Modern field guide to security and privacy

Who really hacked Sony? Cybersecurity researchers say they finally know

A group they've dubbed "Lazarus Group" is well organized and tied to numerous other attacks on governments, banks, and military institutions in the US and South Korea since 2009.

The film "The Interview" outside the Alamo Drafthouse theater in Littleton, Colo., on Dec. 23, 2014.

More than a year after the devastating Sony Pictures hack, a trio of cybersecurity firms claim to have pinpointed the culprits behind the breach that rattled Hollywood and invigorated President Obama's cybersecurity agenda.

The companies said in a report released Wednesday that an outfit they dub "Lazarus Group," which has carried out high-profile attacks on government agencies, militaries, and banks in the US and South Korea since 2009, is responsible for the Sony Pictures incursion in November 2014.

The firms didn't connect Lazarus Group directly to North Korea, which US law enforcement and many security experts believe funded the Sony Pictures hack in retaliation for "The Interview," a comedy distributed by Sony about an assassination plot against North Korean leader Kim Jong-un.

"What we've found clearly communicates a very well resourced organization that is extremely well-motivated, extremely well-organized, and has demonstrated since 2009 their ability to operate," said Andre Ludwig, the senior technical director at Novetta, a Virginia cybersecurity firm. It published the report along with AlienVault and Kaspersky Lab.

Their research also connected Lazarus Group to distributed denial of service, or DDoS, attacks that targeted South Korea's government, military, and major banks in 2011, as well as to "Operation Troy," a military espionage campaign targeting South Korea.

The report found traces of the Lazarus Group's malware in China, India, Japan, and Taiwan. That could indicate the Sony hack was the work of one group – or closely linked networks – that potentially collaborated on technical resources, attacks, and coordinated server infrastructure. The hackers appeared to communicate in Korean, according to malware samples the researchers analyzed. 

The security researchers say they based their finding on hundreds of millions of malware samples related to Sony and other hacks – ultimately attributing 2,000 samples and 45 families of malware to the Lazarus Group. 

"We embarked on this pursuit to understand what occurred," said Mr. Ludwig. "We want to share our knowledge in a way that people can leverage to better protect themselves."

In the aftermath of the Sony hack, theories about who hacked the company ranged from the hacker collective Lizard Squad to insiders at the company. Initially, a previously unknown group calling itself Guardians of Peace breached Sony's networks, demanding payment before dumping a trove of company documents online. Hackers later demanded the studio pull "The Interview."

The Sony Pictures hack eventually cost the company an estimated $15 million, leaked its private employee communications and unreleased films, and ultimately led to the resignation of the company's co-chair, Amy Pascal.

Soon after the breach, the FBI said that North Korea was responsible based upon claims that attackers failed to mask IP addresses that traced back to Pyongyang. "The FBI now has enough information to conclude that the North Korean government is responsible for these actions," the bureau said in a statement at the time. The FBI also claimed that the malware involved matched code used in an attack against South Korean television stations and banks in 2013.

But those suggestions – and a statement from Director of National Intelligence James Clapper claiming that a North Korean general had ordered the attack – weren’t enough to dull skepticism at the time from the security community, until the National Security Agency backed up the claim by reverse engineering some of the malware involved.

That analysis was underscored by noted cybersecurity expert Thomas Rid, professor of security studies at King's College London, who said the FBI may have found a mechanism used by North Korean hackers to encrypt the stolen data.

The Sony hack, which led the US to bolster economic sanctions against North Korea, also helped spur Obama into a major push on cybersecurity in 2015. That culminated in the Cybersecurity Act of 2015, which gives companies legal cover for sharing information on cybersecurity threats with the government through the Department of Homeland Security.

