The sweeping conclusion by President Obama and the FBI last week, blaming North Korea for the Sony hack, was clean and, to many, wholly satisfying. It’s unusual that a huge cyber-crime is solved so definitively and so quickly. It felt like something out of the movies.
But cyber-sleuths unaffiliated with the U.S. government, who are conducting their own investigations, have uncovered some clues that suggest there was more to the attack. A group of "hacktivists" who have been targeting Sony for years, including in the 2011 attack that took down the PlayStation Network, may have also played a role.
The hacker group Lizard Squad may have ties to Guardians of Peace, the group claiming responsibility for the latest Sony attack, according to research from IntelCrawler, a Los Angeles cyber-intelligence firm. Online postings from members of each group use similar language and slang. They cross-post on one another's social-media accounts, make similar extortion attempts, and carry out attacks on almost identical timelines.
The connections suggest that North Korea and hacktivist groups could have worked together on different parts of the Sony Pictures breach, or there may have been overlapping attacks, says Dan Clements, president of IntelCrawler. Both groups have said they are preparing Christmas surprises for Sony. Lizard Squad posted to a now-suspended Twitter account, saying it's "working together with #GoP on a Christmas project."
"These gamers had been trolling Sony for years," Clements says. "They had compromised credentials; who knows who they shared that with in the underground?"
In past breaches, Sony had come under fire from multiple groups at the same time. Sony was warned in late 2013 that hackers were stealing gigabytes of data from its network several times a week, underscoring a pattern of security lapses that predated the recent attack, Bloomberg News reported. At least three hacking groups had infiltrated the PlayStation Network at the time of the 2011 hack. The one that did the most damage was a Russian cyber-crime ring that had been inside the network for at least two years, stealing and reselling video games.
Tracking hackers is tough. Because of advances in hacking capabilities, it's often difficult to tell the difference between state-sponsored attackers and independent groups, says Bruce Schneier, a prominent cyber-security author, blogger and chief technology officer at Co3 Systems. He says he's "deeply skeptical" that North Korea is behind the Sony attack. "Hackers have loved to hate Sony for a decade," Schneier says.
The FBI’s statement blaming North Korea for the Sony attack contained little concrete evidence, which leaves open the possibility that multiple actors could have been involved, Schneier says. "We actually don't know what the evidence is," he says.
But the U.S. does claim to have evidence it's not sharing publicly. Forensic research done after an attack on a network as large as Sony's has flaws of its own, says Rob Lee, a U.S. Air Force Cyber Warfare Operations officer and co-founder of Dragos Security. "Malware creators very commonly share pieces of malware; they very commonly share capabilities," Lee says. "Just doing pure technical analysis is very limiting for that reason."
The Sony Pictures hackers reused at least six components from previously known malware, according to Israeli security company CyActive. The research community is calling on the U.S. government to reveal more of what it knows about the hack, which resulted in massive leaks containing unreleased films, inflammatory e-mails and employees' medical records.