Doubts on N. Korea claim? FBI briefed on theory Sony hack was inside job

A security firm has brought new evidence to the FBI that it claims points to a laid-off employee and others as the hackers behind the massive cyber-breach at Sony, even as the bureau publicly stands by its explanation that North Korea executed the attack.

Kurt Stammberger, senior vice president for market development at cyber intelligence firm Norse, told that his company was turning over "raw data" to the FBI on Tuesday. He said the company also briefed the FBI for "two or three hours" on Monday during a meeting in St. Louis.

"They were very open" to the new information, Stammberger said.

Among other details, he said Norse has data about the malware samples that point to "super, super detailed insider information" that only a Sony insider would have.

The briefing by Norse is the latest example of the doubts being raised by private cybersecurity analysts about the FBI's claim that Kim Jong-un's regime was behind the attack. Skeptics for days have described the evidence cited by the FBI as inconclusive and circumstantial. And they've questioned whether Pyongyang had the motive, or the ability, to scramble Sony's systems.

The most popular alternative theory, it seems, is that the hack was carried out by disgruntled former Sony employees.

The FBI, though, stood by its original announcement on Tuesday.

"The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment," the FBI said in a statement. "Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector."

The bureau added: "There is no credible information to indicate that any other individual is responsible for this cyber incident."

A State Department spokesman on Tuesday also stood by the conclusion that North Korea was responsible.

Some in the private sector have defended the FBI's case.

Dmitri Alperovitch, with security firm CrowdStrike, recently told Wired that the U.S. has more evidence proving North Korean involvement, and the government can't release it yet.

But Stammberger said he's confident the FBI will investigate further.

"They're smart folks. They will follow the evidence of the data trail, I'm confident of that," he said.

A post on Norse's company blog on Monday explained that their own investigation has focused on a group of at least six people who "may have worked to compromise the company's networks, including at least one ex-employee who had the technical background and system knowledge to carry out the attack."

According to the post, the researchers "tracked the activities of the ex-employee on underground forums." Investigators at Norse believe disgruntled workers or former workers "may have joined forces with pro-piracy hacktivists, who have long resented Sony's anti-piracy stance."

Stammberger explained Tuesday that the information points to at least one American -- the former Sony employee, who according to Stammberger lost their job earlier this year -- as well as individuals from Canada, Singapore and Thailand.

He acknowledged the FBI could have a "smoking gun" piece of evidence that they haven't shared, but said the private intelligence community has seen nothing connecting the attack to a nation state.

"The fact that nobody has seen any data that connected this to North Korea is a little strange," he said. "Also strange was the speed at which the FBI ... pinned it on them."

Other security analysts have floated a similar theory.

David Kennedy, CEO of information security firm TrustedSec, told last week that he thinks an angry insider at Sony was behind the attack.

"They were going for destroying the company," he said. He noted Sony had massive layoffs earlier this year, "a lot of them in the systems administrator field."

The FBI has not shared all its evidence, leaving open the possibility that the bureau has stronger evidence linking the hack to North Korea.

The FBI, in originally claiming Pyongyang was behind the hack, alleged the following:

• Analysis of the malware "revealed links to other malware that the FBI knows North Korean actors previously developed."
• The FBI observed "significant overlap between the infrastructure used in this attack and other malicious cyber activity" previously linked to North Korea, like North Korea-tied IP addresses that allegedly communicated with IP addresses tied to the Sony attack.
• The "tools" used in the Sony attack were similar to an attack in March 2013 by North Korea against South Korean companies.

But some have noted that the malware code has already leaked and is used by others, meaning its use in this attack doesn't necessarily point to North Korea.

"It's kind of like saying the bank robbers used a Ford Focus as a getaway car. Your grandmother uses a Ford Focus. Therefore, your grandmother is the bank robber," Stammberger said.

And skeptics have questioned the notion that the attack was North Korean retaliation for "The Interview" -- the comedy where Seth Rogen and James Franco play two reporters hired to take out North Korea's leader. Though North Korea had objected to the film, critics say the initial messages from the apparent hackers did not cite the movie. That connection came later.

North Korea, for its part, denies responsibility for the attack.