The attackers behind the Sony Pictures hack in 2014 are alive and well and still hacking, according to security researchers from Kaspersky Lab and AlienVault Labs.
Juan Andrés Guerrero-Saade, senior security researcher at Kaspersky, and Jaime Blasco, head of the intelligence and research team at AlienVault, have been gathering evidence of malicious activity against other victims which, they say, strongly links those attacks to the actors behind the Sony attack.
The researchers presented their work at the Kaspersky Security Analyst Summit in Tenerife, Spain. In an article in Wired, the pair detail a number of links between the Sony attack and subsequent attacks against organisations in South Korea.
Although the US government blamed the Sony hack on agents from North Korea, the researchers from Kaspersky and AlienVault refused to endorse this view, saying that attribution was inherently unreliable.
The investigation started with an analysis of the Destover malware and other data to create a “taxonomy” of related attacks. They collected 400 to 500 malware samples over the course of a year and analysed these and other clues.
They found that the attackers were re-using code, techniques and practices, but this alone was not quite enough to tie all of the attacks to the same group. The clincher came with the discovery of a dropper that was used in multiple attacks to drop different payloads. The droppers not only used very similar code but also unlocked their embedded resources using the same password.
The researchers also found that the attackers in all cases used a .BAT file to automatically erase traces of their incursions, a move which left telltale signs on the affected systems.
Other clues they gathered included a shared blacklist of sandbox applications and snippets of code in Korean.
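As an added illustration of the linking logic the researchers describe (weighting a shared dropper password as strong evidence and shared cleanup scripts, sandbox blacklists or Korean strings as supporting evidence), here is a small clustering routine. It is not code from the researchers or the article; the sample records, attribute names, weights and threshold are all constructed for this example.

```python
"""Cluster malware samples by shared artefacts, in the spirit of the
'taxonomy' described above. All sample metadata below is constructed;
none of it is real Kaspersky or AlienVault data."""
from collections import defaultdict

# Constructed sample records (hypothetical identifiers, not real hashes).
SAMPLES = {
    "s1": {"dropper_pw": "pw-A", "sandbox_blacklist": "bl-1", "cleanup_bat": "bat-1", "korean_strings": "kr-1"},
    "s2": {"dropper_pw": "pw-A", "sandbox_blacklist": "bl-2", "cleanup_bat": "bat-1", "korean_strings": None},
    "s3": {"dropper_pw": None,   "sandbox_blacklist": "bl-2", "cleanup_bat": "bat-2", "korean_strings": "kr-1"},
    "s4": {"dropper_pw": "pw-B", "sandbox_blacklist": "bl-3", "cleanup_bat": "bat-3", "korean_strings": None},
}

# Evidence weights (assumed): a shared dropper resource password is the
# strong link; the other shared artefacts are supporting clues only.
WEIGHTS = {"dropper_pw": 3, "sandbox_blacklist": 1, "cleanup_bat": 1, "korean_strings": 1}
THRESHOLD = 2  # two samples are linked when their shared-evidence score reaches this

def link_score(a, b):
    """Sum the weights of every attribute the two samples share (None never matches)."""
    score = 0
    for key, weight in WEIGHTS.items():
        if a.get(key) is not None and a.get(key) == b.get(key):
            score += weight
    return score

def cluster(samples, threshold=THRESHOLD):
    """Union-find over sample ids; returns sorted clusters of linked samples."""
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    ids = list(samples)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if link_score(samples[a], samples[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for sid in ids:
        groups[find(sid)].add(sid)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(cluster(SAMPLES))  # s2 and s3 share only a sandbox blacklist, so they stay apart
```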