The Security Ledger

New Clues In Sony Hack Point To Insiders, Away from DPRK

Clues from an investigation of the hack of Sony Pictures now point to at least one former employee, according to Norse Security.

A strong counter-narrative to the official account of the hacking of Sony Pictures Entertainment has emerged in recent days, with the visage of the petulant North Korean dictator, Kim Jong Un, replaced by another, more familiar face: former Sony Pictures employees angry over their firing during a recent reorganization at the company.

Researchers from the security firm Norse allege that their investigation of the hack of Sony has uncovered evidence that leads, decisively, away from North Korea as the source of the attack. Instead, the company alleges that a group of six individuals is behind the hack, at least one a former Sony Pictures Entertainment employee who worked in a technical role and had extensive knowledge of the company’s network and operations.

[Read Security Ledger coverage of the hack of Sony Pictures Entertainment.]

If true, the allegations by Norse deal a serious blow to the government’s account of the incident, which placed the blame squarely on hackers affiliated with the government of the Democratic Peoples Republic of Korea, or DPRK. That accusation, first aired last week, has been the source of heated rhetoric from both Washington D.C. and Pyongyang, the North Korean capital.

Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand.  The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.

Stammberger said that Norse’s team of around nine researchers started from the premise that insiders would be the best situated to carry out an attack on the company and steal data. The company analyzed human resources documents leaked in the hack and began researching employees with a likely motive and means to carry out a hack.

That HR data was the “golden nugget” in the investigation, revealing the details of a mass layoff at Sony in the Spring of 2014, including a spreadsheet identifying employees who were fired from Sony Pictures in the April-May time period.

After researching those individuals, Norse said it identified one former employee who he described as having a “very technical background.” Researchers from the company followed that individual online, noting angry posts she mad e on social media about the layoffs and Sony. Through access to IRC (Internet Relay Chat) forums and other sites, they were also able to capture communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia.

According to Stammberger, the Norse investigation was further able to connect an individual directly involved in those online conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July, 2014.

Stammberger was careful to note that his company’s findings are hardly conclusive, and may just add wrinkles to an already wrinkled picture of what happened at Sony Pictures. He said Norse employees will be briefing the FBI on Monday about their findings.

“They’re the investigators,” Stammberger said. “We’re going to show them our data and where it points us. As far as whether it is proof that would stand up in a court of law? That’s not our job to determine, it is theirs,” he said of the FBI.

At a minimum, the latest theory suggest that official accounts of the hack from U.S. government sources are now just one among many competing theories about the source of motivation behind the attack that are circulating within security circles and in the mainstream media. This, ten days after the Obama Administration pinned the blame for the destructive attack squarely on  hackers affiliated with the reclusive government of the Democratic Peoples Republic of Korea (DPRK).

The sheer amount of information leaked by the hackers has provided plenty of ammunition to fuel alternative narratives about what happened. Initial reports noted that the malware used in the attacks on Sony was created on systems that used Korean language software libraries, and shared similarities with malicious software used in destructive attacks on the Saudi oil firm Saudi Aramco.

But for every clue that seems to point to the involvement of the DPRK, there are others that point in other directions, as well. For example, recent analysis has focused on date and time stamps attached to the leaked Sony data. Researchers have used those time stamps to infer the speed with which the data was transferred off Sony’s network. Reports have suggested that the timestamp data points to a data leak within Sony’s enterprise network, for example: to a USB device or external hard drive.

Other analysis studied clues buried in statements made by the shadowy hacking crew, the Guardians of Peace or GOP, who claimed responsibility for the attacks. Email addresses and other ephemera from the GOP communications with Sony and the outside world have been read to reveal links to everything from Japanese anime and the Mighty Morphin Power Rangers television show to U.S. domestic disputes over politics and gender equality. Further, linguistic analysis of GOP’s online communications suggests they were penned by someone who is a native Russian speaker, not a native Korean (or English) speaker.

But the Norse account of the hack does answer some puzzling questions about the incident that are as yet unexplained, according to Mark Rasch, a former federal prosecutor and a principal at Rasch Technology and Cyberlaw. Among those questions: how hackers were able to obtain near-perfect knowledge of Sony Pictures’ network and, then, sneak terabytes of data off of the network without arousing notice.

“It has always been suspicious that it was North Korea,” Rasch said. “Not impossible – but doubtful…It made a lot more sense that it was insiders pretending to be North Korea.”

Rasch noted, as others have, that the attackers initially made no mention of the Sony Pictures film “The Interview” in communications with the company or the outside world. Rasch notes that the hackers also exhibited a somewhat sophisticated knowledge of how Hollywood works – leaking data that was deeply personal and particularly embarrassing to Sony executives.

Stammberger notes the involvement of an insider would explain how the attackers obtained critical information about Sony’s network, including the IP addresses of critical servers and valid credentials to log into them. Even in sophisticated attacks, remote actors might spend days, weeks or months probing a network to which they have gained access to obtain that information: using compromised employee accounts to explore and find sensitive data before stealing it or causing other damage. It is during that “lateral movement,” malicious actors are often spotted, Stammberger said.  In the case of the Sony hack, however, the malware was compiled knowing exactly what assets to attack.

Still, there are many questions that have yet to be answered. Norse’s own analysis has plenty of blank spaces. Stammberger said that a “handful” of former employees may have been involved, though only one was linked directly to the hack. That employee, at some point, joined forces with external actors and more experienced hackers with a grudge against Sony, including individuals involved with sites like the Pirate Bay which offer Hollywood movies for download. “We see evidence for those two groups of people getting together,” Stammberger told The Security Ledger.

Spread the word!