A month ago, Americans were hanging on every Pastebinned word of a shadowy hacking collective known as Guardians of Peace that had brought Sony—and maybe even a country—to its knees. It was one of the most thorough hacks ever perpetrated on a company. The GoP promised terabytes upon terabytes of data, destructive attacks, and more leaks.
And now, nothing.
To anyone who followed the hack, there are still plenty of outstanding questions.
The more we learn about it—the New York Times just reported that the NSA tapped North Korea and ostensibly knew about the hack as it was happening—the more questions there are.
The Times quotes an intelligence official who said that the Sony hack did indeed come from North Korea, but that "it didn't set off alarm bells" at the agency, so the NSA didn't alert Sony to the hack. Surely, this is the sort of thing the NSA would be monitoring?
I spoke to four separate security analysts, who have all been studying this hack very, very closely. They all gave me wildly different answers and theories as to what might be going on here. The unfortunate and dissatisfying answer is that we may not ever learn more about the Guardians of Peace or the full extent of the Sony hack.
But let's at least explore what we know we don't know, because this hack may be over, but its impact on American politics and the entertainment industry isn't going to end anytime soon.
Who are the Guardians of Peace?
Many in the security industry have said that it doesn't really matter at this point, and we don't know:
"I am hoping the whole conversation continues to shift towards the how and away from the who," Marc Rogers, a security researcher for CloudFlare and a hacker on the review board of the annual DEFCON hacker conference, told me. "Even if it was a nation state with some magical zero day [a hack that exploits a previously unknown vulnerability], that doesn't explain why Sony was ignoring so much well-established security best practice. Why data exfiltration of this scale wasn't detected. Why billion-dollar companies can still be brought to their knees with a single phishing email."
That said, the who certainly does matter, because there are two very different lines of questioning that arise, depending on who did the hack.
"I still think it's unlikely it was North Korea," Rogers said. "My best guess these days is that Sony was completely owned, probably by several different groups, and that one of them might be affiliated with North Korea isn't a huge stretch."
That multiple-hackers theory is a pretty new one—and really just underscores how little we know: "talking about shadowy figures we will never be able to prosecute isn't going to get us any closer to a solution," Rogers added.
If it was North Korea
Why didn't the NSA stop this hack? Why didn't the NSA at least alert Sony it was happening?
This is a huge question. Robert Kalinofski, a consultant with Carbon Dynamics security firm who used to work in the government, told me that the NSA may have not wanted to compromise its mission in North Korea. He said that the government regularly watches governments and hacking collectives attack American companies without doing anything, in hopes of eventually catching a bigger fish. But a hack of this size certainly seems to be the kind of thing that such surveillance is designed to do.
"If the NSA was in the networks and saw it, one might have expected some level of disruption to stop such a breach, or at least minimize it. This could be done by notifying Sony in a manner that wasn't attributable to the agency, or doing something to directly impede the attacks in a transparent manner to Sony," Brian Martin, CEO of Attrition, one of the world's most famous and longest-lasting hacker and security information websites, told me. Martin has done most of his Sony hack analysis with Risk Based Security. "As we saw, it took very little for a known DDoS group to drop most of NK off the Internet with a small saturation attack. What good is a government agency that can break into these networks and see bad things happen, but doesn't do anything to stop it?"
Kalinofski disagrees, sort of. He told me that, if North Korea contracted mercenary hackers to carry out the attack, the NSA would have only had other forms of evidence that the hack was happening. Maybe enough to attribute the crime to the country, but not enough to stop it as it was happening:
"More than likely, if in fact North Korea hired another entity to perform this hack, the NSA intercepted proof of payment or some sort of communications related to the event, versus being so embedded that they saw this all going down live," he said.
Why did the leaks stop coming?
Again, there's disagreement.
"If GoP was sincere, then leaks would stop when Sony announced it was pulled… then start up again when released," Martin said.
North Korea has generally had a don't-give-a-damn attitude about pissing off the international community, so why wouldn't the country, after Sony released The Interview, say screw it all to hell and release everything? Kalinofski says that North Korea may have seen an out while it still has plausible deniability.
"North Korea is never going to take ownership of this ever. They want the ability to go in front of the United Nations Security Council and claim they're being treated unfairly and unjust," Robert Kalinofski told me. "With a ballistic missile, they can't do this, but with the hack, they can."
If it was independent actors
How much did the hackers take?
News reports have suggested that there were terabytes of data stolen. There's no proof of that, but all the analysts I spoke with seem fairly confident that the hackers certainly had and have more information that hasn't been released. Rogers said that the company was so thoroughly owned, that the hackers were in the system so long, that there has to be more.
"I think it's probable that the attackers could have downloaded anything they wanted," he said.
"When you combine that with the fact that the attackers were clearly inside Sony for months, terabytes of data does seem like a very real possibility," Rogers added. "If so the rest of that data—all the rest of the employee emails, all of Sony's digital IP, from films to scripts, the rest of Sony's financial data, the rest of Sony's contracts—it's all probably still out there somewhere."
Why hasn't more come out then?
This is the main line of questioning that led me down this path in the first place, and this is where things start to make sense, as long as you buy the idea that North Korea was not involved.
"One thing to keep in mind for high-profile breaches where the attackers have a very public face, is that as the attention to their activity grows, the more concern they have over being caught," Martin said.
"After breaching Sony, exfiltrating that much data, and disclosing embarrassing private emails, the hackers may have received the best Christmas present they could have asked for; most of the world blaming someone other than them. Once the blame was placed solely on North Korea, it increased the chance that they would not be discovered," he added. "It was the perfect time to go low profile and let the game play out with almost everyone looking in the wrong direction."
And it's not just the FBI. Kalinofski says that, once the hackers threatened physical violence, things may have gotten just a bit too real for them.
"If you noticed, the leaks stopped after the threat of physical terrorism. When you're committing white-collar crime and hacking companies and releasing docs, you've got the FBI on you. When you make a physical threat on American soil, you now gain the attention of every intelligence apparatus across the globe," he said. "It's not an FBI van showing up at your door, it's special forces."
Or, maybe, the hackers disclosed everything that was embarrassing to the company. Adrian Sanabria, an analyst at 451 Research who has written extensively about the hack, raised a good point: "The adversary could have run out of useful ammunition."
"Though they claimed to have grabbed 111 terabytes of data, the rest just didn't carry the firepower of what had been previously released," he said. "All the aces had been played. Perhaps they were tired of reading the personal communications of the rich and famous."
We don't know what happened, and we're likely to never know what happened. But there's no harm, I guess, in a bit more speculation.