
> The 'evidence' so far is, as others are pointing out, that people in NK wrote similar malware and some of the components used.

I had written a lengthy post pointing out the many pieces of evidence you're ignoring, but I think the FBI release does the job just as well. I find the infrastructure evidence as interesting as, if not more interesting than, the similar code:

> Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

> The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

> Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

This also does not mention that some of the code was compiled on a machine configured with Korean language settings. This doesn't establish definitively that North Korea was behind this, but it is consistent with that conclusion.

There is also classified evidence. You may choose to ignore it, but I find the claim deserving of some (though not decisive) weight, and certainly worthy of mention.



Sure, there are things pointing to NK, but I believe this is intentional. Using an IP in NK, or one "associated with NK actors", doesn't prove it is NK. Consider all the discussion about piracy. An IP doesn't prove anything.

I don't think the action was directed clearly by high level NK officials.

Consider: what if the hackers had said "We are NK, war on USA" from the very start. Would that change anything? Nope. Just because something appears to be something doesn't mean it is.

Also, why is the evidence classified? The public already has the leaked data in immense amounts... many groups already have the malware itself that was used... How about they actually show the evidence instead of just pointing fingers.

Anyone can go "yeah it's NK; they do this sort of thing".


> The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don't speak traditional "Korean" in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible.

http://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlike...


That's an uninformed, confused argument. That blogger's links about "traditional" Korean are about a few differences in vocabulary that have developed between North and South. Nothing that would suggest that there are any differences in the characters used to type on a computer. That's because the languages and characters are the same.

BTW, the original investigation on the locale concluded that the UTF-8 character could be decoded with Korean or Chinese locales.

The fact that the hackers were using a Korean (or Chinese) locale doesn't prove that the hackers were Korean, but it also doesn't prove that the hackers were NOT Korean, as this blogger tries to do.
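As an added example (not code from the thread or from any investigation it cites), a small Python check of how many legacy East Asian code pages accept the same raw bytes, which is the ambiguity the comment above describes; the sample byte strings are constructed, not taken from any real binary.

```python
# Added example: the same byte sequence often decodes cleanly under several
# East Asian code pages, so "the strings decode as Korean" is weak evidence
# of the build machine's locale on its own.

# Candidate locales an analyst might try (Python codec names).
CANDIDATE_CODECS = ("utf_8", "cp949", "euc_kr", "gb2312", "gbk", "shift_jis")


def decodable_under(data: bytes, codecs=CANDIDATE_CODECS) -> dict:
    """Return {codec: decoded_text} for every codec that decodes `data` without error."""
    views = {}
    for name in codecs:
        try:
            views[name] = data.decode(name)
        except UnicodeDecodeError:
            continue
    return views


def locale_verdict(data: bytes) -> str:
    """Summarise whether the bytes single out one encoding or fit several."""
    hits = decodable_under(data)
    if not hits:
        return "undecodable"
    if len(hits) == 1:
        return "unambiguous:" + next(iter(hits))
    return "ambiguous:" + ",".join(sorted(hits))


# Constructed samples (not from any real artefact):
# the Hangul syllable "한" as stored under the Korean code page (EUC-KR / CP949 byte pair) ...
SAMPLE_EUCKR_HAN = b"\xc7\xd1"
# ... and the same character encoded as UTF-8.
SAMPLE_UTF8_HAN = "한".encode("utf_8")

if __name__ == "__main__":
    for label, sample in (("EUC-KR bytes", SAMPLE_EUCKR_HAN), ("UTF-8 bytes", SAMPLE_UTF8_HAN)):
        print(label, sample, "->", locale_verdict(sample))
        for codec, text in decodable_under(sample).items():
            print(f"  {codec:10s} {text!r}")
```

The two legacy bytes are valid Korean, Simplified Chinese and even Shift_JIS half-width katakana at once; only the UTF-8 form is unambiguous, and UTF-8 says nothing about locale.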


I don't find that argument very persuasive. First, while there are dialect differences I think this argument significantly overstates them - I think the last answer in this Quora discussion sums it up well, saying that it's like the differences in American and British English - significant, but hardly a serious barrier: http://www.quora.com/Korean-language-1/How-different-is-the-...

It's not like North Korea's government just picks random proles and tells them to start writing malware if they want to keep receiving gruel; anyone engaged in cyber-espionage is going to have a very high security clearance and be well educated by North Korean standards. You wouldn't be surprised by the idea of a KGB officer (or FSB these days) that spoke perfect English, would you? Why is the idea that North Korean spies would be fluent in the dialect/idiom of their own language so hard to swallow? I would imagine that any North Koreans engaged in cyber espionage/security have spent at least some time infiltrating South Korean social networks, to gather intelligence, disseminate subtle propaganda (as opposed to the chest-beating type put out by the official news agencies) and so forth.

I don't know if the Sony attack was carried out by NK or not, but the idea that it could not have been rests on the notion that North Koreans are incapable of social engineering, acquiring language skills beyond their own, or impersonating anyone else for espionage purposes - a modern version of the trope that Russian spies could be quickly detected by the poor cut of their suits.


What OSs have "North Korean" locale and language settings? The Windows 7 PC I'm on now sure doesn't have one (though it does have "Korean"). And if there is no "North Korean" setting available, wouldn't it make sense for them to use Korean, seeing as it's the only other language that uses their system of writing?
