<div dir="ltr"><a href="https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/">https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/</a><br><br><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">On November 24th, 2014 a<span> </span></span><a href="http://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_work_for_sony_pictures_my_friend_still/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Reddit post appeared</span></a><span style="font-weight:400"><span> </span>stating that Sony Pictures had been breached and that their complete internal network, nationwide, had signs that the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This started a long twisting road for Sony as details of the hack came out for months after. The resulting fallout had considerable impact for Sony, their executives, and many others unaffiliated with Sony.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Risk Based Security covered this incident with an initial blog written on November 24, 2014,<span> </span></span><a href="https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">and updated 23 times</span></a><span style="font-weight:400"><span> </span>with the last update on February 22, 2015. 
We followed that up with what was to be a final piece on February 18, 2016, taking a look a “</span><a href="https://www.riskbasedsecurity.com/2016/02/sony-a-year-after-the-hack/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Year After the Hack</span></a><span style="font-weight:400">”. While we didn’t count Sony out for further news, large-scale hacks like this rarely see definitive attribution or any form of closure. We moved on,<span> </span></span><a href="https://cyberriskanalytics.com/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">cataloging the thousands of other breaches</span></a><span style="font-weight:400"><span> </span>that have happened since.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">On September 6, 2018, news broke that the U.S. 
Department of Justice (DOJ)<span> </span></span><a href="https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">announced charges</span></a><span style="font-weight:400"><span> </span>and filed an indictment against a North Korean “spy” for his role in the hacking of Sony (and others) and the authoring of the<span> </span></span><a href="https://www.darkreading.com/attacks-breaches/get-ready-for-wannacry-20-/d/d-id/1331834" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">WannaCry 2.0</span></a><span style="font-weight:400"><span> </span>malware (</span><a href="https://int.nyt.com/data/documenthelper/274-park-jin-hyo-complaint/7b40e5ed5b185f141e1a/optimized/full.pdf#page=1" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">PDF of Indictment</span></a><span style="font-weight:400">). The indicted, Park Jin-hyok (박진혁; a/k/a Jin Hyok Park and Pak Jin Hek), was charged with (1) a violation of 18 U.S.C. § 371 (Conspiracy), for conspiring to commit the following offenses: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), (a)(5)(A)-(C) (Unauthorized Access to Computer and Obtaining Information, with Intent to Defraud, and Causing Damage, and Extortion Related to Computer Intrusion); and (2) a violation of 18 U.S.C. § 1349 (Conspiracy), for conspiring to commit the following offense: 18 U.S.C. § 1343 (Wire Fraud).</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">It is believed that Mr. 
Park works for<span> </span></span><a href="https://en.wikipedia.org/wiki/Reconnaissance_General_Bureau" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">North Korea’s Reconnaissance General Bureau</span></a><span style="font-weight:400"><span> </span>(their equivalent of our C.I.A.) according to the DOJ. Specifically, the complaint alleges that Mr. Park is a member of the DPRK-sponsored hacking team known in the private sector as “Lazarus Group” (a/k/a Hidden Cobra), and worked for a front company named Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”) while conducting the activity.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">You can read more about this latest development all over the media, including<span> </span></span><a href="https://www.nytimes.com/2018/09/06/us/politics/north-korea-sony-hack-wannacry-indictment.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">The New York Times</span></a><span style="font-weight:400">,<span> </span></span><a href="https://www.cnet.com/news/justice-department-charges-north-korean-hacker-linked-to-wannacry-2014-sony-hack/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">CNET</span></a><span style="font-weight:400">,<span> </span></span><a href="https://motherboard.vice.com/en_us/article/j5nyyx/doj-charge-north-korea-wannacry-sony-hack" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Motherboard</span></a><span style="font-weight:400">, the<span> </span></span><a 
href="https://www.washingtonpost.com/world/national-security/justice-department-to-announce-hacking-charges-against-north-korean-operative-the-charge--stemming-from-the-2014-sony-pictures-case--is-the-first-against-a-pyongyang-spy/2018/09/06/f477bfb2-b1d0-11e8-9a6a-565d92a3585d_story.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Washington Post</span></a><span style="font-weight:400">,<span> </span></span><a href="https://www.reuters.com/article/us-cyber-northkorea-sony-justice/u-s-charges-north-korean-hacker-for-cyber-attacks-against-sony-uk-nhs-idUSKCN1LM2HU" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Reuters</span></a><span style="font-weight:400">,<span> </span></span><a href="https://www.bloomberg.com/news/articles/2018-09-06/urgent-justice-dept-set-to-announce-charges-in-sony-pictures-hack" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Bloomberg</span></a><span style="font-weight:400">, and others. If you are a journalist, we sympathize with you!</span></p><h4 style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;font-weight:normal;text-decoration:none;margin:0px 0px 5px;padding:0px;font-size:14px;background-color:rgb(247,247,247)"><strong>Lazarus and the Lead Up</strong></h4><h4 style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;font-weight:normal;text-decoration:none;margin:0px 0px 5px;padding:0px;font-size:14px;background-color:rgb(247,247,247)">Since the news of the Sony hack slowly faded out of public attention, one group suspected to be involved in the hack has been active. Over the last few years, news and research about Lazarus Group has continued to come out. 
