A Geography of Cyber Crime

In light of recent events at Sony Pictures I thought I would offer my nickle’s worth of commentary, layout some geography, and point out some, well absurdities.

Maybe the absurdities should come first. Then, I can use some of these irrational statements as fodder for later geographic tie-ins. I’m not sure even where to start, as Sony appears to have gone screaming off into the woods like a teenager at Camp Crystal Lake.

One of the most glaring omissions I have noticed is the lack of any sort of commentary coming from Japan. Why Japan? Sony one of the most respected corporate names in Japan.

  1. Fortune: #7 (#1 is Nippon Steel; 2012)
  2. Reputation Institute: #5 (ties for 1st & 3rd; 2014)
  3. Wall Street Journal: #6 (2009); #8 (2010)

In some particular sectors, like consumer electronics, Sony is #1, ahead of Canon, Toshiba, and Fujitsu.

But, I don’t think I answered the question. Why Japan? Sony Pictures USA is a subsidiary of Sony, International, and thus a Japanese company. While Sony Pictures USA might have been the immediate victim of this hack, the real victim is Sony Corporation.

What I have seen very little of in the media is a media source, like CNN, Time, the Washington Post, the New York Times, or NPR inquire as to Japan’s silence.

Japan is not silent, though, simply being very quiet and reserved. Reuters features a 12-22-2014 story detailing Japan’s notable discretion about Sony’s hack. North Korea has a history of abducting Japanese people from beaches. In 2002, North Korea admitted to kidnapping 13 Japanese citizens and using them to help train North Korean spies (The Economist 10-2014). North Korea released 5 Japanese citizens and claimed the remaining eight were dead.

Let’s just say that any North Korea suggestion the United Nations should sanction the United States on the recent Torture Report should also reflect back upon the DPRK, too. Those who live in Glass Houses, right? North Korea really seems to be a parody of itself at times, calling for sanctions against the United States all the while stealing Japanese citizens off their beaches, torturing them, returning 5 “plus their families”. . .what?! Where did these families come from? And, then unable to return the remaining eight people on account of “they’re dead, so. . .shrug.

Bloomberg recently presented a graphic which seems to demonstrate how insignificance Sony hack when compared to other hacks. “Only 47,000 records were stolen.” Big deal, right? Just a few measly emails and a Powerpoint. Heh; Sony wishes. This is perhaps a good reason why people should not get their technology knowledge from a financial company. Bloomberg seems to have missed the bigger issue.

According to Wired, a far better source of tech news and knowledge in my opinion, about 40Gb of data was stolen from Sony USA (“What We Know;” Wired; 12-2014.) Bloomberg’s graphic seems to have focused solely on user data, passwords, credit card info, and personal information and essentially said, “Uh, we don’t know about this 40Gb of data stolen, what it could be, or how significant it could be, so let’s just pretend it doesn’t exist.”

Forty gigabytes sounds like a considerable amount of stuff to me. Depends on what is in that 40Gb, though. User information does not consume much space, depending on the file formats; maybe a couple of hundred megabytes. However, once we cross into GigabyteLand, things get interesting. Are new PS4 games, new Sony Pictures movies, source code for certain products, beta versions of software, etc. hiding inside the 40Gb? The possibilities are pretty interesting, actually.

Before I move on to the geography, I have a few other concerns to get off my chest.

First, Sony did make a mistake in not releasing “The Interview.” Wait, I need to amend that: “Sony made numerous mistakes in not releasing “The Interview.”

  1. Sony obviously has network security problems. The current episode is only the latest, not the first.
  2. Sony needs to consider the probability their network infrastructure has been compromised from the inside. Not merely based on this latest success but on the shear preponderance of episodes.
  3. Sony blamed movie theaters (Variety, 12-2014) for forcing them to remove “The Interview.” Clearly, this was false. Several theater owners have come forward stating it was Sony who pulled the movie, not theaters refusing to show the movie.
  4. Sony blamed the United States government for not helping them fast enough. Really? Sony, you have been seriously hacked more times than the George Washington’s proverbial “cherry tree.” (2011 & attrition.org);  No doubt, government and corporations need to work on some form of cyber-attack monitoring and response system. However, this is nothing new. Sony clearly is not handling technology well, in spite of being a technology company.
  5. Sony has yet to act like an adult and assume responsibility for numerous oversights and boorish behavior. Sony simply should have said,

    “We made a mistake. We should not have capitulated to the #GOP. Furthermore, we allowed a toxic environment to erode our brand. We have disrespected those under contract to us. We have not protected our personal information and have not taken appropriate measures to protect the information of our consumers. We clearly need evaluate many of our internal relationships, our internal processes, and engage in correcting these technological gaps. We apologize for our actions and for assigning blame to our business partners, actors, and associates.”

