Investigators blame government-backed attackers for 2014 Sony hack

25 Feb 2016

Security analytics company Novetta has pointed to government-backed attackers for the 2014 cyber attack on Sony Pictures' movie-making department but stopped short of supporting the official US view that North Korea was to blame.

After the high profile breach, Novetta set up a coalition to investigate the attacks. It roped in the largest security software vendor in the US, Symantec Corp, Russian-based security firm Kaspersky Lab, and at least 10 other institutions in the investigation.

After investigating the case for over a year, Novetta released a report yesterday that determined the unidentified hackers had been at work since at least 2009 - five years before the Sony breach.

Novetta said Sony's hackers were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan, and Taiwan.

According to the Novetta group, the hackers were likely also responsible for denial-of-service attacks that disrupted US and South Korean websites on 24 July 2009. The group also said it found overlaps in code, tactics, and infrastructure between the attacks.

Reports quoting Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the US had made no difference to the activities of the group.

The investigation, dubbed "Operation Blockbuster," which got underway in December 2014, was an independent undertaking and did not involve official investigators, law enforcement or the film studio. Symantec, Kaspersky Lab, AlienVault Labs, and Novetta collaborated on the study that aimed to "identify and impact the malicious tools and infrastructure used by the Lazarus Group" and also to "clarify details surrounding" the Sony attack, according to the report.

The study uncovered numerous distinct malware "families" used by the hacking group. Though the Sony hack may be the most prominent attack carried out by the group, the study reported that the Lazarus Group was also behind a large-scale 2013 attack on South Korean television stations and continued to carry out operations against media, governmental and financial institutions.