Looking back at a brief highlight of the history of these stories makes a North Korea indictment not so surprising.</h4><ul style="list-style-type:square;margin:0px;padding:0px 0px 15px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Feb 24, 2016 – Several security companies created “</span><a href="https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Operation Blockbuster</span></a><span style="font-weight:400">” and published a report detailing activity by Lazarus Group as well as signatures for many security products to detect and disrupt their activity.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Feb 24, 2016 –<span> </span></span><a href="https://www.darkreading.com/threat-intelligence/sony-hackers-behind-previous-cyberattacks-tied-to-north-korea-/d/d-id/1324422" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">According to a new investigation</span></a><span style="font-weight:400">, Lazarus Group has been conducting attack campaigns since at least 2009, and factored into the FBI’s conclusion that North Korea was behind the Sony breach.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Feb 13, 2017 – A “</span><a href="https://www.theregister.co.uk/2017/02/13/sony_pictures_hackers_lazarus_returns/" target="_blank" rel="noopener" 
style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">worldwide bank attack blitz</span></a><span style="font-weight:400">” is linked to the same hackers who compromised Sony.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Mar 22, 2017 – A North Korean group is suspected of<span> </span></span><a href="https://www.bloomberg.com/news/articles/2017-03-22/north-korea-link-said-to-be-probed-in-n-y-fed-account-theft" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">theft of federal funds</span></a><span style="font-weight:400"><span> </span>in Bangladesh. </span><span style="font-weight:400">Lazarus Group<span> </span></span><a href="https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">was eventually linked to the February 2016 attack</span></a><span style="font-weight:400"><span> </span>on the Bangladesh Central bank resulting in more than $850 million in fraudulent SWIFT transactions, $80 million of which had not been recovered.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">May 15, 2017 – The WannaCry ransomware is said to<span> </span></span><a href="https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">have links to North Korea</span></a><span style="font-weight:400">.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">May 16, 2017 – Lazarus 
Group<span> </span></span><a href="http://www.euronews.com/2017/05/16/lazarus-group-suspected-of-hack-attack" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">suspected of infecting</span></a><span style="font-weight:400"><span> </span>as many as 300,000 computers across 150 countries using the WannaCry ransomware.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">May 18, 2017 – Article titles are<span> </span></span><a href="http://www.latimes.com/nation/la-fg-lazarus-group-20170518-story.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">definitively linking</span></a><span style="font-weight:400"><span> </span>Lazarus Group to Sony at this point.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">May 23, 2017 –<span> </span></span><a href="https://www.cyberscoop.com/wannacry-symantec-lazarus-group/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Multiple</span></a><span> </span><a href="https://www.cnbc.com/2017/05/23/symantec-says-highly-likely-north-korea-group-behind-ransomware-attacks.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">articles</span></a><span style="font-weight:400"><span> </span>cite researchers saying that North Korea is “highly likely” to be behind ransomware attacks.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Jun 13, 2017 – US-CERT<span> </span></span><a href="https://www.us-cert.gov/ncas/alerts/TA17-164A" target="_blank" 
rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">issues an advisory</span></a><span style="font-weight:400"><span> </span>about HIDDEN COBRA, the code name for North Korea’s DDoS Botnet infrastructure.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Jun 14, 2017 – Engadget<span> </span></span><a href="https://www.engadget.com/2017/06/14/us-issues-alert-north-korea-cyber-attack-hidden-cobra/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">publishes a summary article</span></a><span style="font-weight:400"><span> </span>saying that North Korea has been “</span><i><span style="font-weight:400">hacking everyone since 2009</span></i><span style="font-weight:400">”.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Nov 20, 2017 – McAfee Mobile Research<span> </span></span><a href="https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">publishes findings</span></a><span style="font-weight:400"><span> </span>linking Lazarus Group to new Android malware, installed more than 1,300 times.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Dec 17, 2017 –<span> </span></span><a href="http://fortune.com/2017/12/17/bitcoin-north-korea/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">It is reported</span></a><span style="font-weight:400"><span> </span>that Lazarus Group is targeting Cryptocurrency 
