Kaspersky’s principal security researcher Kurt Baumgartner has uncovered a number of details surrounding the malware attack that crippled Sony Pictures last month.
Research indicates that the group known as the Guardians of Peace (GOP) responsible for the recent hack may be connected with the 2012 attack on Saudi Aramco by “WhoIsTeam.”
In fact, Baumgartner believes that the attack on Sony, dubbed Destover by Kaspersky, the Shamoon malware used against Saudi Aramco and the 2013 Dark Seoul attacks were all perpetrated by the same group.
"In all three cases: Shamoon, Dark Seoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own," Baumgartner wrote online.
"All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”
The styling of the threats also carried similarities, with the Dark Seoul and Destover attacks both including a warning that further hacks would follow, while skull imagery and similar colours were also used.
Baumgartner also identified that the Shamoon and Destover attacks utilised off-the-shelf EldoS RawDisk drivers within the dropper's resource section and in both cases hackers built the malware components very close to the day of the attack.
Many industry experts have suggested that North Korea is behind the recent Sony hack in response to an upcoming film portraying the country in a negative light. While Baumgartner has said that the new research does not add any weight to this claim, he did describe the similarities between the high-profile attacks as “extraordinary.” He also revealed that the parallels between the Sony malware and those used previously indicate that the entertainment firm should be able to recover its wiped data.
Jaime Blasco, director of AlienVault Labs, obtained malware samples from the Sony hack and told ITProPortal:
"From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials -- usernames and passwords -- that the malware uses to connect to systems inside the network. The malware was used to communicate with IP addresses in Europe and Asia, which is common for hackers trying to obscure their location. The hackers who compiled the malware used the Korean language on their systems."