From the FBI's Dec. 19 report:
- From Risk Based Security's excellent timeline of events:
- Sony was crushed on November 24.
- Guardians of Peace at that time had public contact info and a facebook page. RBS was able to contact them.
- GoP claimed to have collected 12 terabytes of data from Sony.
- GoP began publishing Sony data on December 1, one week after shutting down Sony's network.
- GoP uses a different e-mail address every day, and these emails are likely compromised accounts of real people.
- NBC News was first to suggest North Korean responsibility on December 1.
- The FBI attempted to visit security research Dan Tentler, who has been investigating the Sony hack, for "illegal downloading".
- Someone claiming to represent GoP sent emails to Sony employees threatening the lives of their families. Another email from GoP denied responsibility.
- Mandiant was hired to investigate the Sony hack before it became public.
- From leaked emails, a group called God’sApstls had emailed Sony executives on November 21.
- An anonymous pastebin identifies Guardians of Peace as Tunisian Hacker Team members Beent1988, sillux, TheEyetion, and Supothis. RBS warns that the information is not reliable.
- The malware is similar to the malware used in the 2013 attack on South Korean banks
- The malware is similar to malware previously known to be used by North Korea
- The infrastructure used is known to have previously been used by North Korea
Marc Rogers, the top security guy of Cloudflare and the Black Hat conference:
- The Destover file deletion tool used in the Sony attack is very similar to the
Disttrack/Shamoon tool used in a 2012 attack on ARAMCO in 2012 and the wiper used in
the 2013 DarkSeoul attack on South Korean banks and television.
- The Shamoon source code was leaked and is widely available if you know where to look.
- All but one of the alleged C&C servers are known public proxies used by multiple actors.
From the GoP hacker Lena, via Verge:
- From an anonymous source, the GoP used the network of the St. Regis hotel in Bangkok on Dec. 2 just after midnight local time
- From Liam O Murchu of Symantec, the GoP used a C&C server that was used in the 2013 attack on South Korean banks.
- McAfee had found similarities between the 2013 attack and attacks on US and South Korean military sites dating to 2009.
- CrowdStrike has tracked the attackers since 2006 and identifies them as North Korean.
Fusion Media and
From Kurt Stammburger at Norse Security, cited by CBS:
- GoP had physical access to Sony's facilities and "staff with similar interests" let them in.
- Lena initially claimed that GoP's goal was "equality", saying "We Want equality. Sony doesn’t. It’s an upward battle."
From Brian Fung at WaPo:
- Stammburger has tentatively identified Lena as a ten-year Sony employee
who left Sony in May and "was in precisely the right position and had the deep
technical background she would need to locate the specific servers that
- The "North Korean" malware identified by the FBI is generic and in wide use by all sorts of hackers.
- The GoP did not make any demands regarding the movie The Interview until late in their campaign.
- Hackers claiming ties to Anonymous launched OpRIPNK to to DDoS North Korea.
- TheAnonMessage endorsed OpRIPNK and was denounced by YourAnonNews for a separate issue.
- Lizard Squad celebrated the DDoS of North Korea.
citing leaked Sony emails:
- The speed with which the national security apparatus blamed North Korea for the hack is suspicious.
- IntelCrawler has identified several Lizard Squad members as members of Guardians of Peace.
- Sony has been compromised by multiple hacking rings for years.
- Sony was warned in late 2013 of hackers stealing gigabytes of data.
From Marc Rogers:
- A high-ranking CIA agent met with Sony's head of security Stevan Bernard on October 31.
- Undersecretary of State Richard Stengel and other feds asked Sony to produce propaganda against ISIS.
From The Daily Beast:
- The Guardians of Peace text "reads to me like an English speaker pretending to be bad at writing English" rather than a Korean with poor grasp of English.
- The Guardians of Peace did not mention North Korea or The Interview until after the media suggested that North Korea may have been behind the attack because of the movie.
- The code was written on a PC with Korean locale, but Rogers suggests this is meaningless.
- The destruction of Sony's data combined with the failure to take advantage of it suggests that the attacker was motivated by revenge.
- The Guardians of Peace laughed at the FBI's assumption that North Korea was responsible.
- The GoP linked to the "You Are An Idiot" video.
- Richard Nixon once referred to South Korea as "the guardians of peace", a possible origin
of the group's name.
- An anonymous pastebin claiming to represent
a group of 25-30 Anonymous members threatened further hacking attacks against Sony if they
failed to release The Interview.
