Cybersecurity researchers claim in a new report that the hackers who obliterated Sony Pictures Entertainment in 2014 were more prolific than previously thought — so much so that a coalition of experts says the perpetrators have been attacking targets since at least 2009 and were active as of late last year.
The “Operation Blockbuster” report put out on Wednesday by Novetta, a Virginia-based security analytics company, concludes that the Sony hack was carried out by a “structured, resourced and motivated organization” that had been targeting government and media groups for several years by the time the Hollywood studio had its computer systems ravaged in a scorched-earth attack in November 2014.
Yet while the report’s authors stop short of blaming the Sony hack on North Korea — an assertion widely shared within the U.S. government — they lend credence to that claim by linking the malware used against the movie house to earlier attacks on targets in the United States and South Korea, two countries at the top of the hermit kingdom’s enemies list.
“This is very much supportive of the theory that this is nation-state,” Novetta Chief Executive Peter LaMontagne told Reuters. “This group was more active, going farther back, and had greater capabilities and reach than we thought.”
Mr. LaMontagne’s company leveraged the services of some of the world’s most renowned cybersecurity firms — among them Kaspersky Lab, Symantec and Trend Micro — to conduct an investigation into the “Lazarus Group,” a name applied by Novetta to the perpetrators responsible for the Sony hack.
According to their findings, several other operations, including a campaign last year in which victims were sent malicious documents purporting to be media coverage of South Korea’s parliamentary election, were carried out by the same group.
Sophisticated malware analyzed by the coalition and attributed to the Lazarus Group has been used in previous campaigns and gives the researchers reason to believe that the SPE hack was not carried out by Sony employees or hell-bent hacktivists.
Instead, the researchers blame “a single group, or potentially very closely linked groups sharing technical resources, infrastructure and even tasking” that remains on the warpath.
“The Lazarus Group is just one of many attack groups with the sophisticated operational techniques required to breach networks around the globe, and steal or destroy data and other assets,” Mr. LaMontagne said in a statement. “By working with industry partners, we were able to better understand and devise ways to disrupt the tools and techniques used by malicious actors and share that information to protect our collective customers.”
“While the debate over who was responsible — North Korea, hacktivists, or SPE employees — was the primary subject played out in the media, the attack presented much larger implications, such as how little resistance a modern commercial enterprise is able to provide in the face of a capable and determined adversary with destructive intent,” the Novetta report noted.
Individuals calling themselves the “Guardians of Peace” took credit for hacking SPE in 2014 and pilfering sensitive data including employee records, internal emails and unreleased major motion pictures.
Sony Pictures later said it spent $15 million on “investigation and remediation costs,” and the Obama administration imposed new sanctions on North Korea in retaliation.
• Andrew Blake can be reached at ablake@washingtontimes.com.