New Sony Hacking Theory: Ex-Employees May Have Been Involved

Print Email
December 31, 2014 by Pavel Alpeyev

At least one former employee of Sony Corp. may have helped hackers orchestrate the cyber-attack on the company’s film and TV unit, according to security researcher Norse Corp.

The company narrowed the list of suspects to a group of six people, including at least one Sonyveteran with the necessary technical background to carry out the attack, said Kurt Stammberger, senior vice president at Norse. The company used Sony’s leaked human-resources documents and cross-referenced the data with communications on hacker chat rooms and its own network of Web sensors, he said.

Norse said the findings cast doubt on the U.S. government’s claim that the attack was aimed at stopping the release of “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong Un. The FBI said Dec. 19 it had enough evidence to link the attack to the communist regime, prompting President Barack Obama to vow a response to the cyber-assault.

“When the FBI made this announcement, just a few days after the attack was made public, it raised eyebrows in the community because it’s hard to do that kind of an attribution that quickly — it’s almost unheard of,” Stammberger said in a telephone interview from San Francisco. “All the leads that we did turn up that had a Korean connection turned out to be dead ends.”

FBI’s Response

The information found by Norse points to collaboration between an employee or employees terminated in a May restructuring and hackers involved in distributing pirated movies online that have been pursued by Sony, Stammberger said. The initial demands by the group calling itself Guardians of Peace were extortion, rather than pulling the movie from release, he said.

“There is no credible information to indicate that any other individual is responsible for this cyber incident,” Jenny Shearer, a Federal Bureau of Investigation spokeswoman, said in an e-mail. The agency based its assessment on information from the U.S. intelligence community, the Department of Homeland Security, foreign partners and the private sector.

The earliest activity by the virus that ravaged Sony Pictures Entertainment’s computers last month can be traced to July, Stammberger said. Norse, founded in 2010, uses a network of more than 8 million honeypots, or software traps that lure in hackers, to track malware activity on the Web, he said.

Norse briefed the FBI on the findings in St. Louis on Monday, Stammberger said.

DarkSeoul

The FBI made its conclusion based on technical analysis and infrastructure used in the attack, it said in the Dec. 19 statement. Sony’s internal probe linked the attackers to an organization known as DarkSeoul, people familiar with matter have said.

The attackers released private e-mails, employee salaries and health records. They’ve been silent since Dec. 16, even as Sony reversed its decision to cancel the release of “The Interview.”

Sony’s Tokyo-traded shares dropped 4.9 percent in December, ending a six-month rally, and closed at 2,472.5 yen yesterday. Japanese equity markets are closed today. The company’s ADRs fell 2.8 percent in New York trading yesterday.

While the virus used to attack Sony’s computers was coded in a Korean language environment and is similar to the one that struck South Korean banks and media companies in 2013, that’s not enough to link it to North Korea, according to Trend Micro Inc., a developer of security software.

Cruise Missile

The malware is available on the black market and can be used without a high level of technical sophistication, according to Trend Micro’s Tokyo-based security evangelist Masayoshi Someya. It was customized for the company, targeting specific anti-virus software, he said.

“A lot of malware is kind of like a Roomba — it shuffles around the computer network, bumps into furniture and goes in spirals and looks for things kind of randomly,” Stammberger said. “This was much more like a cruise missile.”

“This malware had specific server addresses, user IDs, passwords and credentials, it had certificates. This stuff was incredibly targeted. That is a very strong signal that an insider was involved.”

–With assistance from Jordan Robertson in Washington.

Copyright 2024 Bloomberg.
Print Email

Was this article valuable?

Here are more articles you may enjoy.

Study: Average Cyber Breach Insurance Coverage Gap is 350%
The Supreme Court Just Complicated Employer Diversity Initiatives
P/C Insurance Execs, Underwriters Out of Sync on Advanced Tech
New Atlantic Hurricane Forecast Calls for 33 Named Storms

Related Articles

Cyber Victims Warned Against Revenge Hacking
Obama: Sony Pictures’ Hacking an ‘Act of Cyber Vandalism’
Sony Studio Cyber Attack Costs Could Hit $100 Million Mark
BlackBerrys Could Serve As Cyber Security Solution
Hacking Attacks That Destroy Data More Widespread Than Realized
Former Sony Workers Suing Over Unprotected Personal Info
North Korea May Have Had Outside Help in Sony Pictures Hacking
Sony Pictures Enlists Employees to Screen for Stolen Data Use

Our Contributors

Meghan ParrillaHow Apprenticeship Programs May Be the Best Solution to Today’s Talent Crisis
James GammellViewpoint: Risks for D&O Insurers Exploring the New Frontier of Gen AI
Shannon ShallcrossViewpoint: You’re at a Competitive Disadvantage If You’re Not Innovating
William SteenbergenThe Insurance Data Paradox: Structure Creates Flexibility
Richard CoyleMany Businesses May Not Be Protected Against Losses From Snow Melt Floods
See All Our Contributors