Edit Dec. 26: Lizard Squad got doxxed by Finest Squad. Most of the lizards are high school age or younger, suggesting that there are leaders yet to be identified. The oldest name in the list is a 32yo who goes by "Criminal", "CGOD", or "Fatally" online, suggesting he might be the most experienced in the group (that we know of) and inclined to criminal behaviour.
The full list of names is: chF/chFthemango/FTBG cHF, clerk/nitrous/verdict, TokenTheGod/OMG Treh/BaseSquad, kms/underscore, Criminal/CGOD/Fatally, Jordie, MLT. A separate doxx by "Dox Squad" identifies additional members: Satan666/Satan600, Teridax/AlphaQuintesson, PriNc£/Dox_Boi, Komodo/SYNACKtra, BP/Onion Cow/GaySexWithDad, Niko/PussySquirting, and Cedrick/Cedrick8I. Additional names are given for chF: chFTheCat, Clerk: Savaged/NotClerk. Another doxx lists TokenTheGod as Lizard Squad's leader, GDK Jordie as co-leader, chF as manager, and gives additional names: Souly (IP provisioning), dox_boi (doxxing and swatting), lolaristocrat (doxxing), Talos. It mentions that Criminal/Fatally had been raided. Most of the Finest Squad doxx was copied and pasted from a Dec. 9 doxx by YourAnonGlobo. Also, Lizard Squad is threatening to doxx Finest Squad back.
None of these doxx mention any alleged links between Lizard Squad and GoP, so IntelCrawler's claim that they are related has no outside support yet.
Edit Jan 10: Rumor has it that several lizards have moved to Team P0ison. The /baphomet/ group on 8chan is pointing the finger at DeleteSec / Deadman1420 as a lizard affiliate who was dumb enough to go to 8chan from his home IP and brag that he DDOSed them. It's not impossible that someone else was using his system as a proxy.
Edit Feb 1: Unconfirmed chatlogs and rumors suggest that Lizard Squad's Vince Omari and Julius "Ryan" Kivimaki got picked up by the police in January, were released, and then started attacking 8chan's Gamergate forum. That ain't suspicious at all.
IntelCrawler has released a report on Lizard Squad attempting to link them to Guardians of Peace.
- The strongest link is that a lizard admitted "knowing some people from the GOP" and "handed over some Sony logins to them".
- Lizard Squad domain host Abdilo/Notavirus/Survivaton "left Lizard Squad in October", has a history of hacking South Korean targets, and had tweeted about GoP after the group had been named in the press.
- Teridax was tweeting jokes about 9/11 around the time a GoP paste mentioned 9/11, which is entirely meaningless
- lolaristocrat joked about being from North Korea after the media blamed the Sony attack on North Korea, which is even more meaningless
That's not very strong. Additional Lizards named by IntelCrawler are ladykiller/labelled, sp3c, Vagineer, Chameleon, ryan (Kivimaki), dragon, and Gecko. I suspect that Chameleon, dragon, Komodo, and Gecko probably have different names and took lizard-themed names for Lizard Squad. Abdilo has been known to livestream his attacks, has openly attacked .gov and .mil sites for months from his home IP, and has not been arrested. The hacking group The Empire published Abdilo's request for membership.
So far it looks like the link between Lizard Squad and GoP is very weak.
Edit Dec 28: Not about the hack but worthy of a facepalm, Sony pirated some of the music in the movie. This from the same company that put rootkits on its music CDs.
Edit Dec 29: Norse Security has now identified six individuals involved in the hack. Charles C. Johnson has identified a second Sony employee as an involved hacker. This "lena2" is a senior systems administrator in Sony's payroll department, which Sony's consultants Bain & Co. eliminated. Leaked data suggests that lena2 may be Shahana Manjra, but nothing is confirmed yet.
From Jonathan Langdale: "They are looking at the wrong Lena. Lena was a June pink slip, used as a decoy. They have another name though."
Edit Jan 10: The FBI denounced Norse's information as not credible.
Edit Jan 10: The RBS timeline has updated.
Edit Feb 1: The NSA claims it had broken into North Korea's network and watched the attack go down. That would be exceptionally strong evidence if true.
Here's a conspiracy theory found while googling around for more info about the attack: TahoeBlue at Prison Planet thinks Sony did it to themselves to distract the public from the movie "Unbroken", about a Japanese POW camp during WWII. This idea has motive and nothing else going for it.