Friday, December 26, 2014

Linguistic Analysis Proves Sony's Hackers Most Likely Russian, Not Korean

Taia Global's Chief Science Advisor Dr. Shlomo Argamon, one of the country's preeminent researchers in authorship analysis and stylometry, led a team that conducted native language identification (NLI) analysis on the 20 messages left by Sony's hackers. Their results do not support the U.S. government's charge that North Korea was responsible for the network attack against Sony Pictures Entertainment. This post is a mini-version of the full report, which can be downloaded from the Taia Global website.

The Problem

The specific question that we address in this report is to determine the (non-English) native language of the authors of the electronic messages (emails and forum posts) signed by the “Guardians of Peace,” putatively from the group that hacked into Sony Pictures Entertainment, stole their data, and posted some of it publicly.

The Data

For our analysis, we used twenty messages reported in the media and posted to Pastebin that have been attributed to the “Guardians of Peace” (GOP) group (see Appendix A in the report).

Assumptions and Caveats

To do our analysis, we must first rule out two alternate scenarios.

First, that a native English speaker or speakers wrote the messages and then intentionally inserted errors to make it appear as if a non-native English speaker(s) had written them.

Second, that the messages are the result of automatic translation of foreign-language original texts, in which case it would be difficult, if not impossible, to figure out the original language from the English texts (at least without knowing specifically what translation software had been used). See Appendix D in the report for examples of Google Translate.


We apply a two pronged methodology to analyzing the native language of the messages’ authors.
First, we examine a number of possible candidate languages, including Korean, to see if we can rule them out, and if not, which one does seem the most likely native language.
Second, as a further check, we perform an independent test for the messages’ similarity to English written by native Korean speakers to see how similar the non-fluencies are.

The Results

We conclude that it is unlikely that the messages were written by native Korean speakers, though it is not impossible. It is far more likely that they were written by native Russian speakers. It is virtually impossible, however, that they were written by native German or Mandarin Chinese speakers.

If You'd Like To Join Our Study

This study is limited by the small number of languages that were studied, as well as by the limited comparison with L2 English samples. We plan an expanded study of the messages, comparing against a wider sample of candidate languages as well as performing statistical comparisons against L2 samples in Korean and other languages.

Taia Global is looking for linguists with academic backgrounds to join this research project commencing in early January 2015. Interested candidates should contact Dr. Shlomo Argamon.


"New Study Adds To Skepticism Among Security Experts That North Korea Attacked Sony"
"Why You Should Demand Proof Before Believing The US Government About North Korea and Sony"
Sony, the DPRK, And The Thailand - Pyongyang Connection"

Sunday, December 21, 2014

Transcript of Kim Jong-Un's Discussions With His General About Sony

The following is a transcription which I'm certain has been captured by some agency somewhere and provided to me by an un-named, possibly government source. It takes place over several weeks and features private conversations between the DPRK Supreme Leader Kim Jon-un and the commanding officer of the DPRK's Army Unit 121.

Sony is making a movie about assassinating me called The Interview.
I want to destroy them. What are my options.

My people will do it.

Didn’t they attack the South Korean banks last year?

No that was South Korean Leftists.

 And weren’t your men responsible for the DDOS attacks against U.S. and South Korean government websites in 2009?

No, those were some Armenian kids.

So what exactly has your unit done, General?

We send our people to China where they steal trade secrets from the Americans and then sell them to the Russians, the Chinese, and the South Koreans. 

Good money doing that?

About fifty billion yuan a year.

And everyone thinks that it’s the Chinese! Brilliant! Now go attack Sony for insulting me. But make them think it’s not us.

Sir, who else would be offended that a movie was being made about killing you besides us?

It’s the entertainment industry. They steal from each other. They pay their people less than we pay ours just to say that they work in “the business”. Are you kidding me right now? They have more enemies than I do. 

But why say anything at all?


My men are highly trained soldiers. I give them targets and they destroy them. They don’t tell anyone, let alone the target, who they are or what they’re doing.

But I thought you make up funny names for yourselves like “Dark Seoul” and leave cryptic messages in your attack code.

No, that’s not us. That’s the South Korean Leftists. They’re crazy people.

ARGH. I have to think. Leave me, General. I’m about to invade Snowdown with my War Poros.

As the General leaves, Kim returns to playing League of Legends and forgets about the movie.

