More than a year after the devastating Sony Pictures hack, a trio of cybersecurity firms claim to have pinpointed the culprits behind the breach that rattled Hollywood and invigorated President Obama's cybersecurity agenda.
The companies said in a report released Wednesday that an outfit it dubs "Lazarus Group," which has carried out high-profile attacks on government agencies, militaries, and banks in the US and South Korea since 2009, is responsible for the Sony Pictures incursion in November 2014.
The firms didn't connect Lazarus Group directly to North Korea, which US law enforcement and many security experts believe funded the Sony Pictures hack in retaliation for the "The Interview," a comedy distributed by Sony about an assassination plot against North Korean leader Kim Jong-un.
"What we've found clearly communicates a very well resourced organization that is extremely well-motivated, extremely well-organized, and has demonstrated since 2009 their ability to operate," said Andre Ludwig, the senior technical director at Novetta, a Virginia cybersecurity firm. It published the report along with AlienVault and Kaspersky Lab.
Their research also connected Lazarus Group to distributed denial of service, or DDoS, attacks that targeted South Korea's government, military, and major banks in 2011, as well as to "Operation Troy," a military espionage campaign targeting South Korea.
The report found traces of the Lazarus Group's malware in China, India, Japan, and Taiwan. That could indicate the Sony hack was the work of one group – or closely linked networks – that potentially collaborated on technical resources, attacks, and coordinated server infrastructure. The hackers appeared to communicate in Korean, according to malware samples the researchers analyzed.
The security researchers say they based their finding on hundreds of millions of malware samples related to Sony and other hacks – ultimately attributing 2,000 samples and 45 families of malware to the Lazarus Group.
"We embarked on this pursuit to understand what occurred," said Mr. Ludwig. "We want to share our knowledge in a way that people can leverage to better protect themselves."
In the aftermath of the Sony hack, theories about who hacked the company ranged from the hacker collective Lizard Squad to insiders at the company. Initially, a previously unknown group calling itself Guardians of Peace breached Sony's networks, demanding payment before dumping a trove of company documents online. Hackers later demanded the studio pull "The Interview."
The Sony Pictures hack eventually cost the company an estimated $15 million, leaked its private employee communications and unreleased films, and ultimately led to the resignation of the company's co-chair, Amy Pascal.
Soon after the breach, the FBI said that North Korea was responsible based upon claims that attackers failed to mask IP addresses that traced back to Pyongyang. "The FBI now has enough information to conclude that the North Korean government is responsible for these actions," the bureau said in a statement at the time. The FBI also claimed that the malware involved matched code used in an attack against South Korean television stations and banks in 2013.
But those suggestions – and a statement from Director of National Intelligence James Clapper claiming that a North Korean general had ordered the attack – weren’t enough to dull skepticism at the time from the security community, until the National Security Agency backed up the claim by reverse engineering some of the malware involved.
That analysis was underscored by noted cybersecurity expert Thomas Rid, professor of security studies at King's College London, who said the FBI may have found a mechanism used by North Korean hackers to encrypt the stolen data.
The Sony hack, which led the US to bolster economic sanctions against North Korea, also helped spur Obama into a major push on cybersecurity in 2015. That culminated in the Cybersecurity Act of 2015 that gives companies legal cover for sharing information on cybersecurity threats with the government through the Department of Homeland Security.