Investigation IDs Crew of 6 Behind Hack of Sony, Including Former Employee (securityledger.com)
chicksdaddy writes: Alternative theories of who is responsible for the hack of Sony Pictures Entertainment have come fast and furious in recent weeks (http://it.slashdot.org/story/14/12/24/1757224/did-north-korea-really-attack-sony), especially since the FBI pointed a finger at the government of North Korea last week (http://news.slashdot.org/story/14/12/18/0249222/us-links-north-korea-to-sony-hacking). But Norse Security is taking the debate up a notch, saying that they have conclusive evidence pointing to a group of disgruntled former employees as the source of the attack and data theft.
The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals — in the U.S., Canada, Singapore and Thailand — that it believes carried out the attack, including at least one 10-year employee of SPE who worked in a technical capacity before being laid off in May (https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/).
Rather than starting from the premise that the Sony hack was a state-sponsored attack, Norse researchers worked their investigation like any other criminal matter: starting by looking for individuals with the "means and motive" to do the attack. HR files leaked in the hack provided the motive part: a massive restructuring in spring 2014, in which many longtime SPE employees were laid off.
After researching the online footprint of a list of all the individuals who were fired and had the means to be able to access sensitive data on Sony's network, Norse said it identified a handful who expressed anger in social media posts following their firing. They included one former employee — a 10-year SPE veteran who he described as having a "very technical background." Researchers from the company followed that individual online, noting participation in IRC (Internet Relay Chat) forums where they observed communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia.
According to Stammberger, the Norse investigation was eventually able to connect an individual directly involved in conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July 2014.
While Stammberger admits that some clues in the investigation seemed to point to attackers in one of the Koreas, he says those paths all turned into dead ends, and that Norse investigators found no convincing evidence of North Korean involvement in the incident.
According to Stammberger, the company is briefing the FBI on its investigation on Monday. I'd love to be a fly on the wall in that room!