Novetta finds Sony hackers active since 2009, North Korea involvement not endorsed

An investigation undertaken by a coalition of security firms has found that the perpetrators of the 2014 Sony hack were active well before the breach, with North Korea avoiding accusation this time around.

Security analytics company Novetta has said the perpetrators behind the 2014 cyber attack on Sony Pictures' movie-making department were government-backed, stopping short, however, of endorsing the official US view that North Korea was to blame.

Following the high profile breach, Novetta organised a coalition to investigate, employing the largest security software vendor in the US, Symantec Corp, Russian-based security firm Kaspersky Lab, and at least 10 other institutions to collaborate on the investigation.

The coalition had been investigating the Sony case for over a year, with Novetta releasing a report on Wednesday that determined the unidentified hackers had been at work since at least 2009 -- five years before the Sony breach.

According to Novetta, Sony's hackers were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan, and Taiwan.

The Novetta group said the hackers were likely also responsible for denial-of-service attacks that disrupted US and South Korean websites on July 24, 2009. The group said it found overlaps in code, tactics, and infrastructure between the attacks.

Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the United States had not silenced the gang.

The coalition of security companies distributed technical indicators to help others determine if they had been targeted by the same hackers, which Novetta dubbed the Lazarus Group.

The Obama administration has tied the attack on Sony Corp's film studio to its release of The Interview, a comedy that depicted the fictional assassination of North Korean leader Kim Jong Un.

Despite ongoing investigations being carried out by the FBI, Sony announced less than a month after the attack that it was pulling the plug on the film, cancelling all plans for its release.

North Korea, however, denied any involvement in the attacks.

"We do not know where in America the Sony Pictures is situated and for what wrongdoings it became the target of the attack, nor [do] we feel the need to know about it," North Korea's top military body, the National Defence Commission, told the state-run KCNA news agency at the time.

Novetta agreed, saying the breach "was not the work of insiders or hacktivists".

"This is very much supportive of the theory that this is nation-state," Novetta Chief Executive Peter LaMontagne told Reuters. "This group was more active, going farther back, and had greater capabilities and reach than we thought."

LaMontagne said the report was the first to tie the Sony hack to breaches at South Korean facilities including a power plant. The FBI and others had previously said the Sony attackers reused code that had been used in destructive attacks on South Korean targets in 2013.

In late November, 2014, Sony's television and movie arm was hijacked and threats were made to leak sensitive corporate data unless particular demands were met.

Within days it was revealed that the damage spread further than just internal systems being compromised or the defacement of websites belonging to the company, with Twitter accounts taken over with unauthorised messages left behind.

A few days later, sensitive data stored by Sony such as passwords, mailboxes, personal employee data, and passport copies were leaked online. In addition, a number of yet-to-be-released movies prematurely debuted to the masses through file-sharing.

The Wall Street Journal revealed at the time that the Social Security numbers of over 47,000 current and former Sony employees -- as well as Hollywood celebrities such as Sylvester Stallone -- had been posted online.

The following February, it was revealed that Sony Pictures took a $15 million hit to its finances as part of "investigation and remediation costs" relating to the cyberattack.

With AAP
