
What If North Korea Wasn’t Behind the Sony Hack?

Security firms suggest alternate narratives, including a disgruntled insider or maybe even the Russians.


From the moment the Federal Bureau of Investigation identified North Korea as the culprit behind the devastating cyber attack on Sony Pictures Entertainment, private security experts not employed by the studio have sprung into action, spinning alternative narratives about what might have happened.

They have dissected what little the FBI has disclosed publicly — and have found the explanation wanting.

The latest theory, presented to the FBI on Monday, blamed the attacks on one or more insiders working in concert with known hackers.

It doesn’t help the U.S. government’s cause that North Korea has denied any involvement in the breach that saw the unprecedented disclosure of private corporate data, including embarrassing emails, details of confidential business plans and information about its current and former employees. Sony initially canceled the Christmas Day release of the film that became the focus of the hackers’ demands, “The Interview,” after the Guardians of Peace hacker group made threats with terrorist undertones. But the studio subsequently released the bawdy R-rated comedy about a fictional CIA-backed plot to assassinate North Korean leader Kim Jong-un in some 300 independent theaters and online.

As late as Tuesday, the FBI reaffirmed its conviction that the Hermit Kingdom is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment.

“Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector,” the FBI said in a statement to Re/code. “There is no credible information to indicate that any other individual is responsible for this cyber incident. The FBI is committed to identifying and pursuing those responsible for this act and bringing them to justice.”

The FBI said its investigation is continuing and added little else to bolster its belief, leaving plenty of room for alternative narratives. Here’s how it breaks down:

Kim Jong-un, seriously?

Marc Rogers, principal security researcher at CloudFlare and director of security operations for DefCon, an annual hacker convention, remains skeptical of the North Korean connection. He said the FBI’s announcement that it had identified the attacker, within weeks of the massive breach becoming public on Nov. 24, got his “spider sense tingling.”

“It’s just too quick,” Rogers said. “Digital forensics is one of the hardest sciences out there. It’s the ultimate game of needles in haystacks.”

The evidence the FBI publicly cited in tying Pyongyang to the hack was flimsy, Rogers said. For example, the agency said the malware found in the course of the Sony attack is similar to the malicious software North Korean sympathizers employed elsewhere — notably, in the massive Dark Seoul cyber assault in 2013 that nearly brought the South Korean capital to its knees.

The software DNA may be there, Rogers notes. But that’s hardly the incriminating fingerprint on the gun found at the crime scene, because such malicious code is sold or leaked on Internet forums, where it is readily available to wannabe hackers, he said.

“The similarity between two pieces of malware doesn’t tell you they came from the same author,” Rogers said. “They just have access to the same information — maybe they hang out in the same forums.”

Even the Internet addresses of the computers used to launch the assault are ones routinely used to send out spam or malware.

“Those are well-known proxies used by cyber criminals,” said Rogers. “Is it plausible the North Koreans are using well-known criminal haunts? Yeah, it’s plausible … but not definitive.”

An inside job?

Representatives of another security firm said they met with FBI investigators Monday to present the results of the firm’s own independent analysis, which ties the breach to a disgruntled former Sony employee dubbed “Lena” and members of a now-disbanded splinter group of Anonymous called LulzSec.

Kurt Stammberger, a senior vice president with the cybersecurity firm Norse, said a team of counterintelligence analysts began examining leaked documents and combing through conversations in online forums and chat rooms to see if the evidence supported the U.S. government’s narrative that North Korea masterminded one of the most destructive hacks in corporate history.

“The answer to that question was no — we couldn’t find any data to support that,” Stammberger said.

What Norse’s researchers found, instead, was a 10-year veteran of Sony Pictures with a technical background and access to the studio’s networks who was laid off this spring, and individuals previously associated with LulzSec, which claimed responsibility for a 2011 attack on the Sony Pictures website.

“The data we dug out seems to better support this idea that one or more individuals that were either fired or laid off by Sony during the May 2014 restructuring were sufficiently pissed off to share their inside knowledge of the Sony network and credentials with members of this hacking group,” said Stammberger.

Stammberger declined to describe what information connected this former employee with the hackers — only that Norse turned over its evidence to the FBI this week. But he said it’s clear the attackers had some kind of inside assist: The malware used to infiltrate Sony’s corporate network had the addresses of individual computer servers written into the code.

“This was super-duper targeted. That’s why it was so effective,” Stammberger said. “They knew precisely how Sony’s network was architected, exactly where all of its critical data was kept. That’s why so much of their data has spilled out onto the Internet.”

Blame it on the Russians

One group of cyber security consultants used linguistic analysis to attempt to pinpoint the hackers’ country of origin.

Taia Global Chief Executive Jeffrey Carr said his firm analyzed the 20 messages left by the Guardians of Peace to determine the whereabouts of the cyber criminals. It identified words, phrases and grammatical structures that appeared to have been written by non-native English speakers. Then, it compared the vocabulary and sentence construction to that of Korean, Mandarin Chinese, Russian and German.

The analysis revealed that the hackers were most likely Russian.

“The Russian language fits the linguistic profile exactly,” Carr said. “Korean is still possible — but much less likely.”

This article originally appeared on Recode.net.