    Instead, Sony acts like an irresponsible child, pointing fingers at others parties and lying in juvenile attempts to deflect responsibility.

  6. Sony does not need a partner to distribute the movie online. All of Sony’s rhetoric, “Oh, maybe we will release the movie online, but no one will help us! Please help us, somebody!” is utter nonsense.  Sony owns Crackle, an online movie streaming service. If a viewer can stream the comedic fashion of Jack Black and Michael Cera in “Year One,” I’m not sure what is stopping Sony from posting “The Interview.”

Is the culprit really North Korea?

The FBI seems so sure about the attack coming from North Korea. (Re/code 12-2014)

“As a result of our investigation, and in close collaboration with other U.S. Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the FBI said in a statement.”

I’m not a security expert, to be clear, but the analysis performed appeared to occur really fast. Typically, the postmortem of a hack attack can take weeks, if not months, to really pinpoint where the attack originated. In 2009, the New York Times published a map illustrating the number of infected computers globally.

SonyHack-GhostNetOf course, this map is 5 years old. One of the traits illustrated, though, is how distributed infected computers are, plus how many computers are infected. South, Southeast, and East Asia is obviously a hotbed of infected computers. The United States has its fair share. Europe is hard to read, but if the EU was considered rather than each country, the proportional circle would be much larger, for sure. Since the EU has a combined population about 33% larger than the United States, and working from the assumption “people are people,” I would guess the EU may have more infected computers than the United States.

The problem with rapidly announcing North Korea as the culprit is rife with flaws. Tracing cyber attacks is hardly easy or straight-forward today due to the shear number of zombie computers and infected servers. I remember being hacked in the mid-1990s. In those days, determining the attacker’s locations was fairly self-evident. I could check my server logs for access and run a couple traceroutes. I had hackers based in Hungary, the new Czech Republic, plus China. I was running IBM AIX servers at the time, fully patched and updated. I discovered one day one of my servers had a hidden fileshare someone in Romania was using. Come to find out, I had an open port I didn’t really need open and the Romanian hacker had taken advantage of my lack of knowledge (I was a relatively new and lone sysadmin at the time). Valuable lessons learned.

But, how did I know where these hackers were located? The Internet is based on Internet Protocol (IP) addresses. Every country has some addresses. Every place and every organization within a country has some connection to a parent IP address. By checking international IP codes, a person can trace incoming and outgoing network traffic by the IP address. In the 1990s, network traffic was nowhere near as complex as today. Furthermore, the numbers of computers while large, was not what it is today. Thus the ability to infect millions of computers didn’t really exist like it does today. A hacker could infect thousands, maybe hundreds of thousands. Millions of infected computers took serious, coordinated effort. (“Computer Security Hacking History;” wikipedia)

The FBI has been boasting its own findings, pinning the Sony hack on North Korea. The problem with doing so is, “What is the FBI is wrong?” But, that really isn’t my point. My point is, “How can they be so satisfied they are correct?”

First, North Korea has but one physical connection to the world’s Internet backbone. One. A single solitary connection. All of the Internet Security World knows this.

Read: “Your Friendly North Korea Network Observer

Read: “A Lot of Smart People Think North Korea Didn’t Hack Sony” (Gawker)

Read: “FAUXTRIBUTION?” (Krypt3ia)

The bottom-line is discovering the source of the Sony attack coming from inside North Korea would be pretty much a no-brainer. Except that is not what the evidence shows. The SonyHack was by far more sophisticated than simply a bunch of North Korean hackers sitting around in a state-sponsored cafe cracking into Sony. The reality is, this wasn’t simply a bunch of North Korean hackers cracking into a vulnerable server in Thailand and then cracking into Sony.

Read “FAUXTRIBUTION?” above to really get into the nuts and bolts. Not that the FBI is wrong; I just don’t see any evidence they have addressed the real root of the SonyHack. Not based on what evidence they have released nor on the analysis by security analysts of the FBI evidence. Of course, they could be withholding evidence – but why?

Here are a few of the addresses the FBI has culled from internet traffic associated with the SonyHack.


None of these appear to originate in North Korea. As Krypt3ia notes in the commentary, these are probably proxy sites responsible for routing traffic.

Countries with loose digital laws or with few enforcement resources to pursue the misuse of digital traffic tend to be common locations for nefarious activity, i.e. Poland, Italy, and Bolivia. Singapore typically takes a very harsh stance on misuse of internet resources. As of the date of the post, the United States computer complicit in the SonyHack was still up-and-running. Perhaps to encourage the hackers to keep using it, maybe.

