Adam Segal for posting a link to a fascinating Wall Street Journal piece titled Sony Hackers May Have Left Deliberate Clues, Expert Says. From the story by Jeyup S. Kwaak:
Apparent slip-ups by the hackers of Sony Pictures that have helped convince U.S. investigators the hackers are North Koreans have a precedent, and may even have been deliberate to win domestic kudos, according to a top cybersecurity expert and former senior North Korean official.
The head of a group of hacking experts that have analyzed previous suspected North Korean cyberattacks on South Korea said a record of a North Korean Internet address was also left in a 2013 attack on Seoul because a detour through Chinese servers was briefly suspended, exposing the origin of the incursion...
Choi Sang-myung, who is also an adviser to Seoul’s cyberwarfare command, said... [w]hile it was impossible to prove whether the hackers left evidence by mistake or on purpose, that they didn’t fully cover their tracks could mean North Koreans wanted to be known...
That theory is supported by Jang Jin-sung, a former official in North Korea’s propaganda unit, who says North Korean hackers likely have an incentive to leave some evidence because officials often secure promotions after a successful attack against enemies.
“People fiercely compete to prove their loyalty” after an order is given, he said. “They must leave proof that they did it.”
These are fascinating comments, from people who understand the DPRK hacking scene better than critics of the FBI attribution statements.
This theory suggests that DPRK intruders may have incentives to break operational security ("OPSEC" or "opsec"), and that they were not merely "sloppy," as FBI Director Comey described them yesterday.
In the 2013 Mandiant APT1 report I suggested the following language be used:
These actors have made poor operational choices, facilitating our research and allowing us to track their activities.
In the case of Chinese PLA Unit 61398, I think the OPSEC failures were unintentional. Others theorized differently, but the Chinese have fewer incentives to reveal themselves. They want information, above any other consideration. They would rather not have victims know who is stealing their trade secrets, commercial data, and sensitive information.
Intrusions into critical infrastructure, confirmed in an open hearing in November 2014 by NSA Director Mike Rogers, might be a different case. If a nation state is trying to signal power to an adversary, it will want the adversary to know the perpetrator.
In the case of DPRK intrusions, North and South Korean sources explain that DPRK hackers have tangible incentives to reveal their identities. Apparently hacking for the government is one ticket to a marginally better life in North Korea, as reported by Newsweek.
All of this demonstrates that technical indicators are but one element of attribution. The personal incentives facing individual intrusion operators, not just national ones, should be part of the attribution equation too.
Remember to read Attributing Cyber Attacks by my KCL professor Thomas Rid, and fellow PhD student Ben Buchanan, for the best modern report available on attribution issues.
Update: Thanks to Steven Andres for pointing out a link mistake.