Executives in phishing campaigns.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Feb 12, 2018 – Lazarus Group<span> </span></span><a href="https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">pops back on radar</span></a><span style="font-weight:400">, targeting both global banks and Bitcoin users in a campaign dubbed HaoBao.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Apr 30, 2018 –<span> </span></span><a href="https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-server-thailand-sony-pictures-cyber-attack-a8329586.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Servers are seized in Thailand</span></a><span style="font-weight:400"><span> </span>due to their use in computer crime and have links to Lazarus Group.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Aug 23, 2018 – Continuing their targeted attacks on Cryptocurrency exchanges, Lazarus Group uses macOS malware<span> </span></span><a href="https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">for the first time</span></a><span style="font-weight:400">.</span></li></ul><p style="margin:0px;padding:0px 0px 
10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">Among the evidence used to link Mr. Park to Lazarus Group and criminal activity are Bitcoin payments made as a result of WannaCry infections, tracking banking transactions related to the fraudulent Bangladesh SWIFT activity, and multiple links to North Korean based IP addresses. It is clear from the affidavit that the FBI had been investigating throughout all of the news above.</span></p><h4 style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;font-weight:normal;text-decoration:none;margin:0px 0px 5px;padding:0px;font-size:14px;background-color:rgb(247,247,247)"><strong>What Happened with Sony Since Last Update</strong></h4><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">If you look back at our prior coverage, one consistent bit that Sony dealt with during the breach is a steady level of drama. 
Since the last update, more information has come out pertaining to Sony, the breach, and the aftermath.</span></p><ul style="list-style-type:square;margin:0px;padding:0px 0px 15px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Feb 18, 2016 – Sony Entertainment CEO Michael Lynton<span> </span></span><a href="https://variety.com/2016/digital/news/michael-lynton-sony-hack-fax-machine-1201709910/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">resorts to sending faxes</span></a><span style="font-weight:400">, still worried about emails being compromised.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Feb 24, 2016 – Ongoing analysis of the breach suggests the hackers were causing mayhem “</span><a href="https://www.wired.com/2016/02/sony-hackers-causing-mayhem-years-hit-company/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">years before</span></a><span style="font-weight:400">” they hit Sony.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Apr 6, 2016 – A class action settlement related to the Sony hack<span> </span></span><a href="https://deadline.com/2016/04/sony-hack-lawsuit-settlement-approved-class-action-1201732882/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">gets final approval</span></a><span style="font-weight:400">.</span></li><li 
style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Jun 2, 2016 – A “strained relationship” and “infighting” between Lynton and Steve Mosko, chief of Sony’s television division,<span> </span></span><a href="https://www.hollywoodreporter.com/news/sony-infighting-led-tv-chief-898917" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">led to Mosko leaving</span></a><span style="font-weight:400">.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Jul 28, 2016 – A lawsuit in Florida<span> </span></span><a href="https://www.hollywoodreporter.com/thr-esq/sony-hack-results-lawsuit-failure-915251" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">filed by Possibility Pictures</span></a><span style="font-weight:400"><span> </span>complains that the Sony hack resulted in one of their movies being illegally distributed online.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Aug 11, 2016 – Seth Rogen<span> </span></span><a href="http://time.com/4448238/seth-rogen-has-an-interesting-take-on-amy-pascal/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">defends Amy Pascal</span></a><span style="font-weight:400">, despite her racist remarks, saying her termination was not warranted.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Dec 6, 2016 – Representative Adam Schiff, on the House of Representatives Intelligence Committee,<span> </span></span><a 
href="https://www.reuters.com/article/us-usa-cyber-russia-congress/u-s-lawmaker-sony-hack-may-have-inspired-russian-election-hacking-idUSKBN13V2N3" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">says the U.S. failure</span></a><span style="font-weight:400"><span> </span>to “</span><i><span style="font-weight:400">retaliate strongly for the 2014 cyber attack against Sony Pictures may have helped inspire Russian hackers who sought to interfere in the 2016 U.S. election</span></i><span style="font-weight:400">”.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">May 11, 2017 – A story published on Gawker in 2015 was removed from their archive after<span> </span></span><a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/05/11/how-a-former-sony-chairman-de-indexed-an-article-based-on-his-sony-hack-e-mails/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">pressure from Sony’s Michael Lynton</span></a><span style="font-weight:400"><span> </span>due to the heavy quoting of emails stolen during the breach.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">May 16, 2017 – Michael Lynton<span> </span></span><a href="https://variety.com/2017/digital/news/michael-lynton-sony-hack-snapchat-1202428861/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">confesses</span></a><span style="font-weight:400"><span> </span>that he wasn’t sure the studio would survive the hacking crisis.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span 
