At least one former employee of Sony Corp. may have helped hackers orchestrate the cyberattack on the company’s film and TV unit, according to security researcher Norse Corp.
The company narrowed the list of suspects to a group of six people, including at least one Sony veteran with the necessary technical background to carry out the attack, said Kurt Stammberger, senior vice president at Norse.
The company used Sony’s leaked human-resources documents and cross-referenced the data with communications on hacker chat rooms and its own network of Web sensors, he said.
Norse said the findings cast doubt on the U.S. government’s claim that the attack was aimed at stopping the release of “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong Un.
The FBI said Dec. 19 it had enough evidence to link the attack to the communist regime, prompting President Barack Obama to vow a response to the cyberassault.
“When the FBI made this announcement, just a few days after the attack was made public, it raised eyebrows in the community because it’s hard to do that kind of an attribution that quickly — it’s almost unheard of,” Stammberger said in a telephone interview from San Francisco.
“All the leads that we did turn up that had a Korean connection turned out to be dead ends,” he said.The information found by Norse points to collaboration between an employee or employees terminated in a May restructuring and hackers involved in distributing pirated movies online that have been pursued by Sony, Stammberger said.
The initial demands by the group calling itself Guardians of Peace were extortion, rather than pulling the movie from release, he said.
“There is no credible information to indicate that any other individual is responsible for this cyber incident,” Jenny Shearer, a Federal Bureau of Investigation spokeswoman, said in an email.
The agency based its assessment on information from the U.S. intelligence community, the Department of Homeland Security, foreign partners and the private sector.
The earliest activity by the virus that ravaged Sony Pictures Entertainment’s computers last month can be traced to July, Stammberger said.
Norse, founded in 2010, uses a network of more than 8 million honeypots, or software traps that lure in hackers, to track malware activity on the Web, according to Stammberger.
Norse briefed the FBI on the findings in St. Louis on Monday, Stammberger said.
The FBI made its conclusion based on technical analysis and infrastructure used in the attack, it said in the Dec. 19 statement.
Sony’s internal probe linked the attackers to an organization known as DarkSeoul, people familiar with matter have said.
The attackers released private emails, employee salaries and health records.
They have been silent since Dec. 16, even as Sony reversed its decision to cancel the release of “The Interview.”
While the virus used to attack Sony’s computers was coded in a Korean language environment and is similar to the one that struck South Korean banks and media companies in 2013, that in itself is insufficient evidence to link it to North Korea, said Trend Micro Inc., a developer of security software.
The malware is available on the black market and can be used without a high level of technical sophistication, said Masayoshi Someya, a Tokyo-based representative of Trend Micro.
It was customized for this company in particular, targeting specific anti-virus software, Someya said.
“A lot of malware is kind of like a Roomba — it shuffles around the computer network, bumps into furniture and goes in spirals and looks for things kind of randomly,” Stammberger said, referring to a popular automated room-cleaning device.
“This was much more like a cruise missile.
“This malware had specific server addresses, user IDs, passwords and credentials, it had certificates,” he noted. “This stuff was incredibly targeted. That is a very strong signal that an insider was involved.”