Weeks later.

General, someone called God’s Apostles or GOP has hacked Sony BIG TIME! Was that your people?

No sir. You never gave us the order. We think it was someone who used to work there for slave wages and wanted revenge. 

But why would they care about my movie?

Apparently they didn’t. They just wanted Sony to pay money to the victims of its oppression. Your movie wasn’t mentioned until later.

Good. Then your people can keep making me money and not waste their time on that stupid movie.

How’s the assault on Snowdown coming, sir?

There’s a sale on Legacy skins. What do you think - Bad Santa Vieger or Slay Belle Katarina?

Katarina. Definitely.

6 days later

Sir, the American President says that we are to blame for the Sony attack and that there will be repercussions.

General, did he really say that or are you just pulling the leg?

The General holds up his iPad and plays a clip from President Obama’s press conference.

Kim jumps up and dances around his desk.


Kim cracks open a bottle of Cristal and takes a swig.

Sir. It gets better. The Americans are asking the Chinese to help them stop us.

Kim looks at the general wide-eyed. Then bursts into a fit of laughter, spraying Cristal all over the general’s uniform.

“Oh, General. I am truly blessed by all the Buddhas. Not only has Sony been punished, but my greatest enemy the United States government has now shown the world how incompetent and vulnerable it is. Everything has fallen into place and I’ve had to do nothing!
Kim meditates for a moment on his many blessings.

General, I have an idea. Tell the American President that we didn't do this and that we'll help him find out who did. What the hell. I'm feeling magnanimous.

- END -


Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony
Sony, the DPRK, and the Thailand - Pyongyang Connection
"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence  Tallinn, Estonia. 

Friday, December 19, 2014

Sony, the DPRK, and the Thailand - Pyongyang Connection

UPDATE (19DEC2014 1725PST)
I'm top-posting this update because I've just learned of some new information about Loxley Pacific which makes me believe that the Loxley-DPRK connection should be investigated in a more rigorous fashion. This comes from Don Sambandaraksa's Bloggery article "Loxley and the Thai way of doing things":
"(I)n April 2003 a company in Japan, Meishin, attempted to export parts for nuclear centrifuges to North Korea. The intermediary was a Thai telecom company, Loxley Pacific, and the consignment was declared as telecom equipment in an attempt to avoid scrutiny."
"The sad thing was that because of the proper and elite image of Loxley in Thailand, the news blackout was almost absolute within the country. Editors did not wish to make an enemy of Loxley as their owners, the Lamsum family, have a banking, food, commercial and advertising empire that is no less omnipresent than that of True and CP owned by the Chearavanont family. Only the Lumsums prefer to keep themselves to themselves unlike the publicity hungry Chearavanonts."
"No publication would risk losing their advertising income by pointing out that they were part of North Korea’s nuclear program. No politician would dare to lose party funding by taking them on - the Lumsums were the fifth largest official donor to the Democrat party. The Chearavanonts, meanwhile, topped the 2011 list."
"The Bangkok Post’s Post Database section ran the story, but what should have been front page news on every newspaper in the country was instead run as a story on the back page of the the technology section. Such was the scale of denial."
The above is just a snippet of Don's full article which discusses Loxley, its subsidiary Loxley Pacific, and its sale to North Korea of a GSM network and an ISP. If Don is correct in his assessment about Loxley's political influence in Thailand and its deal-making with insiders, then chances are good that Loxley's own network is extremely vulnerable to being breached (who would be brave enough to tell the CEO?). Post-breach, it could be used as a vector to access North Korea's mobile and Internet networks. Anything the attackers do after that would be blamed on Pyongyang - no questions asked.

[Original Post Begins Here]
The White House appears to be convinced through "Signals intelligence" that the North Korean government planned and perpetrated this attack against Sony:
In one new detail, investigators have uncovered an instance where the malicious software on Sony’s system tried to contact an Internet address within North Korea
There is a common misconception that North Korea's ITC is a closed system therefore anything in or out must be evidence of a government run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. Those companies are:
  • Lancelot Holdings
  • Loxley Pacific 
  • Shin Satellite Corp
  • Orascom Telecomms Holding
Each offers a different service, but Loxley Pacific, a Thailand joint venture involving Loxley (Thailand), Teltech (Finland), and Jarangthai (Taiwan). 