style="font-weight:400">Jul 8, 2017 – Amy Pascal, who was terminated by Sony due to racist emails, talks about<span> </span></span><a href="https://www.hollywoodreporter.com/news/amy-pascal-speaks-living-sony-hack-1019544" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">living through the hack</span></a><span style="font-weight:400">.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Aug 21, 2017 – A hacker group called “OurMine”<span> </span></span><a href="https://www.businessinsider.com/playstation-network-allegedly-hacked-ourmine-2017-8" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">claims it breached</span></a><span style="font-weight:400"><span> </span>Sony’s PlayStation Network and stole information.</span></li><li style="list-style-type:none;background:url("images/yes.png") no-repeat;margin:0px;padding:0px 0px 0px 25px;font-weight:400"><span style="font-weight:400">Aug 19, 2018 – Seth Rogen<span> </span></span><a href="https://uproxx.com/movies/seth-rogen-sony-hack-no-guilt/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">tells the media</span></a><span style="font-weight:400"><span> </span>why he never felt guilt in his role in the Sony breach.</span></li></ul><div id="gmail-attribution" style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"></div><h4 style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;font-weight:normal;text-decoration:none;margin:0px 0px 5px;padding:0px;font-size:14px;background-color:rgb(247,247,247)"><strong>Attribution</strong></h4><p style="margin:0px;padding:0px 0px 
10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">We said in the<span> </span></span><a href="https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/#attributionguessinggameperspective" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">original Sony blog series</span></a><span style="font-weight:400">, and many times since, that attribution of a hack is difficult at best, impossible many times. Being able to track the attack to a single person, if a skilled attacker, presents many challenges that make law enforcement ineffective. In many cases, it is third-party security firms with research divisions that do a lot of the heavy lifting. They share this information with law enforcement and many times can greatly improve the odds of attribution.</span></p><p style="margin:0px;padding:0px 0px 10px;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><span style="font-weight:400">With Sony, it was curious to see who blamed who in 2014 and 2015. Note that it was a fluid situation during the breach and subsequent fallout, as different people and firms investigated, selectively sharing their findings (sometimes with media, sometimes with law enforcement). It caused a bit of flip-flopping in some cases for the Obama administration while others took a stance early on and doubled-down at every opportunity. 
Reading back through the articles, we have created a list of who attributed to who back then:</span></p><table border="1" cellspacing="4" cellpadding="4" style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><tbody><tr><td bgcolor="#819FF7"><span style="font-weight:400">Attributor</span></td><td bgcolor="#819FF7"><span style="font-weight:400">Attribution</span></td><td bgcolor="#819FF7"><span style="font-weight:400">Date</span></td><td bgcolor="#819FF7"><span style="font-weight:400">Source</span></td></tr><tr><td><span style="font-weight:400">North Korea</span></td><td><b>maybe</b><span style="font-weight:400"><span> </span>North Korea</span></td><td><span style="font-weight:400">2014-12-02</span></td><td><a href="https://www.bbc.com/news/world-asia-30283573" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">BBC Article</span></a></td></tr><tr><td><span style="font-weight:400">North Korea</span></td><td><b>not</b><span style="font-weight:400"><span> </span>North Korea</span></td><td><span style="font-weight:400">2014-12-07</span></td><td><a href="https://www.nytimes.com/2014/12/08/business/north-korea-denies-hacking-sony-but-calls-attack-a-righteous-deed.html" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">New York Times</span></a></td></tr><tr><td><span style="font-weight:400">Joe Demarest, FBI</span></td><td><b>not</b><span style="font-weight:400"><span> </span>North Korea</span></td><td><span style="font-weight:400">2014-12-09</span></td><td><a href="https://www.reuters.com/article/us-sony-cybersecurity-fbi/fbi-official-says-no-attribution-to-north-korea-in-sony-hack-probe-idUSKBN0JN1MF20141209" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Reuters 
