North Korea unlikely to be behind Sony Pictures attacks

The tactics and publicity around the stolen documents are more in line with hacktivists, experts said

North Korea is most likely not responsible for the cyberattacks against Sony Pictures Entertainment, which saw thousands of sensitive internal documents released on the Web in a high-profile strike, experts said.

The secretive nation has been fingered in part because the malware used against Sony is the same malware that crippled South Korea in March 2013. Those attacks, dubbed "Dark Seoul," wiped data from banks' computers, disabled ATMs and crippled websites.

It was also theorized that North Korea was angry about a forthcoming movie in the U.S., "The Interview," a comedy in which two show business reporters travel to North Korea to interview leader Kim Jong Un.

But the Sony attacks have been a more public affair, with taunting images displayed on hacked PCs, sensitive company documents posted online and gigabytes of leaked documents sent to journalists.

They are not tactics normally associated with state-sponsored attacks, said Lucas Zaichkowsky, an enterprise defense architect with Resolution1 Security.

"That is almost certainly a hacktivist play," said Zaichkowsky in a phone interview Wednesday.

Zaichkowsky used to work for Mandiant, the computer forensics company, now owned by FireEye, that has reportedly been contracted by Sony to investigate the attacks. He said the release of gigabytes of data seems more like a move that would come from hacktivists, possibly with connections to disgruntled employees.

A hacking group calling itself the Guardians of Peace (GOP) has claimed responsibility, and a self-proclaimed leader of the group has been sending data to reporters, including IDG News Service.

The group said in an email it was not working on behalf of any state and said its actions against Sony were in part related to the company's restructuring efforts and labor issues.

"Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years," GOP wrote. "It has brought damage to a lot of people, some of whom are among us."

The group said corporate restructuring was the "decisive motive of our action" and called on Sony to "stop this and pay proper monetary compensation to the victims."

"We have another plan to correct the incidents of Michael Brown," the email to reporters added, referring to the fatal shooting of an unarmed man by a police officer in Ferguson, Missouri.

These are hardly the normal concerns of North Korea, and the message doesn't mention "The Interview" at all. It's more consistent with attacks by activist hackers due to its attention-seeking nature, public posting of links to stolen files on Pastebin and reference to social causes.

Jaime Blasco, director of AlienVault Labs, has been analyzing the malware and said the attackers seem to have had knowledge of Sony's internal network.

"The malware samples contain hardcoded names of servers inside Sony's network and even credentials/usernames and passwords that the malware uses to connect to systems inside the network," he said.

Former Sony employees might have that kind of network knowledge, but hackers also often do reconnaissance on networks prior to an attack, looking for weak points to exploit.

Although attributing cyberattacks is difficult, it's unlikely North Korea is behind Sony's troubles, said Scot A. Terban, a threat intelligence analyst who writes under the Twitter handle @krypt3ia.

The style of malware used against Sony, which corrupts a computer's master boot record, has been around for 16 years, Terban said in a phone interview Wednesday.

It is possible that the Sony attackers obtained the same malware that was used against South Korea last year, as the malware is available on the internet. The attackers may have changed it a bit to avoid security software and then repurposed it, he said.
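The wiper behaviour Terban describes can be checked for directly on a disk image or a live host: an MBR that has been overwritten no longer carries the 0x55AA boot signature at offset 510, or its partition table no longer parses sanely. The Python below is an added example written for this page, not code from the article, from Sony's investigators or from any vendor report. Every 512-byte sector it examines is constructed inside the script (the `build_sample_mbr` helper and the `WIPED!!!` filler are illustrative, not bytes from any real sample). It parses the partition table, applies a handful of structural checks, and optionally compares the sector's hash with a known-good baseline.

```python
"""
Structural sanity check of a 512-byte master boot record, the sector an
MBR-corrupting wiper overwrites. Added example for this page; every sector
below is constructed here, not taken from any real sample.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # four 16-byte entries follow the bootstrap code
PART_ENTRY_SIZE = 16
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr):
    """Decode the four partition entries: status, type, LBA start, sector count."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_sha256=None):
    """Return (ok, findings); findings lists every reason the sector looks damaged."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return False, ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    if mbr[SIG_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing at offset 510")
    if len(set(mbr)) == 1:
        findings.append("sector is one repeated byte 0x%02x (wiped)" % mbr[0])

    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    if not any(p["type"] for p in parts):
        findings.append("partition table is empty")
    spans = []
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (i, p["status"]))
        if p["type"] and p["sectors"] == 0:
            findings.append("entry %d has a type but zero length" % i)
        if p["type"]:
            spans.append((p["lba_start"], p["lba_start"] + p["sectors"], i))
    spans.sort()
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("entries %d and %d overlap" % (i1, i2))

    if baseline_sha256 is not None:
        digest = hashlib.sha256(mbr).hexdigest()
        if digest != baseline_sha256:
            findings.append("sector hash %s... differs from baseline" % digest[:16])
    return not findings, findings


def build_sample_mbr():
    """Constructed healthy MBR: a few bytes of boot code, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code += b"\x90" * (PART_TABLE_OFFSET - len(boot_code))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + bytes(PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    samples = {
        "healthy": good,
        "zeroed": bytes(MBR_SIZE),
        "overwritten with filler": b"WIPED!!!" * (MBR_SIZE // 8),
    }
    baseline = hashlib.sha256(good).hexdigest()
    for name, sector in samples.items():
        ok, findings = check_mbr(sector, baseline_sha256=baseline)
        print("%-24s %s" % (name, "OK" if ok else "; ".join(findings)))
```

On a live Linux host the same function would be fed the first 512 bytes of the raw block device (root is required to read it); a baseline hash recorded at provisioning time turns the check into a cheap integrity monitor, since a legitimate MBR rarely changes after installation. A blank bootstrap area is deliberately not treated as a finding on its own, because GPT protective MBRs and some imaging tools leave it empty.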

Terban said the use of Korean language encoding in the malware is still "not a lot to hang your hat on as far as attribution goes."

If North Korea had indeed struck Sony, "there would be no evidence of Korean coding" in the malware, Terban said.
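Two of the indicators cited above, the hardcoded internal server names and credentials Blasco describes and the Korean language encoding Terban discounts, are the kind of thing an analyst pulls out of a sample with a strings pass before any deeper reversing. The script below is an added example, not code from the article or from AlienVault's or Terban's analysis. The `SAMPLE` byte string is constructed here to stand in for a binary, and the hostnames, share names, account and password in it are invented. It extracts printable ASCII runs and flags UNC paths, `net use ... /user:` command lines and URLs with embedded credentials, then separately scans for CP949 (the Windows Korean code page) double-byte sequences that decode to Hangul. Matching CP949 byte ranges is one way Korean encoding shows up in a binary; a resource-section language ID is another, and this script does not check for that.

```python
"""
Strings-level triage for two indicators the article cites: hardcoded internal
hostnames/credentials, and Korean (CP949) encoded text. Added example for this
page; SAMPLE is a constructed byte string standing in for a binary.
"""
import re

# printable ASCII runs of 6+ bytes, as the Unix `strings` tool would report
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")

UNC_PATH = re.compile(r"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+")
NET_USE_CRED = re.compile(r"\bnet\s+use\b.*/user:\S+", re.IGNORECASE)
URL_USERINFO = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)

# CP949 double-byte sequence: lead 0x81-0xFE, trail 0x41-0x5A, 0x61-0x7A or 0x81-0xFE;
# two or more in a row so that stray high bytes in machine code do not match
CP949_RUN = re.compile(rb"(?:[\x81-\xfe][\x41-\x5a\x61-\x7a\x81-\xfe]){2,}")


def ascii_strings(blob):
    """Printable ASCII runs with their offsets."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]


def find_network_indicators(blob):
    """UNC paths and strings that embed credentials, taken from the ASCII string set."""
    hits = {"unc_paths": [], "credentials": []}
    for _, s in ascii_strings(blob):
        hits["unc_paths"].extend(UNC_PATH.findall(s))
        hits["credentials"].extend(m.group() for m in NET_USE_CRED.finditer(s))
        hits["credentials"].extend(m.group() for m in URL_USERINFO.finditer(s))
    return hits


def find_korean_strings(blob):
    """CP949 runs that decode cleanly and contain Hangul syllables (U+AC00..U+D7A3)."""
    out = []
    for m in CP949_RUN.finditer(blob):
        try:
            text = m.group().decode("cp949")
        except UnicodeDecodeError:
            continue
        if any("\uac00" <= ch <= "\ud7a3" for ch in text):
            out.append((m.start(), text))
    return out


# Constructed stand-in for a binary: the hosts, shares, account and password are invented.
SAMPLE = (
    b"MZ\x90\x00" + bytes(20)
    + b"cmd.exe /c net use \\\\FILESRV01\\ADMIN$ Summ3r2014 /user:CORP\\svc_backup\x00"
    + b"\\\\DC02\\netlogon\x00"
    + b"http://updater:hunter2@10.0.0.5/beacon\x00"
    + "파일을 삭제합니다".encode("cp949") + b"\x00"   # Korean: "deleting the file"
    + b"\x12\x34\xab"
)


if __name__ == "__main__":
    net = find_network_indicators(SAMPLE)
    print("UNC paths:   ", net["unc_paths"])
    print("credentials: ", net["credentials"])
    for off, text in find_korean_strings(SAMPLE):
        print("CP949 @0x%04x: %s" % (off, text))
```

Run against a real sample, the UNC and `net use` hits are what an analyst would compare against the victim's host inventory, which is the only way to confirm the "knowledge of the internal network" claim; the CP949 hits are, as Terban says, weak attribution evidence on their own, since strings can be planted and the code page says nothing about who typed them.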


McAfee, a computer security company now owned by Intel, did extensive research into the Dark Seoul attacks, publishing a technical report on the malware in July 2013.

Its analysts wrote that the March 2013 attacks were actually the conclusion of a four-year covert espionage campaign that also sought classified military data.

Two groups, called the Whois Hacking Team and the NewRomanic Cyber Army Team, conducted the Dark Seoul attacks, but McAfee concluded they were likely part of the same team since they used similar attack code.

McAfee declined an interview request Thursday asking if its researchers were still tracking the groups.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is


Stories by Jeremy Kirk and Martyn Williams