Loxley Pacific is a subsidiary of Loxley, a Thai public company that provides a variety of products and services throughout the Asia Pacific region. According to its 2013 annual report, Loxley has 809 permanent staff and 110 contract staff. 

Loxley Pacific provides fixed-telephone lines, public payphone, mobile phones, internet, paging, satellite communications, long-distance/international services, wire or wireless in the Rajin-Sonbong Free Economic and Trade Zone. Star JV is North Korea's internet service run as a joint venture between the North Korean government and Loxley Pacific.

One of the easiest ways to compromise the Internet backbone of a country is to work for or be a vendor to the company which supplies the backbone. For the DPRK, that's Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices.

This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony's network. That in addition to the fact that the attackers never mentioned the movie until after the media did pretty much rules out "The Interview" as Pyongyang's alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific's network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK's network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government.

Under international law, "the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State" (Rule 8, The Tallinn Manual). The White House must responsibly evaluate other options, such as this one, before taking action against another nation state. If it takes such action, and is proved wrong later, which it almost certainly will be, the reputation of the U.S. government and the intelligence agencies which serve it will be harmed.


"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Sony, the DPRK, and the Thailand - Pyongyang Connection" by Jeffrey Carr
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence  Tallinn, Estonia. 

Wednesday, December 17, 2014

Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony

Yesterday evening the New York Times reported that un-named American intelligence officials have concluded that the North Korean government was "centrally involved" in the massive breach against Sony (NYSE: SNE), and that the White House hasn't yet decided how it will respond.

Such a claim, if true, requires that two things should be done immediately:
  1. The identities of the intelligence officials need to be revealed, or at least the agency that they work for.
  2. Point to the proof that supports that finding.
Chances are better than 50/50 that the agency is DHS; the agency which since its inception has redefined the word incompetent.
Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database. 
A parade of high-level departures, on top of other factors, has meanwhile helped slow the rollout of key cybersecurity initiatives, including a program aimed at blocking malicious software before it can infiltrate civilian government computers, former officials say.
The Inspector General's DHS report that came out last month was highly critical as well.

But even if the NY Times source wasn't DHS, the IC is rarely unified when it comes to intelligence analysis; especially cyber intelligence.The NASDAQ investigation as reported by Bloomberg is a great example.
In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings. 
Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
Cyber Intelligence Can Be Contradictory and Unreliable
Federal agencies' demand for cyber threat intelligence is voracious and they pay well. That demand is frequently met by companies like Mandiant, now part of FireEye - the company handling Sony's incident response. The problem is that these companies have no oversight and no standardized vetting of sources.

A recent Carnegie Mellon report on cyber intelligence tradecraft reported:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
It isn't hard to find examples.

Cylance's last report "Operation Cleaver" claimed that Iran is a sophisticated cyber adversary and pointed to Shamoon as proof. However, technical reporting by both Kaspersky Lab and Crysys Lab noted that Shamoon's author was incompetent; that due to "silly errors" the malware was only 50% effective. If you want to make the case that Iran is a sophisticated cyber warfare actor, you shouldn't point to poorly written malware as an example.

Crowdstrike's "Putter Panda" report made the claim that posts in a Chinese XCar forum were secretly coded messages used to convey information about hacking jobs when it was really just an online forum about cars. This mistake happened because Crowdstrike's researchers used Google Translate instead of native Chinese linguists. When researchers see hidden Chinese hacker messages where none exist, it makes it difficult to accept their analysis of North Korean language peculiarities.

According to Sophos, Dark Seoul malware is not particularly sophisticated and easy to detect. Symantec referred to Dark Seoul not as malware but as a hacker group responsible for four years of attacks against South Korean websites including the DDoS attack against some U.S. government websites over Independence Day weekend in July 2009.
McAfee referred to Dark Seoul as an operational name but then changed it to Operation Troy, extended the attack to a four year campaign and, unlike Symantec, added the claim of espionage as the campaign's purpose.

Names Are Collections Of Technical Indicators, Not People
Names given to hacker groups by cyber intelligence companies don't refer to actual people (with a few notable exceptions). Instead they refer to technical indicators or TTPs (tools, techniques and procedures) that attacks have in common. There's no way to tell who belongs to any group, or if you can identify one member of a group from a certain year, where that member is today. Further, different companies assign different names to the same groups which is why you end up with names like Comment Crew, APT1, Soy Sauce, GIF89a, Shanghai Group, and Comment Panda on the unclassified side, and "Bravo Charlie" on the classified side.

