A number of private security researchers are voicing doubts that the attack on Sony’s computer systems originated in North Korea, stating it is likely that Russian hackers are instead to blame.
According to a new report, computational linguists at Taia Global, a group of cyber security consultants, performed a linguistic analysis of online messages from the Guardians of Peace, and concluded that, based on translation errors and phrasing, the group is more likely Russian than Korean.
Marc Rogers, a security researcher at Lookout, who is also the director of security operations for an annual hacker convention called DefCon, has been analyzing the small amount of evidence that has been released publicly, and he argues that it does not point conclusively to North Korea.
Rogers cautioned against taking the U.S. government’s findings as final, stating that the information needs to be evaluated by independent researchers.
“Essentially, we are being left in a position where we are expected to just take agency promises at face value,” said Rogers. “In the current climate, that is a big ask.”
Samples studied by independent analysts reportedly indicate that the hackers used computers from all over the globe, including a Bolivian computer that has also been used to attack targets in South Korea. That computer, along with others in Poland, Italy, Thailand, Singapore and the United States, was freely available for anyone to use.
Rogers believes this means that anyone with an Internet connection and basic hacking skills could be behind the attack on Sony.
Analysts also believe that those behind the attack on Sony had a vast knowledge of the studio’s computer systems, including the names of company servers and passwords, all of which were hard-coded into the malware, suggesting the entire assault could have been an inside job.
U.S. Government officials believe the cyber attacks were in retaliation for The Interview’s release, but those doubting the official theory believe it wasn’t until the media pitched that narrative that the Guardians of Peace claimed it as a motive for the attack.
A better explanation is that a disgruntled “insider” is behind the chaotic events. Rogers wrote, “Combine that with the details of several layoffs that Sony was planning, and you don’t have to stretch the imagination too far to consider that a disgruntled Sony employee might be at the heart of it all.”
Shlomo Argamon, Taia Global’s chief scientist, said he and a team of linguists had been mining the hackers’ messages for phrases that are not normally used in English and found 20 in total.
Korean, Mandarin, Russian and German linguists then conducted literal word-for-word translations of those phrases in each language. Of the 20, 15 appeared to be literal Russian translations; only nine were Korean, and none matched Mandarin or German phrases, reports The Boston Globe.
The team also performed a second test on language used by hackers. They reportedly asked the same linguists if five of those phrases were valid in their own language. One was said to be a valid Korean construction, while three of them were consistent with Russian.
“Korea is still a possibility, but it’s much less likely than Russia,” Argamon said of his findings.
While some independent researchers are skeptical of the official narrative, other private security researchers say their own research backs up the government’s claims.
CrowdStrike, a California-based security firm, has been monitoring the group behind the Sony hack since 2006 and believes they are indeed located in North Korea.