The disastrous Sony hack of late 2014 was just one of many attacks that have been, and continue to be, carried out by the same group of hackers. According to new data from malware researchers Juan Andrés Guerrero-Saade and Jaime Blasco, as summarized in Wired, there is substantial evidence that the hackers reuse the same techniques and code bases across a range of targets.
Using a tool called YARA, which identifies suspicious activity and malware, researchers compiled a “taxonomy” of various types of malware and techniques. “Over the course of more than a year, they collected 400 to 500 malware samples used in attacks now believed to be related,” Wired says, “as well as other digital footprints left behind by the group or groups of hackers behind the attacks.” The hackers also used the same dropper (the code that inserts malware into a computer) in several of their intrusions.
While some of the similarities noted were simple, such as a repeated misspelling of “Mozilla” as “Mozillar,” most of the telltale signs are more technical in nature. The researchers found that the hackers maintained an ever-changing list of sandbox names for their malware to watch out for. Sandboxes are computer environments virtually separated from the rest of the machine, and antivirus programs use them to execute and analyze potentially malicious code.
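The approach described above (matching shared artifacts such as a misspelled string or a sandbox hostname list, then linking samples that share them into a “taxonomy”) can be illustrated with a small YARA-style matcher. The following is an added example, not code from the researchers or from Wired: the indicator names, byte patterns and sample blobs are all constructed placeholders, and a real workflow would express the patterns as YARA rules over actual samples.

```python
# Added example: YARA-style artifact matching and clustering of malware samples.
# All indicators and samples here are constructed for illustration; none are
# taken from the research summarized in the article.
from itertools import combinations
from typing import Dict, List, Set

# Constructed indicator set: a name and the byte pattern a YARA string would match.
INDICATORS: Dict[str, bytes] = {
    "mozillar_typo": b"Mozillar/",       # the misspelled "Mozilla" user-agent string
    "sandbox_list": b"SANDBOX-HOST-A",   # placeholder sandbox hostname from an evasion list
    "dropper_stub": b"DROP_SECTION_X",   # placeholder marker for a shared dropper stub
}


def match_indicators(sample: bytes) -> Set[str]:
    """Return the names of every indicator whose pattern occurs in the sample.

    This mirrors the 'strings' section of a YARA rule: each indicator is a
    literal byte pattern, and a hit means the pattern appears anywhere in the file.
    """
    return {name for name, pattern in INDICATORS.items() if pattern in sample}


def cluster_samples(samples: Dict[str, bytes], min_shared: int = 1) -> List[Set[str]]:
    """Group samples that share at least `min_shared` indicators.

    Linking is transitive (union-find): if A shares an artifact with B and B with C,
    all three land in one cluster, which is how a shared dropper or string can tie
    otherwise different-looking intrusions to one toolset.
    """
    hits = {sid: match_indicators(blob) for sid, blob in samples.items()}
    parent = {sid: sid for sid in samples}

    def find(x: str) -> str:
        # Path-compressing root lookup.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if len(hits[a] & hits[b]) >= min_shared:
            parent[find(a)] = find(b)

    groups: Dict[str, Set[str]] = {}
    for sid in samples:
        groups.setdefault(find(sid), set()).add(sid)
    # Deterministic ordering so results are easy to compare.
    return sorted(groups.values(), key=lambda g: sorted(g))


# Constructed sample contents (stand-ins for binaries): s1 carries the typo and the
# sandbox name, s2 the sandbox name and the dropper stub, s4 only the dropper stub,
# and s3 is a clean decoy that shares nothing with the others.
SAMPLES: Dict[str, bytes] = {
    "s1": b"...User-Agent: Mozillar/4.0 ... SANDBOX-HOST-A ...",
    "s2": b"... DROP_SECTION_X ... SANDBOX-HOST-A ...",
    "s3": b"... User-Agent: Mozilla/5.0 ... nothing shared ...",
    "s4": b"... DROP_SECTION_X ...",
}

if __name__ == "__main__":
    for sid, blob in SAMPLES.items():
        print(sid, sorted(match_indicators(blob)))
    print("clusters (>=1 shared):", cluster_samples(SAMPLES))
    print("clusters (>=2 shared):", cluster_samples(SAMPLES, min_shared=2))
```

Raising `min_shared` is the knob a researcher turns to trade recall for confidence: with one shared artifact, s1, s2 and s4 chain together through the sandbox name and the dropper stub, while requiring two shared artifacts leaves every sample on its own.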
The exact identity of whoever is orchestrating the attacks (and how many people or groups are involved) is still very unclear, but connecting the dots between the tools they use makes the picture slightly clearer. While many believe that the Sony hack was executed by or on behalf of North Korea, that has not been definitively proven. There is evidence to support this belief, though: an analysis of dozens of intrusions shows that “the adversaries appear to have focused exclusively on targets in South Korea, and they’ve made the mistake several times of leaving Korean language in their files when they compiled their code.”
Still, Guerrero-Saade and Blasco are not in the business of identifying hackers, only studying them. There are a lot of blank spaces left to fill.