• Reuters


Cybersecurity researchers have uncovered what they say is technical evidence linking the massive breach at Sony Corp.’s Hollywood studio with attacks in South Korea and the Middle East.

Moscow-based security software maker Kaspersky Lab said Thursday it uncovered evidence that all three campaigns might have been launched by the same group, or facilitated by a single organization skilled in working with destructive malware.

In 2012, cyberattackers damaged tens of thousands of computers in Saudi Arabia’s national oil company and Qatar’s RasGas with a virus known as Shamoon, one of the most destructive campaigns to date. Some U.S. officials blamed Iran.

Last year, more than 30,000 PCs at South Korean banks and broadcasting companies were hit by a similar attack that cybersecurity researchers widely believe was launched from North Korea.

Kaspersky researcher Kurt Baumgartner said there are “unusually striking similarities” related to the malicious software and techniques in the two campaigns and the Nov. 24 Sony attack in which malware dubbed “Destover” was used.

He described the similarities in depth in a technical blog published Thursday on Kaspersky’s website.

“It could be a single actor or it could be that there are trainers or individuals who float across groups,” Baumgartner said in an interview.

He said the evidence suggests hackers from North Korea are behind the attack on Sony, although it is unclear whether they work directly for the government.

Not all cybersecurity researchers agree with Kaspersky’s interpretation of the technical evidence.

California-based Symantec Corp. said in a blog posting Thursday it also sees similarities between the attacks against Sony and the Shamoon campaign, but attributed it to a copycat.

“There is no evidence to suggest that the same group is behind both attacks,” Symantec said on its blog.

The diverging views highlight the difficulties that law enforcement faces in determining the identity of the hackers responsible for the Sony breach.

Hackers often conduct attacks by digitally hopping through multiple computer servers around the globe to mask their real Internet address, or use “false flag” techniques to make it look as though the attack is the work of another nation or group.
