The media has been active over the last few days regarding the Sony breach, publishing claims that North Korea may be connected to the breach.
The source of the attribution is from a post on Re/code, stating an anonymous source provided information that Sony and security analysts were “actively exploring the theory” that North Korea was involved in the attack. The source also stressed that the “link to North Korea hasn’t been confirmed, but has not been ruled out.”
I believe whoever the source was regarding this statement is incredibly irresponsible, or is actually not part of the active investigation. Attack attribution is not something that starts at the early phase of an investigation. Given that Sony is still actively involved in the clean-up phase, I doubt enough data has been collected to even begin the process of identifying the point of intrusion and the scope of the breach, let alone attribution.
This is also not a task only Sony and an outside incident response team would be involved in; federal law enforcement agencies would be involved as well, and they would not reveal anything in terms of attribution until the investigation is completed.
The statement from the anonymous source has the makings of a sensationalistic story: a connection to North Korea and a controversial movie (The Interview) that just happens to be coming out on Christmas. Another possible, unconfirmed theory is that the statement is marketing spin to deflect accountability for security lapses within the organization and promote a new film in the process—double win. Another could be that the article itself is based on an unreliable source, or that comments were taken out of context. These are just theories; I can’t confirm them, but they also have not been ruled out.
Regardless, the unconfirmed connection between North Korea and the Sony attack is being reported even by reputable news outlets, further propagating the misleading information to the general public. This type of journalism is dangerous on many levels, has a negative impact on the security industry and can actually impede an investigation.
Identifying who is responsible for an attack requires a thorough investigation, and just like a murder investigation, it takes time to gather evidence before suspects can be identified. Particularly given the complexity of cyber investigations, the possibility of false flags and the amount of data security analysts need to sort through, identifying the source and intention of the attacker is no easy task.
Without Re/code providing evidence of actual attribution, or an official statement from Sony, law enforcement or North Korea for that matter, the story as it stands is FUD and the infosec equivalent of tabloid journalism.