Cyber-security firms are increasingly pointing the finger of blame for last week's hack of Sony Pictures at North Korea – just as the rogue state now denies it had any involvement.
Both Kaspersky and Symantec have analysed the Destover malware used to wipe the film and TV company's files, and found it uses the Korean language and has “glaring similarities” and “several links” with prior attacks on South Korea - which the South Korean Government said came from North Korea.
But the two firms stop short of definitively blaming North Korea – and experts agree it is too early to be sure of the attack's attribution, even though the country has the “means, motive and opportunity”.
North Korea is suspected of the hack because Sony Pictures is soon to release ‘The Interview’, a comedy film in which Seth Rogen and James Franco play two reporters granted an audience with North Korean leader Kim Jong-un who are then approached by the CIA to assassinate him.
In a 4 December blog titled “Mystery North Korean actor's destructive and past network activity”, Kaspersky researcher Kurt Baumgartner confirms the Sony Destover attack malware uses Korean language packs and has “glaring similarities with some of the suspect group's previous activity” – namely the DarkSeoul and Shamoon attacks.
The DarkSeoul campaign in March 2013 targeted South Korean TV broadcasters and major banks and the South Korean Government said it was carried out by North Korea, though this was not definitively confirmed.
The 2012 Shamoon attacks were against oil and energy companies including Saudi Aramco.
Kaspersky connects the three campaigns based on their shared methods of overwriting and restoring data, the type of wiper drivers they use, the “pseudo-political messages” they espouse, the tight timeframe between the malware being compiled and deployed, and even the similar skeletal artwork used by the DarkSeoul ‘Whois’ and Destover ‘GOP’ groups (see pictures below and right).
Baumgartner says: “The list of commonalities does not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover. But it should be noted that the reactionary events and the groups' operational and toolset characteristics all carry marked similarities – and it is extraordinary that such unusual and focused acts of large-scale cyber-destruction are being carried out with clearly recognisable similarities.”
But directly asked by SCMagazineUK.com, a Kaspersky Lab spokesperson said the company does not talk about attribution, and gave SC this brief statement: “Kaspersky Lab does not comment or speculate on the origins of attacks, but provides factual analysis of the threats and any subsequent impact on people, organisations and infrastructure.”
Meanwhile in a 4 December blog, Symantec says the “Destover destructive malware has links to attacks on South Korea”, specifically the Volgmer and Jokra campaigns, as well as Shamoon. Jokra is the Trojan used in the DarkSeoul campaign.