If DPRK was really behind the Sony hack, “proportional response” is pointless.

It looks like the great cyber-war with North Korea has begun, at least by proxy. The entirety of North Korea was knocked off-line today by a distributed denial of service attack—not a difficult feat, considering that all of North Korea is connected to the global Internet by a single connection. And while Americans are undoubtedly carrying out the attacks, it’s doubtful that they are taking direction from the government at this point (unless you think Anonymous and Lizard Squad are directed by the National Security Agency).

It’s an interesting dichotomy, because the evidence presented thus far by the US government that North Korea is indeed responsible for the attack is extremely weak. None of the Internet Protocol addresses embedded in the malware used in the attack were in North Korea, and most of them were exploited systems that could have been (and probably were) used by any number of cybercriminals and black hat hackers. All of the IP addresses were clearly acting as proxy servers, and some were used for spam and malware distribution.

Only the similarity to other attacks that were apparently launched by North Korea, the apparent motive, and Occam's Razor suggest that the Guardians of Peace were in the employ of the Democratic People’s Republic of Korea, rather than some random group of laid-off employees or supporters of Kim Dotcom. But if what was done to Sony Pictures Entertainment was in fact North Korean-directed cyber-terrorism, it was extremely effective.

“By doing this, they’ve already won,” said Steve Sin, senior researcher at the National Consortium for the Study of Terrorism and Responses to Terrorism (START), a research center based at the University of Maryland, in an interview with Ars. “By a terrorist doing something, and us responding to it, the terrorist has already won.”

The Sony Pictures attack has had an immediate effect on the corporate and popular culture universes. It has likely damaged in the long-term the reputations of Sony Pictures, its executives, and partners. No matter what Sony does now, the precedent is set—corporations, which up until now have mostly been targeted by for-profit cybercrime, are now the designated soft target of everyone from script kiddies to state-funded cyber-armies.

Even now that the US government has attributed the attack to North Korea—an accusation North Korea denies and, in a stroke of propaganda genius, has offered to help prove false—there’s pretty much nothing that the government can do about it. The US is now asking China for help in blocking attacks from North Korea. And an apparent denial of service attack has knocked North Korea temporarily off the Internet. But given that most of the members of North Korea’s Unit 121, the cyber-espionage group blamed for the attack, reside not in North Korea but elsewhere in the world, it’s doubtful that such assistance would go far. And it’s even more doubtful that China would offer that help right now.

APT pupil

Though law enforcement and security firms investigating the Sony Pictures hack seem to agree that the attack came from North Korea, the fact is that the components and techniques used are in common with other operations previously attributed to Iranians and to criminal hackers. The only thing that distinguishes this attack from those is the apparent motive and the apparent extortion efforts that followed.

All around the world, there are regimes and organizations that have learned the same lessons that the Sony Pictures attackers have learned: corporate networks are soft, risk-free targets. And there’s an underground marketplace where the tools needed to create wiper malware and other attacks are readily available, as ubiquitous as AK-47s are in the conflict zones of the physical world and often provided for free. The only thing separating digital jihadis and state-sponsored guerillas based in this “Axis of Cyber-Evil” from profit-minded cybercriminals is their motive—and in some cases, it may only be who’s writing the paycheck.

The tools and skills used by the attackers—regardless of whether they were North Korean or not—are accessible to just about anyone with the time, determination, and Internet access. The irony is that the US has developed a massive Internet surveillance capability over the past decade to support the war on terrorism. Yet as powerful as the tools of the National Security Agency and FBI are in scouring the Internet, they’re impotent when it comes to delivering “proportional responses” to attacks on corporate targets by mercenary and state-actor-funded digital foot soldiers in places where the US can only ask pretty please for help from indifferent governments.

The penetration technique used for the Sony Pictures attack—gaining access to the network through stolen credentials, and working deeper into systems to spread malware, possibly with administrative tools—is similar to a number of criminal breaches. That’s because there’s a ready supply of freelance cybercriminals and hackers willing to lend a hand to any enterprise looking to break into networks if the price is right.

Financial fraud rings have developed their own software tools specifically for “long game” hacks intended to slowly siphon data from commercial targets in a way that reduces the risk of them triggering widespread breach investigations. “Phishing” attacks against carefully selected individuals based on thorough intelligence collection gave hackers access to credentials that were used to gain entry into the corporate networks and then the point-of-sale systems of Target and Home Depot.

And hackers hired by a Belgian drug ring used the same approach to gain access to the network of the port of Antwerp starting in 2011. The drug ring’s freelance hackers sent malware-laden e-mails to port employees to steal their credentials and used them to gain access to IT systems that allowed the hackers to track containers they’d used to smuggle drugs into the country. As a result, the drug ring could produce manifests that their own drivers could use to pick the containers up before their actual owners did. The port’s management only realized something was wrong when containers started going missing.

The cyber-attack on the Las Vegas Sands casino company earlier this year demonstrates just how little is required to yield the sort of results that the Sony Pictures hackers achieved—by persistently seeking a vulnerable system, hackers got onto a development server at a slots casino in Bethlehem, Pennsylvania, and were able to use an open-source tool to steal Windows Active Directory credentials. Then they fashioned a wiper program using Visual Basic, and simply logged in remotely to deliver it.

That’s not to say that Visual Basic is a sign of a lack of sophistication. It’s just evidence that low-cost commercial and open source tools that are readily available can be applied by a determined attacker to yield the same sort of damage as might have once been associated with a state-sponsored attack.

Heads I win, tails you lose

Taking on these sorts of attackers is not something the US is prepared to do. The FBI and NSA do not do corporate protection; only the companies in the Defense Industrial Base get any sort of government cyber-defense help, and it has not been terribly effective against APTs in the past.

And when a state actor can be pegged to an attack against a corporate target—especially a nation like North Korea—there’s not a lot that can be done to deter future behavior, let alone extract some sort of concession from the attacker.

“Overall, no matter what we do or don’t do, we will end up playing into North Korea’s hands,” Sin, who spent several years as an Army intelligence officer studying North Korea, and continues to track developments in the country, explained. A failure to do anything gives North Korea the signal that it can launch cyber-attacks with impunity, while a response that has any teeth to it simply becomes fodder for more propaganda about how the US is a bullying superpower and the cause of all the Democratic People’s Republic of Korea’s ills.

In the physical world, a proportional response usually means taking out some sort of infrastructure valuable to the party that attacked. Given that the infrastructure used to actually attack Sony Pictures is outside North Korea and was likely hijacked by the attackers without the knowledge of its owners, there’s not exactly a physical target for a response that wouldn’t cause collateral damage. An attack on infrastructure in China or Russia would escalate the situation.

The only long-term answer to this sort of asymmetric threat is to make it increasingly harder to find vulnerabilities in systems, and reduce the risk associated with a successful attack. That means that companies and academic institutions—and software and hardware companies that supply their IT departments—are going to have to step up to actually make their networks less vulnerable to these sorts of attacks.

Of course, the other option is to let government exercise more control over the security of the Internet. But that’s exactly what media companies like Sony wanted in the first place when the MPAA and RIAA pushed for legislation like SOPA and PIPA.