Norse, the cybersecurity firm that first identified a potential insider in the massive November hack of Sony Pictures, believes it’s uncovered evidence on six individuals primarily involved in the attack, including one former Sony employee with “extensive knowledge of the company’s network and operations.”
Norse senior vice president Kurt Stammberger told the Security Ledger late Sunday that the company has identified six people “with direct involvement in the hack,” two of whom are based in the U.S. along with one in Canada, Singapore and Thailand.
The list also includes a former decade-long Sony veteran who “worked in a technical role” and was laid off in May. Norse previously identified the ex-employee as “Lena,” and said she claimed to have a connection to the “Guardians of Peace” hacker group that took credit for the attack against Sony, which has so far resulted in leaked employee information, executives’ emails, unreleased films and the limiting of the theatrical release of “The Interview” in response to a terrorist threat.
The FBI has attributed all of the above to North Korea due to the film’s plot, which centers around an attempt to assassinate North Korean dictator Kim Jong-un.
According to Stammberger, Norse, which is not involved in the official investigation, began its own independent examination under the premise that the attack would have been best executed from the inside — an assumption numerous cybersecurity experts have put forth since the FBI formally accused Pyongyang.
Using Sony human resources documents leaked in the hack itself, researchers looked back through employees with the background and motivation that would likely underlie such an attack. One with a “very technical background” included on a list of layoffs from earlier this spring stood out, and a follow-up investigation of the individual’s online communications revealed disgruntled posts on social media referencing the layoffs.
After examining intercepted communications of other individuals in contact with hacker and hacktivist groups in Europe and Asia (through which the Sony hack was routed), Norse connected one of those individuals with the Sony employee on a server that featured the earliest-known version of the malware used against Sony.
Stammberger said the company would report its findings to the FBI Monday.
“They’re the investigators,” Stammberger said. “We’re going to show them our data and where it points us. As far as whether it is proof that would stand up in a court of law? That’s not our job to determine, it is theirs.”
Stammberger also said Norse found evidence linking the employee to well-known illegal media download hubs like Pirate Bay, which frequently features free downloads of big-budget Hollywood films.