Sony Leak Was An Inside Job

While the mainstream media dutifully followed the “Sony hacked by North Korea” narrative, experts were not at all convinced. There are situations where North Korea is the source of advanced persistent threats (APT), but their operators grew up in the world’s last Stalinist state. They are often confused by how little control western governments have over their media, let alone their entertainment business. The rapid, direct hits on Sony’s soft spots indicated an insider was involved.

The first big clue that the intrusion was an inside job came thanks to metadata. The exfiltrated files are a known size; they were written in order, each with a date/time stamp, and the transfer speeds implied by those stamps vastly exceeded the capacity of the company’s internet connection. The person who exfiltrated the data did so by plugging an external drive into a computer connected to the Sony corporate LAN. One of those exfiltrated files, the movie The Interview, the alleged motivation for North Korea to attack Sony, has started showing up online and is headed for an unprecedented “online before theaters” release, now that it’s clear it’s not going to trigger an international incident.
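The throughput argument above can be checked mechanically: given each file’s size and the timestamp at which it was written, the rate needed to land it in the gap since the previous file can be compared with the capacity of the outbound link. The following is an added illustration, not code from the article or from the analysts it cites; the file names, sizes, timestamps and the 100 Mbit/s link figure are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileRecord:
    name: str
    size_bytes: int
    written_at: datetime  # timestamp recorded on the leaked copy


def implied_throughput_bps(records):
    """Infer the bit rate needed to write each file in the interval since the
    previous file's timestamp.  Returns (name, bits_per_second) pairs in time
    order.  The first file has no preceding interval, so it is skipped, as are
    files sharing a timestamp with their predecessor (no rate can be inferred)."""
    ordered = sorted(records, key=lambda r: r.written_at)
    rates = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap_s = (cur.written_at - prev.written_at).total_seconds()
        if gap_s <= 0:
            continue
        rates.append((cur.name, cur.size_bytes * 8 / gap_s))
    return rates


def files_exceeding_link(records, link_bps):
    """Names of files whose implied rate could not have been sustained over a
    link of the given capacity, i.e. candidates for a local (LAN/USB) copy."""
    return [name for name, bps in implied_throughput_bps(records) if bps > link_bps]


# Constructed sample: three files written one minute apart, and an assumed
# 100 Mbit/s corporate internet uplink.  None of these values are Sony's.
T0 = datetime(2014, 11, 20, 2, 0, 0)
LINK_BPS = 100_000_000
SAMPLE = [
    FileRecord("archive_a.zip", 1_000_000_000, T0),
    FileRecord("archive_b.zip", 4_000_000_000, T0 + timedelta(seconds=60)),
    FileRecord("archive_c.zip", 500_000_000, T0 + timedelta(seconds=120)),
]

if __name__ == "__main__":
    for name, bps in implied_throughput_bps(SAMPLE):
        print(f"{name}: {bps / 1e6:.1f} Mbit/s needed")
    print("too fast for the uplink:", files_exceeding_link(SAMPLE, LINK_BPS))
```

archive_b.zip needs about 533 Mbit/s to land within its one-minute gap, so it is flagged; archive_c.zip at roughly 67 Mbit/s is not. A single flagged file only shows that the timestamps are inconsistent with that link, so the timestamps themselves (which clock, which copy) still need to be established before drawing conclusions.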

Six Individuals Involved in the Hack, Including One Former Sony Employee

A recent Security Ledger article, New Clues In Sony Hack Point To Insiders, Away From DPRK, had this to say about the messages offered by Guardians of Peace, the group taking credit for the intrusion.

Other analysis studied clues buried in statements made by the shadowy hacking crew, the Guardians of Peace or GOP, who claimed responsibility for the attacks. Email addresses and other ephemera from the GOP communications with Sony and the outside world have been read to reveal links to everything from Japanese anime and the Mighty Morphin Power Rangers television show to U.S. domestic disputes over politics and gender equality. Further, linguistic analysis of GOP’s online communications suggests they were penned by someone who is a native Russian speaker, not a native Korean (or English) speaker.

The presence of a native Russian speaker does not surprise knowledgeable APT watchers. Roughly a third of all APT reports point the finger at Russian actors (Moscow-based Kaspersky Lab is a prolific profiler of such things), and this has been the case since the collapse of the Soviet Union. The freshly dismantled KGB of the early 1990s transformed into cybercrime rings, and Russians have dominated the business ever since.

It is thought that the group name Guardians of Peace, shortened to #GOP, is a jab at Mitt Romney, whose former employer, Bain Capital, acquired Sony, and was responsible for layoff decisions in early 2014. Security firm Norse Corporation believes they have identified a group of six individuals involved in the intrusion.

Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.

Norse is in a unique position to evaluate the DDoS aimed at Sony as well as the intrusion, thanks to their IPViking Live platform, which provides a real-time global view of attack sources and targets. This short clip is from an event earlier this year: the attacks aimed at the St. Louis area in response to the Ferguson grand jury failing to indict Michael Brown’s killer.

We approached Norse directly to see if there was additional information available on the Sony intrusion. Based on their response it seems like there will be information forthcoming, but not just yet, due to the open investigation. We’ll be back with an update once this information is made public.

We can share as soon as law enforcement approves – have to play by the book… – @NorseCorp

Images from Shutterstock.