Article</span></a></td></tr><tr><td><span style="font-weight:400">Unnamed Source Investigating</span></td><td><span style="font-weight:400">China</span></td><td><span style="font-weight:400">2014-12-15</span></td><td><a href="https://deadline.com/2014/12/is-the-chinese-armys-cyber-squad-behind-the-sony-attack-1201325918/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Deadline Article</span></a></td></tr><tr><td><span style="font-weight:400">Marc Rogers, CloudFlare</span></td><td><b>not</b><span style="font-weight:400"><span> </span>North Korea</span></td><td><span style="font-weight:400">2014-12-18</span></td><td><a href="https://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlikely-to-be-the-work-of-north-korea/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Blog Post</span></a></td></tr><tr><td><span style="font-weight:400">Marc Rogers, CloudFlare</span></td><td><span style="font-weight:400">Sony Insider</span></td><td><span style="font-weight:400">2014-12-18</span></td><td><a href="https://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlikely-to-be-the-work-of-north-korea/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Blog Post</span></a></td></tr><tr><td><span style="font-weight:400">Obama Administration / FBI</span></td><td><span style="font-weight:400">North Korea</span></td><td><span style="font-weight:400">2014-12-19</span></td><td><a href="http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">FBI Press Release</span></a></td></tr><tr><td><span style="font-weight:400">CrowdStrike</span></td><td><span style="font-weight:400">North Korea</span></td><td><span style="font-weight:400">2014-12-19</span></td><td><a 
href="https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">CrowdStrike Blog</span></a></td></tr><tr><td><span style="font-weight:400">Taia Global</span></td><td><span style="font-weight:400">Russia</span></td><td><span style="font-weight:400">2014-12-26</span></td><td><a href="https://www.npr.org/sections/alltechconsidered/2014/12/26/373303733/doubts-persist-on-u-s-claims-on-north-korean-role-in-sony-hack" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">NPR Article</span></a></td></tr><tr><td><span style="font-weight:400">Norse Corporation</span></td><td><span style="font-weight:400">Sony Insiders</span></td><td><span style="font-weight:400">2014-12-28</span></td><td><a href="https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Security Ledger</span></a></td></tr><tr><td><span style="font-weight:400">James Clapper, DNI</span></td><td><span style="font-weight:400">North Korea</span></td><td><span style="font-weight:400">2015-01-07</span></td><td><a href="https://www.businessinsider.com/this-is-north-korean-general-behind-sony-hack-2015-1" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">Business Insider</span></a></td></tr><tr><td><span style="font-weight:400">Seth Rogen</span></td><td><b>not</b><span style="font-weight:400"><span> </span>North Korea</span></td><td><span style="font-weight:400">2018-04-15</span></td><td><a href="http://www.ign.com/articles/2018/04/16/seth-rogen-doesnt-believe-north-korea-behind-sony-hack" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span 
style="font-weight:400">IGN Article</span></a></td></tr></tbody></table><br class="gmail-Apple-interchange-newline"><div class="entry-content" style="overflow:hidden;color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;background-color:rgb(247,247,247);text-decoration-style:initial;text-decoration-color:initial"><p style="margin:0px;padding:0px 0px 10px"><span style="font-weight:400">As you can see, attribution was all over the place back then, with what appear to be some mistakes as recent as April of this year (Rogen) and some relatively safe bets (Clapper, after seeing the evidence the FBI had). Perhaps the most fascinating are the Norse claims that a Sony insider was involved. That is actually part of a larger,<span> </span></span><a href="https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/" target="_blank" rel="noopener" style="color:rgb(0,103,162);text-decoration:none"><span style="font-weight:400">more specific attribution</span></a><span style="font-weight:400"><span> </span>they made then:</span></p><p style="margin:0px;padding:0px 0px 10px"><span style="font-weight:400">Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand.  The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.</span></p><p style="margin:0px;padding:0px 0px 10px"><span style="font-weight:400">That is a very specific list of people, supposedly backed by enough evidence for Norse to go public, and it doesn’t include a North Korean as far as they knew. 
Hopefully in the future everyone will get a chance to look at the evidence they collected, in light of the latest indictment, and see what happened.</span></p><h4 style="color:rgb(68,68,68);font-family:Arial,Tahoma,Verdana;font-weight:normal;text-decoration:none;margin:0px 0px 5px;padding:0px;font-size:14px"><strong>Conclusion?</strong></h4><p style="margin:0px;padding:0px 0px 10px"><span style="font-weight:400">With these ongoing blog series, we frequently have the notion that we will wrap them up someday. With a criminal indictment and what appears to be definitive proof pointing to North Korea, it seems like this may be the time. But we’ve learned our lessons on these epic data breaches! If more develops on this story, we’ll be here to cover it.</span></p></div><br class="gmail-Apple-interchange-newline"><br></div>