The perpetrators of the 2014 cyber attack on Sony Pictures Entertainment (SNE) were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan and Taiwan, according to a coalition of security companies that jointly investigated the Sony case for more than a year.
The coalition, organized by security analytics company Novetta, concluded in a report released on Wednesday that the hackers were government-backed but it stopped short of endorsing the official U.S. view that North Korea was to blame.
The Obama administration has tied the attack on Sony Corp’s film studio to its release of The Interview, a comedy that depicted the fictional assassination of North Korean leader Kim Jong Un.
Novetta said the breach “was not the work of insiders or hacktivists.”
“This is very much supportive of the theory that this is nation-state,” Novetta CEO Peter LaMontagne told Reuters. “This group was more active, going farther back, and had greater capabilities and reach than we thought.”
Novetta worked with the largest U.S. security software vendor Symantec (SYMC), top Russian security firm Kaspersky Lab and at least 10 other institutions on the investigation, a rare collaboration involving so many companies.
They determined that the unidentified hackers had been at work since at least 2009, five years before the Sony breach. The hackers were able to achieve many of their goals despite modest skills because of the inherent difficulty in establishing an inclusive cyber security defense, the Novetta group said.
LaMontagne said the report was the first to tie the Sony hack to breaches at South Korean facilities including a power plant. The FBI and others had previously said the Sony attackers reused code that had been used in destructive attacks on South Korean targets in 2013.
The Novetta group said the hackers were likely also responsible for denial-of-service attacks that disrupted U.S. and South Korean websites on July 24, 2009. The group said it found overlaps in code, tactics and infrastructure between the attacks.
Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the United States had not silenced the gang.
The coalition of security companies distributed technical indicators to help others determine if they had been targeted by the same hackers, which Novetta dubbed the Lazarus Group.