This feeding of commercial cyber intelligence which hasn't been subjected to any critical scrutiny or source validation to intelligence agencies where it gets a new code name and classification is a disaster waiting to happen.

Challenge Everything
Is North Korea responsible for the Sony breach? I can't imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired.

My advice to journalists, business executives, policymakers, and the general public is to challenge everything that you hear or read about the attribution of cyber attacks. Demand to see the evidence, not scrubbed "indicators of compromise" that can't be validated. Be aware that the FBI, Secret Service, NSA, CIA, and DHS rarely agree with each other, that commercial cyber security companies are in the business of competing with each other, and that "cyber intelligence" is frequently the world's biggest oxymoron.


"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Sony, the DPRK, and the Thailand - Pyongyang Connection" by Jeffrey Carr
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence  Tallinn, Estonia. 

Friday, December 5, 2014

"Measure Twice. Bite Once" - Suits and Spooks DC 2015 Supports The Warrior Dog Foundation

You have 5 days left before the Early Bird rate for Suits and Spooks DC/Pentagon City ends on December 10th. For the first time, we'll be holding this event at the Ritz Carlton Pentagon City and we're going to honor the work of the Warrior Dog Foundation by hosting a dinner for them on February 4th.

Normally the tickets for the dinner are sold separately from the Suits and Spooks registration but between now and December 10th, if you register for Suits and Spooks DC/Pentagon City, we'll buy you your ticket to the dinner.

Everyone who registers for Suits and Spooks, whether you register for the dinner or not, will receive an awesome t-shirt which shows a modified Suits and Spooks playing card logo that has been integrated with the Warrior Dog Foundation "paws" and ribbon and the tag line:


Visit the brand new Suits and Spooks website to learn more, and register before December 10th to take advantage of this great offer.

Wednesday, December 3, 2014

The One Statement That Changes Everything For A Corporation That's Been Breached

Imagine that you're a publicly-owned company that has just been hacked in a BIG way. You're now in damage control mode. You've made a preliminary announcement. You've hired a high profile and very expensive Incident Response company. That's all SOP. After a reasonable amount of time goes by there is one statement that you can make which will change the game entirely. Guess which one it is:

THE INSIDER STATEMENT: A former ACME Corporation employee named Wiley E. Coyote stole the company's plans for a Jet-Propelled Unicycle by tricking a security guard into thinking it was just a big lunch box.

THE HACKTIVIST STATEMENT: The ACME Corporation's network has been breached by a fast-running ground cuckoo called RoadRunner.

THE NATION STATE STATEMENT: The ACME Corporation is the victim of a highly sophisticated cyber attack by an elite State-sponsored group of hackers.

If you guessed The Nation State Statement, you're right. Here's why.

Companies that get pwned by hacktivists like Anonymous or LulzSec look like they're incompetent because hacktivists launch low-level attacks against low-hanging fruit that shouldn't be there in the first place. Plus, hacktivists frequently get caught and then flip on their compadres. Bottom line, your multi-billion dollar multinational corporation has just been breached by some low-rent kid with no balls and your CEO looks like a jerk.

If, on the other hand, your company was breached by an insider, it opens a huge can of worms for your General Counsel because you hired the guy and malicious insiders always, ALWAYS, give early warning signs before they rip you off, which you clearly missed. With the hacktivist, you may look like a jerk but at least you can blame someone else. If you're the victim of an insider, heads are going to roll.

But imagine if you could point the finger at foreign government; especially one that everyone hated like Iran or North Korea. For many years, China was the go-to culprit but now it's more impressive to be hacked by Russia or the DPRK. If you can blame a nation state by calling the actors "state-sponsored", then you cannot be held responsible. You'd be the victim of a military organization or an intelligence service with vast funding and sophisticated capabilities that could overcome any corporate network. Plus, everybody wins! By blaming North Korea for example you have instantly created a news story which focuses attention on that idiot in Pyongyang instead of your CEO. You've have helped the White House and Congress further their DPRK policies. Your Incident Response company's CEO is now in love with you because you've guaranteed him international headlines which might result in a lucrative acquisition down the road.

