Ex-Worker Theory Casts Doubt on N. Korea as Sony Hacker

At least one former employee of Sony Corp. may have helped hackers orchestrate the cyber-attack on the company’s film and TV unit, according to security researcher Norse Corp.

The company narrowed the list of suspects to a group of six people, including at least one Sony veteran with the necessary technical background to carry out the attack, said Kurt Stammberger, senior vice president at Norse. The company used Sony’s leaked human-resources documents and cross-referenced the data with communications on hacker chat rooms and its own network of Web sensors, he said.

Norse said the findings cast doubt on the U.S. government’s claim that the attack was aimed at stopping the release of “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong Un. The FBI said Dec. 19 it had enough evidence to link the attack to the communist regime, prompting President Barack Obama to vow a response to the cyber-assault.

“When the FBI made this announcement, just a few days after the attack was made public, it raised eyebrows in the community because it’s hard to do that kind of an attribution that quickly -- it’s almost unheard of,” Stammberger said in a telephone interview from San Francisco. “All the leads that we did turn up that had a Korean connection turned out to be dead ends.”

FBI’s Response

The information found by Norse points to collaboration between an employee or employees terminated in a May restructuring and hackers involved in distributing pirated movies online that have been pursued by Sony, Stammberger said. The initial demands by the group calling itself Guardians of Peace were extortion, rather than pulling the movie from release, he said.

“There is no credible information to indicate that any other individual is responsible for this cyber incident,” Jenny Shearer, a Federal Bureau of Investigation spokeswoman, said in an e-mail. The agency based its assessment on information from the U.S. intelligence community, the Department of Homeland Security, foreign partners and the private sector.

The earliest activity by the virus that ravaged Sony Pictures Entertainment’s computers last month can be traced to July, Stammberger said. Norse, founded in 2010, uses a network of more than 8 million honeypots, or software traps that lure in hackers, to track malware activity on the Web, he said.

Norse briefed the FBI on the findings in St. Louis on Monday, Stammberger said.

DarkSeoul

The FBI made its conclusion based on technical analysis and infrastructure used in the attack, it said in the Dec. 19 statement. Sony’s internal probe linked the attackers to an organization known as DarkSeoul, people familiar with the matter have said.

The attackers released private e-mails, employee salaries and health records. They’ve been silent since Dec. 16, even as Sony reversed its decision to cancel the release of “The Interview.”

Sony’s Tokyo-traded shares dropped 4.9 percent in December, ending a six-month rally, and closed at 2,472.5 yen yesterday. Japanese equity markets are closed today. The company’s ADRs fell 2.8 percent in New York trading yesterday.

While the virus used to attack Sony’s computers was coded in a Korean language environment and is similar to the one that struck South Korean banks and media companies in 2013, that’s not enough to link it to North Korea, according to Trend Micro Inc., a developer of security software.

Cruise Missile

The malware is available on the black market and can be used without a high level of technical sophistication, according to Trend Micro’s Tokyo-based security evangelist Masayoshi Someya. It was customized for the company, targeting specific anti-virus software, he said.

“A lot of malware is kind of like a Roomba -- it shuffles around the computer network, bumps into furniture and goes in spirals and looks for things kind of randomly,” Stammberger said. “This was much more like a cruise missile.”

“This malware had specific server addresses, user IDs, passwords and credentials, it had certificates. This stuff was incredibly targeted. That is a very strong signal that an insider was involved.”
