Security firm casts doubt on claim that North Korea hacked Sony

The Sony Pictures Studios building in Culver City, Calif.
Damian Dovarganes/AP/File
The Sony Pictures Studios building in Culver City, Calif.

At least one former employee of Sony Corp. may have helped hackers orchestrate the cyber-attack on the company’s film and TV unit, according to security researcher Norse Corp.

The company narrowed the list of suspects to a group of six people, including at least one Sony veteran with the necessary technical background to carry out the attack, said Kurt Stammberger, senior vice president at Norse. The company used Sony’s leaked human-resources documents and cross-referenced the data with communications on hacker chat rooms and its own network of Web sensors, he said.

Norse said the findings cast doubt on the US government’s claim that the attack was aimed at stopping the release of “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong Un. The FBI said Dec. 19 it had enough evidence to link the attack to the communist regime, prompting President Barack Obama to vow a response to the cyber-assault.


“There is no credible information to indicate that any other individual is responsible for this cyber incident,” Jenny Shearer, a Federal Bureau of Investigation spokeswoman, said today in an e-mail. The agency based its assessment on information from the US intelligence community, the Department of Homeland Security, foreign partners and the private sector.

Get Today's Headlines in your inbox:
The day's top stories delivered every morning.
Thank you for signing up! Sign up for more newsletters here

Public Sources

Much of the information from outside firms about the Sony hacking comes from public sources, such as by monitoring Internet traffic and posts to social-media accounts, and can be speculative.

Norse, founded in 2010, says it monitors live hacking threats through a network of sensors that are designed to be attacked and relay threat information.

The FBI’s Dec. 19 announcement “raised eyebrows in the community because it’s hard to do that kind of an attribution that quickly -- it’s almost unheard of,” Stammberger said in a telephone interview from San Francisco. “All the leads that we did turn up that had a Korean connection turned out to be dead ends.”


The information found by Norse points to collaboration between an employee or employees terminated in a May restructuring and hackers involved in distributing pirated movies online that have been pursued by Sony, Stammberger said. The initial demands by the group calling itself Guardians of Peace were extortion, rather than pulling the movie from release, he said.

July Timeline

The earliest activity by the virus that ravaged Sony Pictures Entertainment’s computers last month can be traced to July, Stammberger said. Norse uses a network of more than 8 million honeypots, or software traps that lure in hackers, to track malware activity on the Web, he said.

Norse briefed the FBI on the findings in St. Louis on Monday, Stammberger said. Joshua Campbell, an FBI spokesman in Washington, declined to comment when reached by e-mail.

The FBI made its conclusion based on technical analysis and infrastructure used in the attack, it said in a statement. Sony’s internal probe linked the attackers to an organization known as DarkSeoul, people familiar with matter have said.


Cruise Missile

The attackers released private e-mails, employee salaries and health records. They’ve been silent since Dec. 16, even as Sony reversed its decision to cancel the release of “The Interview.”

While the virus used to attack Sony’s computers was coded in a Korean language environment and is similar to the one that struck South Korean banks and media companies in 2013, that’s not enough to link it to North Korea, according to Trend Micro Inc., a developer of security software.

The malware is available on the black market and can be used without a high level of technical sophistication, according to Trend Micro’s Tokyo-based security evangelist Masayoshi Someya. It was customized for the company, targeting specific anti-virus software, he said.

“A lot of malware is kind of like a Roomba -- it shuffles around the computer network, bumps into furniture and goes in spirals and looks for things kind of randomly,” Stammberger said. “This was much more like a cruise missile.

‘‘This malware had specific server addresses, user IDs, passwords and credentials, it had certificates. This stuff was incredibly targeted. That is a very strong signal that an insider was involved.’’