Breach, Data Security, Incident Response, TDR

Researchers investigate, suggest fired employees assisted in Sony hack


Researchers are saying that one or more former employees may have aided in the massive hack of Sony.

Operating under an assumption that at least one insider must have aided in the attack, Norse Corporation posted on Monday that it is focusing on a group of six individuals, one of whom seems to be an ex-employee with a technical background and knowledge of Sony's systems.

“System administrators have very deep knowledge about internal networks, systems and data, as well as very broad access that gives them ‘god-like' privileges,” Eric Chiu, president and cofounder of HyTrust, said in a statement emailed to on Tuesday.

The Norse effort is based on leaked human resources documents that reveal a series of layoffs at Sony that occurred sometime in spring 2014, according to the post, which explains that researchers “tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack.”

The researchers believe the ex-employee was working with “pro-piracy hacktivists,” according to the post. “We think we see indicators of those two groups of people getting together,” Kurt Stammberger, senior vice president of Norse, was quoted as saying.

Citing Stammberger and an unnamed FBI source, CNN reported on Tuesday that officials met with Norse on Monday.

The FBI looked at evidence provided by Norse – which includes information on an employee that was laid off in May after working for Sony in Los Angeles for 10 years – but is still continuing to operate under the determination that North Korea is behind the attack, according to the report.

Citing an unnamed FBI agent and Los Angeles Police Department (LAPD) officer, Got News reported on Tuesday that the FBI and the LAPD are investigating “an insider group working with outsider help,” adding that one leaker may have connections to a Canada-based hacker affiliated with LulzSec.

“The insider threat is the number one attack vector today and can lead to the greatest damage,” Chiu said. “The recent development that the breach at Sony may have been led by former Sony employee(s) that were laid off is yet another wake up call to this.”

Meanwhile, The Washington Post reported on Monday that hacker group Lizard Squad is taking responsibility for providing some Sony employee logins to Guardians of Peace (GoP), the hacker group allegedly responsible for the attack on Sony.

“The news that Lizard Squad may have provided the stolen credentials from Sony that were used by the GoP in the Sony breach underscores the misplaced confidence companies have in the strength of their user account security and password management,” Trey Ford, global security strategist with Rapid7, said in a statement emailed to on Tuesday.

Looking at credentials management in 2015, Ford said organizations need to have strong password policies, enable two-factor authentication for external access, and deploy account behavior monitoring and intruder detection.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.