The Sony hackers are still on the loose. Who are they?

After a year of analysis, cybersecurity experts believe the group behind the Sony hack in 2014 has been attacking networks for nearly a decade, at least, and continues to target government and commercial institutions globally.

Kacper Pempel/Reuters/File
An illustration file picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw.

A consortium of cybersecurity firms said Wednesday that the group that publicly exposed the inner workings of Sony in a sensational cyberattack in 2014 has been wreaking havoc for nearly a decade and is still alive and strong today, targeting networks around the world.

Though it claimed to be a hacktivist group called "Guardians of Peace" after it publicly released company e-mails and a trove of other damaging information about Sony, cybersecurity experts have concluded that its history of attacks indicates that the hacker group is actually a sophisticated, well-financed, and determined foe.

They have linked the group with attacks on government, media, military, aerospace, financial, and critical infrastructure in the United States, Taiwan, China, Japan, and India. South Korea appears to be a favorite target. 

Cybersecurity experts could not directly connect the hackers to the North Korean government, as the FBI did in its investigation of the Sony attack. But evidence suggests a government is likely behind these attacks, rather than a hacktivist group or a vindictive former employee, as has been suggested in the Sony case, says analytics firm Novetta.

The McLean, Va.-based firm, along with 13 industry partners that included Kaspersky Lab, Symantec, and AlienVault, spent a year piecing together seemingly unrelated attacks by analyzing the malware, or destructive software, used in each one.

They identified duplicate strings of code, passwords, and misspellings, which helped the security experts link 45 families of malware to the group, according to a report released Wednesday called “Operation Blockbuster.”

"There's very hard evidence to suggest that a lot of the development is all originating from the same authors and codebases," Andre Ludwig, a senior technical director at Novetta told The Washington Post. "These aren't pieces of malware that are being shared on underground forums – these are very well guarded codebases that haven't leaked out or been thrown around publicly," he said.

The cybersecurity experts have dubbed the hackers “Lazarus Group,” after the biblical figure that comes back from the dead, because it seems to create new identities – "NewRomanic Cyber Army Team," the "WhoIs Team," and "IsOne" – and new tools for each attack.

Lazarus could even be a coordinated network of hacker groups, says Novetta, together responsible for stealing data, carrying out cyber espionage, and other attacks that have crippled financial systems, in at least one case preventing the customers of a South Korean bank from accessing money through ATMs for a brief period.

“It’s impressive the scope of what these guys have done and what they continue to do.… And the scary part is, they have no qualms about being destructive,” Ludwig told Wired.

The coalition of firms led by Novetta is working to distribute information to governments and corporations describing how to protect their cyber assets from attacks, as it continues to monitor the hackers' activities.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.