Norse Security says its investigation points to six suspects, and no involvement by North Korea.
While the FBI maintains that North Korea is the prime suspect in the recent Sony Pictures computer network hack, a respected security firm monitoring the breach has come to radically different conclusion.
Norse is a security firm with offices in Silicon Valley, and St. Louis, and while the firm has not been retained by Sony in any way, it has nonetheless conducted its own independent investigation of the network breach. So far, Norse says it has connected six people around the world to the hack, including one former Sony Pictures employee that was laid off in May 2014.
Five of these suspects have been tied to specific locations — one in Canada, one in Singapore, one in Thailand, and two in the United States.
Norse used some of the publicly leaked data to conduct its investigation, including lists of SPE employees laid off in April and May 2014 during a company restructure. Operating under the premise that the hack was assisted by a current or former employee, Norse investigators found one laid off employee with deep technical background. Norse then tailed the suspect online, looking at social media posts, and IRC (Internet Chat Relay) chat communications made by the suspect. Monitoring IRC activity led to conversations between the suspect, and various hackers and hacktivist groups based in Europe and Asia.
As the Norse investigation is independent, the firm has shared its findings with the FBI, who met with the investigation team in Norse’s St. Louis offices. “They’re the investigators,” said Norse senior VP Kurt Stammberger to The Security Ledger. “We’re going to show them our data and where it points us. As far as whether it is proof that would stand up in a court of law? That’s not our job to determine, it is [the FBI’s].”
The theory set forth by Norse is the latest to challenge the FBI’s assertion that North Korea was behind the Sony Pictures hack. Others have pointed to evidence that key leaked data was possibly taken off the network via local storage (a flash drive or external hard drive), while linguistics experts say whoever was communicating on behalf of the involved hacker group (identified as Guardians of Peace, or GOP), is a native Russian speaker.
While North Korea is sure to remain in the FBI’s crosshairs, mounting evidence for alternate theories is becoming more difficult to ignore by the day.
Sources: Norse | The Security Ledger