Sony thinks this is an “Act of Cyber War,” as does Sen. John McCain. (HuffPost) With all due respect to John McCain, we really aren’t sure this attack even originated with North Korea. Furthermore, we need to tread carefully about calling every hack attempt an “Act of War.”

I don’t want to live in a world where every single action becomes an “Act of Terrorism,” or an “Act of War.” Our leaders cannot and should not declare and classify every single event against a person, a company, an organization, a state, a government, as an “Act of War/Terrorism.” Doing so means our entire global will live under the Cloak of Inscrutable Authority and our freedoms will continue to erode under the guise of “protecting people from people who our government says are evil.”

The SonyHack was surely espionage, surely a criminal act, and no doubt damaging to Sony USA. However, they are complicit in their own damage based on their own negligence. But, certainly not an act of war.

There have been other hacks, though, which may truly have been acts of aggression.

In 2007, Estonia was essentially closed-off from the internet by. . .even today, analysts aren’t entirely sure. (“2007 Cyberattacks on Estonia;” wikipedia) Estonia blamed Russia. Russia said, “Hey, watch who you point fingers at. We provide you your energy. And, it wasn’t us.” However, shutting down the Estonian internet does appear to have connections to the Russian Duma, their legislature. Evidence is spotty.

When a country’s energy supply and communications networks are tampered with, one could make an argument for cyber-war.

In 2011 Norwegian oil companies were hit with a “spearphishing” attack. (NetworkWorld; 2011) “Phishing” employs sending out huge amounts of spam and hoping to get a small percentage of people “biting,” and then their computers are infected. “Spearphishing” is targeted at specific people, like CEOs, and enticing them to do something stupid, like “click here to verify your account information.” The received email may even come via a trusted source.

In 2008, the Baku-Tbilisi-Ceyhan (BTC) pipeline was sabotaged by a mysterious explosion. (Eurasianet; 12-2014) The BTC pipeline was built to help the Caucasus region and eastern Turkey become less reliant upon Russia petroleum. According U.S. intelligence software was installed which shutdown alarms and allowed pipeline pressure to build which resulted in pipeline damage.

Recently, a German steel company was the target of hackers. (ITWorld, 2014) Again, using a spearphishing attack, hackers were able to gain access to computers running blast furnace. By tampering with the software controls, the hackers were able to bring “massive damage” to the facility.

Last, but not least of all, who can forget Stuxnet? (“Stuxnet;” wikipedia) In 2010, Stuxnet was all the rage. Stuxnet was running rampant throughout Iran, causing all sorts of mayhem. Even today, no one really knows the true source of Stuxnet. However, many analysts suggest no countries other than Israel and the United States could have created a piece of malware so deviously sophisticated.

Of course, there are other traces of hacking to support real war. The Syrian Civil War is an example of using hacking to open another front. The Syrian Electronic Army is a pro-Assad “collection of hackers and online activists.” (The Atlantic; 8-2011) The SEA has gone after The Atlantic magazine and many governments in the Middle East, from Tunisia, Egypt, Libya, to Al Jazeera, BBC News, and Facebook.

Hacking in all forms, cannot be simply classified as “terrorism,” or an “act of war.” How does one go about declaring war on a collection of people, scattered about the globe, who collectively engage in criminal actions against a person, a place, a thing, or idea? What if the next hack is the effort of one person in Croatia? Or, if the next hack is organized by like-minded individuals residents of several countries, similar to Anonymous? The United States cannot declare war on Thailand, Cypress, Poland, Australia, Germany, the Czech Republic, plus Canada and itself simply because the perpetrators call those countries home. To do so is not only not rational, but really, really dangerous to all freedom-loving people everywhere.

Hopefully, I have drawn out some of the geography lodged in all of the hub-bub surrounding the SonyHack. The Internet is geography, and geography is part and parcel of the Internet. I perhaps am guilty of a little hyperbole by injecting my own personal sentiments. I do not like to internalize some of the nonsense and what I see is a lack of critical thinking on the part of our media; and I also see too much willingness of governments to drape “national security” cloaks over circumstances. The cloaks then prove nearly impenetrable and our republic-based democracy suffers from the lack of transparency. And, there I go again.

Thanks for reading. Hope everyone has a safe and relaxing holiday season – until you are notified in March by Home Depot and Wal-mart 300 million sales records were stolen by the Colbert Nation Liberation Front.


Hey; Thanks for taking the time to leave a comment! Your feedback is greatly appreciated!

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s