Blaming a nation state for your company's attack is WIN - WIN - WIN.

There is one caveat, however.

Because it is so wonderful to be able to claim to be the victim of hackers employed by a foreign government, you have to be careful that the evidence supports your claim. If it looks like an inside job and you claim nation-state, it might have the opposite effect. Then your "win" will vanish faster than a RoadRunner's "beep beep".

Monday, December 1, 2014

The Latest Sony Breach And Its Potential SEC Problems

Sony's (NYSE: SNE) latest network breach is also potentially one of its worst when it comes to financial impact on the company. The attackers (Guardians of Peace) stole five movies including Brad Pitt's "Fury" and released them online. "Fury" alone has had over 1.2 million downloads in the last three days according to Variety, which makes it the second most downloaded movie currently being pirated. The other movies stolen by hackers include "Annie", "Mr. Turner", "Still Alice", and "To Write Love on Her Arms".  The hackers also stole multiple terabytes of internal company financial and personal data which they released today on Pastebin. Depending upon what was stolen, this could make Sony liable for millions of dollars in penalties if includes controlled PII data.

The company's PlayStation unit had been repeatedly and successfully breached by attackers in 2011 which cost it an estimated $171 million and "affect revenues for its fiscal 2011 year" according to its IR group (investor relations). Page 8 of its 2011 Annual Report dedicated one paragraph to that event, 90% of which spoke about how "sophisticated" the hackers were (they actually weren't sophisticated at all) and how they have reinforced their security, blah blah.

The current attack against Sony Entertainment Pictures has potentially done more damage and may involve one or more insiders. Sony has engaged an IR firm to investigate the attack and is cooperating with the FBI, which is pretty standard procedure.

I looked at Sony's annual reports since 2011 and the language used in describing its cyber risk factors remains pretty much the same as this quote from its 2014 20F filing:
"Moreover, as network and information systems have become increasingly important to Sony’s operating activities, the impact that network and information system shutdowns may have on Sony’s operating activities has increased. Shutdowns may be caused by events similar to those described above or other unforeseen events, such as software or hardware defects or cyber-attacks by groups or individuals." 
"Similar events in the future may result in the disruption of Sony’s major business operations, delays in production, shipments and recognition of sales, and large expenditures necessary to enhance, repair or replace such facilities and network and information systems. Furthermore, Sony may not be able to obtain sufficient insurance in the future to cover the resulting expenditures and losses, and insurance premiums may increase. These situations may have an adverse impact on Sony’s operating results and financial condition."
"Sony makes extensive use of information technology, online services and centralized data processing, including through third-party service providers. The secure maintenance and transmission of customer information is a critical element of Sony’s operations. Sony’s information technology and other systems that maintain and transmit such information, or those of service providers or business partners, and the security of such information possessed by Sony or its business partners may be compromised by a malicious third-party or a man-made or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, customer information may be lost, disclosed, misappropriated, altered or accessed without consent. For example, Sony’s network services, online game business and websites of certain subsidiaries have been subject to cyber-attacks by groups and individuals with a wide range of motives and expertise, resulting, in some instances, in unauthorized access to and the potential or actual theft of customer information."
"In addition, Sony, third-party service providers and other business partners process and maintain proprietary Sony business information and data related to Sony’s business, commercial customers, suppliers and other business partners. Sony’s information technology and other systems that maintain and transmit this information, or those of service providers or business partners, and the security of such information possessed by Sony, third party service providers or other business partners may also be compromised by a malicious third-party or a manmade or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, Sony’s business information and customer, supplier, and other business partner data may be lost, disclosed, misappropriated, altered, or accessed without consent."

This is pretty generic stuff, evidenced by the fact that the language doesn't contain anything specific to Sony that wouldn't apply to every other public company. SEC regulations on risk disclosure require that the language to be non-generic so Sony like all registrants will need to find a way to accurately estimate their risk of a cyber attack without providing actionable intelligence to potential attackers (which I believe is entirely possible).

Sony never filed an 8-K on the 2011 breach and to date they haven't filed one on this breach (8-Ks are to be filed on material corporate events that shareholders should know about). I've left a message for their IR desk to call me back so that I can ask them why that is but so far, no joy.

A Taia Global white paper on the SEC and Cyber Risk Factors was just published last Monday and is available for download at the company website.