The researchers tracked the activities of the former employee, a systems administrator who had an extensive technical background and knowledge of Sony's systems, on underground forums where the group appears to have communicated prior to the breach.
Norse senior vice president Kurt Stammberger told The Security Ledger that the group included two people in the U.S., one in Canada, one in Singapore, and one in Thailand.
The ex-employee in question was fired from the company in May 2014.
"The investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented Sony's anti-piracy stance, to infiltrate the company's networks," Anthony M. Freed, Norse's senior editor of publications, explained in a blog post.
The researchers briefed the FBI on their findings earlier this week. "The disclosure casts further doubt on the FBI’s assertion that the attack was carried out by state-sponsored actors under the control of North Korea, a theory that has been all but discredited by a host of security professionals over the last week," Freed wrote.
HyTrust president and co-founder Eric Chiu told eSecurity Planet by email that systems administrators' deep knowledge about internal networks, systems and data, along with very broad access, can provide them with "god-like" privileges.
"Whether you are dealing with a disgruntled employee or an outside attacker that has stolen their credentials, the harm can be devastating and very difficult to detect -- just look at Edward Snowden, who stole millions of classified records, or Shionogi Pharmaceuticals, where a former IT administrator was able to leverage virtualization credentials to destroy every single system that the company ran on in a matter of minutes," Chiu said.
"The insider threat is the number one attack vector today and can lead to the greatest damage," Chiu added.
"Whether attacks are perpetrated by professionals, a nation-state, teenagers, former employees or hacktivists, there is a common attack pattern that we have seen underscored all year long: attackers are using employee accounts against their employers," Rapid7 global security strategist Trey Ford told eSecurity Planet.
Ford suggests that companies take the following steps to protect themselves from these types of breaches:
- Institute strong password policies
- Use two-factor authentication for all external access
- Frequently inventory, assess, and test controls to raise confidence that policies are enforced across the network
- Deploy account behavior monitoring and intruder detection to catch attackers that slip through
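The last two steps above (testing that controls are enforced, and monitoring account behaviour to catch what slips through) can be expressed as a small set of detection rules over authentication and audit logs. The following is an added example, not code from the article, Rapid7 or any vendor: the log format, the account names, IP addresses, the terminated-account list and the thresholds are all constructed assumptions. It flags activity by an offboarded account, external logins that bypass two-factor authentication, logins from a source the account has never used, and a burst of privileged actions (such as virtual machine deletions) by one account inside a short window.

```python
"""Account-behaviour monitoring over constructed audit logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed inputs: assumptions for this example, not real data ----------
TERMINATED_ACCOUNTS = {"exadmin"}           # fed from the HR offboarding process
KNOWN_SOURCES = {                           # per-account baseline of login sources
    "jdoe": {"10.1.4.22"},
    "admin2": {"10.1.9.7"},
    "exadmin": {"10.1.9.8"},
}
PRIVILEGED_EVENTS = {"vm_delete", "user_create", "perm_grant"}
BURST_THRESHOLD = 3                         # privileged events ...
BURST_WINDOW = timedelta(minutes=5)         # ... within this window => alert

# Constructed audit log. Fields:
# timestamp user event source_ip external(1/0) mfa_used(1/0) target
SAMPLE_LOG = """\
2014-11-20T09:02:11 jdoe login 10.1.4.22 0 0 -
2014-11-20T09:05:40 jdoe vm_delete 10.1.4.22 0 0 vm-web-01
2014-11-20T22:14:03 admin2 login 203.0.113.45 1 0 -
2014-11-20T22:14:30 admin2 vm_delete 203.0.113.45 1 0 vm-db-01
2014-11-20T22:14:41 admin2 vm_delete 203.0.113.45 1 0 vm-db-02
2014-11-20T22:15:02 admin2 vm_delete 203.0.113.45 1 0 vm-db-03
2014-11-21T01:30:15 exadmin login 198.51.100.9 1 1 -
2014-11-21T08:00:00 jdoe login 10.1.4.22 0 0 -
"""


def parse_log(text):
    """Turn the whitespace-separated constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, external, mfa, target = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "event": event, "ip": ip,
            "external": external == "1", "mfa": mfa == "1", "target": target,
        })
    return events


def detect_anomalies(events, terminated=TERMINATED_ACCOUNTS,
                     known_sources=KNOWN_SOURCES):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []
    recent_priv = defaultdict(deque)  # user -> timestamps of recent privileged events
    for e in events:
        user = e["user"]
        # Rule 1: any activity at all by an account HR says was offboarded.
        if user in terminated:
            alerts.append(("terminated_account_active", user, e["event"]))
        if e["event"] == "login":
            # Rule 2: the "2FA for all external access" policy is not being enforced.
            if e["external"] and not e["mfa"]:
                alerts.append(("external_login_without_mfa", user, e["ip"]))
            # Rule 3: login from a source this account has never been seen on.
            if e["ip"] not in known_sources.get(user, set()):
                alerts.append(("login_from_new_source", user, e["ip"]))
        # Rule 4: sliding-window count of privileged actions per account; fires
        # when the count reaches the threshold inside the window.
        if e["event"] in PRIVILEGED_EVENTS:
            q = recent_priv[user]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) == BURST_THRESHOLD:
                alerts.append(("privileged_action_burst", user,
                               f"{len(q)} privileged events within {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:28s} {user:8s} {detail}")
```

In this constructed data the ordinary administrator (`jdoe`) produces no alerts, while `admin2` trips three rules on a single session and the offboarded `exadmin` is caught even though that login did use MFA. Each rule is deliberately independent so that a stolen credential used from an unfamiliar location still surfaces when the password-policy and MFA checks alone would have passed it.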
"The technology needed to improve controls, and to better protect and monitor the use of user and administrative accounts, exists today," Ford added. "Given the lower barrier to entry for, and the strong economic forces and diverse motivations behind cyber-attacks, we expect attacks against organizations of all sizes and industries to increase in 2015."
A recent eSecurity Planet article offered advice on defending against insider threats.