
The FBI Has Been Wrong About Hacks Against the US Before

And it could be wrong now.

The Federal Bureau of Investigation concluded last week that North Korea was responsible for the hacks that crippled and publicly embarrassed Sony Pictures Entertainment and its employees. Since then, President Barack Obama has promised to retaliate and unknown parties took the entire Hermit Kingdom offline on Monday.

The situation is clearly heated and the stakes are high, but here's the thing: the FBI has wrongly blamed nation-states for perpetrating hacks against the US before.


In January of 1998, Iraq ousted US arms inspectors from the country, leading to a tense political situation that wouldn't be resolved until November. In February, the FBI detected a number of intrusions in government computer networks, including the Air Force.

Tracing the complex series of intermediary servers—known as "proxies"—that the hackers used to cover their tracks revealed a connection in the United Arab Emirates, leading the FBI to believe that Iraq was responsible for the attacks.

Further investigation later revealed that the hacks were perpetrated not by the Iraqi state, but by Israeli and Californian teenagers. The FBI even made a short documentary training video about the incident, dubbed "Solar Sunrise," which WIRED uploaded to YouTube.

For information security professionals, the Solar Sunrise fiasco represents a lesson in how not to conduct a cyber security investigation: don't rush the job, and don't hastily place blame where it may not lie, especially when the evidence is only mildly compelling.

"While the FBI does have skilled investigators, they have made mistakes in the past," Brian Martin, the vulnerabilities expert for cyber security firm Risk Based Security, told me. "They attributed Iraq for a previous intrusion, and there's probably been several others. This is something that happens with the FBI fairly frequently. They can be put in a spot that is subject to a lot of political pressure with various politicians saying 'cyberwar' and 'we lost.'"


Martin, like other cyber security and legal experts who have come forward in recent days to cast aspersions on the evidence the FBI has released, believes that the FBI's technical reasons for pointing the finger at North Korea are unsound. He takes particular issue with the FBI's finding that the malware used in the attack communicated with several North Korean IP addresses.

"For 30 years now, when a moderately skilled computer criminal does his or her thing, they compromise one machine and use it to execute future attacks," Martin said. "Some attackers will go through two, three, four—who knows how many—computer systems before they actually attack their intended target. Everything we've seen so far suggests that they're at least moderately skilled."

Just like the 1998 hackers did, modern hackers often route their attacks through multiple proxies to throw off investigators. The connection the FBI found in the UAE is what led it to initially blame Iraq, and a similar logic appears to be at play in its implication of North Korea.


As a result of these gaps in the FBI's reading of the evidence, Martin believes that no certain conclusions can be made about North Korea's involvement in the Sony hacks.

"The little bit that we've seen from the FBI may suggest that North Korea was involved, but it may also just as easily suggest China's involved, that random hackers are involved and have compromised computers in those countries, or anything else," he told me.


Marc W. Rogers, an ex-hacker currently employed as cloud-based security service CloudFlare's principal security researcher, also believes that the FBI's evidence leaves something to be desired.

"They seem to hold the belief that one piece of malware having links to another piece of malware is a definitive tie," Rogers said. "The reality is that this is not the case."

Rogers is referring here to the FBI's discovery that the malware used in the Sony hacks, which has been described by security experts as "slapdash," shares code with malware from previous cyber attacks that have been attributed to North Korea. As other security experts have noted in the last several weeks, malware is often shared among hackers and reused.

"There's lots of malware that's shared between different groups, and all malware is built on top of older malware," Martin said. "They're also built on top of hacking tools. For example, you'll find lots of malware that uses pieces of code from popular tools like Nmap. Does that mean that the guy who wrote Nmap is a malware author? No. Does that mean he works for North Korea? No."


The FBI's exact reasons for implicating North Korea in the Sony hack based on this evidence are unclear, and there is the possibility that the bureau is working off of signals intelligence or information provided by other agencies that it can't disclose.

Regardless, it's readily apparent that intense public focus on the hack formed a political pressure cooker that demanded a response from government officials. As in 1998, Rogers said, the FBI could be pointing the finger too hastily at the most obvious target.


"By blaming a nation-state, the FBI gets to point a finger at someone very quickly," Rogers told me. "Politically, it gives a lot of advantages. We know the current administration is looking to push through some tighter regulations for the internet."

In terms of political expediency, the looming specter of regressive or restrictive cybersecurity legislation in the wake of the high-profile hack has recently troubled experts. Peter Singer, for instance, told Motherboard in an interview last week that he believes the current crisis will be used to push forward unpopular legislation, not unlike the Cybersecurity Information Sharing and Protection Act (CISPA).

To wit, President Obama said during his year-end press conference last Friday that the Sony hacks indicate a need for stronger cyber security laws for the US and the world.

"This points towards the need to work with the international community to set up some very clear rules of the world for how the internet […] operates," Obama told reporters. "Right now it's the wild west."

As doubt about the FBI's justification for pinning the Sony hacks on North Korea continues to swell in cybersecurity circles, it appears as though recent history could be repeating itself. Amid a maelstrom of political tension and grandstanding, the FBI implicated the most ready-at-hand villain—North Korea this time, instead of Iraq.

If the host of cyber security experts calling the FBI's evidence into question is to be believed, it could be the case that the hack was in fact perpetrated not by a powerful nation-state, but by American teenagers, as in 1998. Or by anybody else, for that matter.