Details are starting to emerge about how Sony was compromised. Sagie Dulce from Imperva reckons he’s seen the Destover back-door software used before, in Saudi Arabia in 2012 and then again in the 2013 Dark Seoul attacks.
A few days ago Jaime Blasco of AlienVault Labs sent me a note about malware samples he’s got hold of, with the following comment:
“From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony’s network and even credentials – usernames and passwords – that the malware uses to connect to systems inside the network. The malware was used to communicate with IP addresses in Europe and Asia, which is common for hackers trying to obscure their location. The hackers who compiled the malware used the Korean language on their systems.”
I’ve had other reports that the malware was compiled using a Korean language development environment. This means nothing to me – a lot of these generic malware kits are.
To me, this is looking more and more like the work of the usual suspects. An inside job – not a sudden and spontaneous lashing out by the North Koreans. This kind of attack requires time to put together.