Firm Says Insider Was Behind Sony Hack

December 30, 2014 Updated: December 30, 2014

A disgruntled ex-employee, not North Korea, was instrumental in the hack of Sony, according to the security firm Norse, which conducted its own investigation using data leaked during the hack.

The data leaked by an online group self-titled Guardians of Peace contained the personal information from more than 47,000 current and former Sony employees, including salaries and Social Security numbers.

Norse analyzed leaked data from Sony’s human resources department to identify an employee who was fired during the company’s spring 2014 layoffs, and later found that she made angry social media posts about Sony, and communicated with hacker-activist groups, Norse Senior Vice President Kurt Stammberger told the Security Ledger.

Stammberger told the Ledger that Norse’s findings are still speculative, and the company intends to turn their results over to the FBI so that the agency can continue its investigation.

“We are very confident this was not an attack masterminded by North Korea and that insiders were key to the implementation of the one of the most devastating attacks in history,” Stammberger told CBS. “This woman was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised.”

The FBI concluded last week that North Korea was responsible for the hacking of Sony, citing North Korean IP addresses from machines used by the hackers and malware similar to those used in the 2013 South Korea cyber attacks. North Korea is believed to be motivated to retaliate for Sony’s distribution of “The Interview,” a comedy film, which depicts the assassination of the country’s leader Kim Jong Un.

Stammberger said that the pieces of evidence linking the attack to North Korea were decoys. For instance, the malware used in the Sony hack is used by other hackers worldwide, and the hackers sent emails to Sony asking for money before they referenced “The Interview.”

Norse is not alone in its skepticism about the FBI’s conclusion. Last week, Cloudflare researcher Marc Rogers rejected the FBI’s blame of North Korea for the attack, arguing that hackers would hijack machines to leave false IP traces and cover up their tracks.

However, Norse is the first to point to an alternate agent as responsible for the attacks. Stammberger told the Ledger that Norse had identified five other individuals who likely worked with the ex-employee to hack Sony, two from the United States, and one each from Canada, Singapore, and Thailand.