suspicions were later confirmed by Western governments.

The fact that attribution -especially against states – is even done with any confidence is surprising given that those that attributing both herald the sophistication associated with state actors while at the same time citing their carelessness as one of the reasons that they were able to be identified in the first place.  Not to say that this isn’t possible but given the current environment with so many companies and governments tracking and publishing material on state cyber activities, one would think that the more sophisticated cyber powers would be executing more disciplined operations.  But what is perhaps more interesting is that those that misattribute generally do not take responsibility or self-accountability for their mistakes.  Rarely are corrections or justifications provided to correct the record as to why determinations were flawed. 

Although some may claim that attribution has become easier due to technical and forensic capability advances, much of the technical analysis provided in publicly available reports remains the same, raising questions if all of the evidence is not being shared or that it may not exist in the first place.  When attribution comes under a more rigorous scrutiny, “trust us” is not enough to assuage skeptical observers, especially in today’s environment when there is overwhelming lack of trust in the government, with as many as 80% of respondents to a think study survey believing that tech companies have too much power and influence over the government.  Unfortunately, the rush to attribution has become commonplace largely because there are no repercussions for being wrong.  The government can hide behind classification issues while the private sector is not being held to any accountability for being wrong.

It’s interesting to note that states can and do regularly accuse others of cyber malfeasance, rarely sharing the evidence to support such claims or providing some but not at all of it.  This suggests that states can use cyber attribution in order to serve other capacities such as giving governments justification to execute certain courses of action that it might not have done otherwise, and without surrendering all of its evidence to protect “sources and methods.”  As the 2018 Office of Director of National Intelligence “A Guide on Cyber Attribution” states, “Cyber attribution, or the identification of the actor responsible for a cyber attack, therefore is a critical step in formulating a national response to such attacks.”  Barring any legal standard requirements frees up a state’s options considerably.  Depending on the cyber incident, governments can then levy sanctions, or in the case of defend forward operations, engage in offensive activities under the umbrella of protecting itself.  

As the cyber environment continues to facilitate state and nonstate actors to conduct attacks, it becomes increasingly important to be able to differentiate one group from another, particularly if a state is looking to make an informed action as a result.  And for this reason, there needs to be a higher bar other than what’s being provided to determine attribution and justify retaliations.  The longer the global community does not press for tighter Internet accountability on state actors the more liberties authoritarian and democratic states alike will take to pursue their own interests.  And without a substantial pushback from citizens, there will be no need for any government to alter what it’s doing, or how it is perceived by the very constituents they are mandated to protect.