Sony, the DPRK, and the Thailand - Pyongyang Connection

UPDATE (19DEC2014 1725PST)
I'm top-posting this update because I've just learned of some new information about Loxley Pacific which makes me believe that the Loxley-DPRK connection should be investigated in a more rigorous fashion. This comes from Don Sambandaraksa's Bloggery article "Loxley and the Thai way of doing things":
"(I)n April 2003 a company in Japan, Meishin, attempted to export parts for nuclear centrifuges to North Korea. The intermediary was a Thai telecom company, Loxley Pacific, and the consignment was declared as telecom equipment in an attempt to avoid scrutiny."
"The sad thing was that because of the proper and elite image of Loxley in Thailand, the news blackout was almost absolute within the country. Editors did not wish to make an enemy of Loxley as their owners, the Lamsum family, have a banking, food, commercial and advertising empire that is no less omnipresent than that of True and CP owned by the Chearavanont family. Only the Lumsums prefer to keep themselves to themselves unlike the publicity hungry Chearavanonts."
"No publication would risk losing their advertising income by pointing out that they were part of North Korea’s nuclear program. No politician would dare to lose party funding by taking them on - the Lumsums were the fifth largest official donor to the Democrat party. The Chearavanonts, meanwhile, topped the 2011 list."
"The Bangkok Post’s Post Database section ran the story, but what should have been front page news on every newspaper in the country was instead run as a story on the back page of the the technology section. Such was the scale of denial."
The above is just a snippet of Don's full article which discusses Loxley, its subsidiary Loxley Pacific, and its sale to North Korea of a GSM network and an ISP. If Don is correct in his assessment about Loxley's political influence in Thailand and its deal-making with insiders, then chances are good that Loxley's own network is extremely vulnerable to being breached (who would be brave enough to tell the CEO?). Post-breach, it could be used as a vector to access North Korea's mobile and Internet networks. Anything the attackers do after that would be blamed on Pyongyang - no questions asked.

[Original Post Begins Here]
The White House appears to be convinced through "Signals intelligence" that the North Korean government planned and perpetrated this attack against Sony:
In one new detail, investigators have uncovered an instance where the malicious software on Sony’s system tried to contact an Internet address within North Korea
There is a common misconception that North Korea's ITC is a closed system therefore anything in or out must be evidence of a government run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. Those companies are:
  • Lancelot Holdings
  • Loxley Pacific 
  • Shin Satellite Corp
  • Orascom Telecomms Holding
Each offers a different service, but Loxley Pacific, a Thailand joint venture involving Loxley (Thailand), Teltech (Finland), and Jarangthai (Taiwan). 

Loxley Pacific is a subsidiary of Loxley, a Thai public company that provides a variety of products and services throughout the Asia Pacific region. According to its 2013 annual report, Loxley has 809 permanent staff and 110 contract staff. 

Loxley Pacific provides fixed-telephone lines, public payphone, mobile phones, internet, paging, satellite communications, long-distance/international services, wire or wireless in the Rajin-Sonbong Free Economic and Trade Zone. Star JV is North Korea's internet service run as a joint venture between the North Korean government and Loxley Pacific.

One of the easiest ways to compromise the Internet backbone of a country is to work for or be a vendor to the company which supplies the backbone. For the DPRK, that's Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices.


This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony's network. That in addition to the fact that the attackers never mentioned the movie until after the media did pretty much rules out "The Interview" as Pyongyang's alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific's network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK's network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government.

Under international law, "the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State" (Rule 8, The Tallinn Manual). The White House must responsibly evaluate other options, such as this one, before taking action against another nation state. If it takes such action, and is proved wrong later, which it almost certainly will be, the reputation of the U.S. government and the intelligence agencies which serve it will be harmed.

RELATED:

"Sony Hacker Language Analyzed" - Language Log article by Victor Mair
"Sony, the DPRK, and the Thailand - Pyongyang Connection" by Jeffrey Carr
"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence  Tallinn, Estonia. 

Comments