In late November 2014, a mysterious group of hackers calling itself "God'sApstls" sent an ominous and jumbled email to a few high-level Sony Pictures executives.
"The compensation for it, monetary compensation we want," the hackers wrote. "Pay the damage, or Sony Pictures will be bombarded as a whole."
The executives at the Hollywood studio, which was about to release the controversial James Franco and Seth Rogen comedy The Interview, ignored the email. Just three days later, the hackers followed through with their threat and breached the studio's systems, displaying a message on the computer screen of every employee: "Hacked by #GOP [Guardians of Peace]."
The hackers not only defaced employees' computers, they also wiped their hard disks, crippling Sony Pictures for weeks and costing the company $35 million in IT damages, according to its own estimate.
Now, more than a year later, several security researchers are still hunting down the hackers behind the attack, which the FBI officially attributed to hackers employed by the North Korean government. And despite the fact that the group is apparently still alive and well, a coalition of security researchers believes they can now disrupt it by exposing its extensive malware arsenal.
On Wednesday, a group of companies led by Novetta released a report detailing the Sony hackers' long history of operations, as well as their large stock of malware. It's perhaps the most detailed and extensive look at the group behind what might be the most infamous cyberattack ever.
Andre Ludwig, the senior technical director at Novetta Research and Interdiction Group, said that the investigation started from four hashes (values that uniquely identify a file) that the Department of Homeland Security published after the attack. With those few identifying strings, and after months of sleuthing, the researchers found 2,000 malware samples, both from the online malware portal VirusTotal and from antivirus companies. Of those, they manually reviewed and catalogued 1,000, and were able to identify 45 unique malware strains, revealing that the Sony hackers had an arsenal more sophisticated and varied than previously thought.
The researchers hope that by shedding light on the hackers' toolkit, the group, which the researchers called "Lazarus Group," will be forced to adapt, spending resources and time, and perhaps even lose capabilities after antivirus companies and potential targets put up new defenses.
"If all of a sudden you have antivirus signatures that detect and delete all the group's arsenal, boom!" Jaime Blasco, the chief scientist at AlienVault Labs and one of the researchers who investigated the Sony hackers, told Motherboard. "They lose access to all the victims they got before."
As Ludwig put it, "there are no more shadows to hide in for these tools."
As it turns out, the hackers' arsenal contains not only malware capable of wiping and destroying files on a hard disk, as in the Sony hack, but also Distributed Denial of Service (DDoS) tools, tools that allow for remotely eavesdropping on a victim's computer, and more, according to the report. The researchers tracked some of these tools in cyberattacks and espionage operations that go as far back as 2009, perhaps even 2007, showing that the hackers who hit Sony have a long history.
While others had suspected this before, Blasco said that nobody had demonstrated it as conclusively until now.
Novetta researchers and their partners, which include AlienVault and Kaspersky Lab, stop short of saying who the hackers really are, but they also don't question the FBI's controversial claim that North Korea was behind the attack.
"We have no reason to dispute what the US government and other governments have asserted as the threat being North Korean," Peter LaMontagne, the CEO of Novetta, told me.
The main reason, LaMontagne explained, is that the new data they found discredits the alternative theories that the hackers were actually a disgruntled former employee or just an independent hacktivist group.
A former Sony system administrator is unlikely to have built more than 45 malware tools in the span of more than seven years, LaMontagne told me. At the same time, he added, it's also unlikely that a previously unheard-of hacktivist group would pop up, claim responsibility for such a high-profile attack, and then disappear.
And as it turns out, those hackers have been around for longer than anyone thought—wielding sophisticated weapons. This, according to the researchers, shows the group was much more seasoned than anyone believed.
"Their motivation and operational execution, it's impressive," Ludwig said. "They're extremely motivated, regimented, organized, and they can definitely execute."
Now that their methods and tools are exposed, however, the researchers hope that they won't be as effective.