A new report into the damaging attack on Sony Pictures Entertainment has uncovered a long-active hacking group that may be connected to North Korea.
Security vendor Novetta, working together with Kaspersky Labs, Symantec and AlienVault, has produced an extensive report into the attack [pdf] which it said was initiated by hackers dubbed the Lazarus Group.
Sony Pictures was attacked in November 2014. The US FBI has claimed North Korea was behind the hack, which used data-wiping malware and was thought to be retaliation for a Sony Pictures film, The Interview, which ridiculed the North Korean dictator Kim Jong-un.
At the time, several security researchers cast doubt on the FBI's claims, arguing the hack was more likely performed by insiders with access to SPE's systems.
Now, however, the security vendors that investigated the hack believe the FBI was probably right.
"Although our analysis cannot support direct attribution of a nation-state or other specific group due to the difficulty of proper attribution in the cyber realm, the FBI’s official attribution claims could be supported by our findings," the report stated.
The hackers may have attempted to disguise themselves as hacktivists to throw trackers off the scent and to spread disinformation, according to the report.
A previously unknown group, Guardians of Peace, claimed responsibility for the attack and posted the stolen sensitive data on the internet, only to completely disappear after the attack.
While North Korea's ICT infrastructure is poor compared to that of developed countries, Novetta said cyber attacks were "no longer limited to highly-resourced nation states".
The Lazarus Group may have been active since 2007, and the researchers have tied 45 different malware families with shared code to the hackers.
These include programs for distributed denial of service attacks, keystroke logging, remote access and surveillance, and disk wiping, among others.
South Korean and US government agencies, financial institutions, media and entertainment companies and critical infrastructure utilities have been the main targets for the Lazarus Group over the years.
However, the Lazarus Group has been active worldwide, attacking targets in Taiwan, Japan, China, Italy, India and Brazil, as well as other countries.