According to security researchers from Kaspersky Lab and AlienVault Labs, the hackers behind the 2014 Sony hack are alive and still hacking.

Juan Andrés Guerrero-Saade, senior security researcher at Kaspersky, and Jaime Blasco, head of the intelligence and research team at AlienVault, have been gathering evidence that purports to show that the same hackers are still victimizing users. The pair detail a number of links between the Sony attack and subsequent attacks against organizations in South Korea.

The researchers are not sure that the hackers are North Korean operatives. They collected 400 to 500 malware samples over the course of a year and analyzed these and other clues.

Various attack attributes such as re-using code, techniques and practices were not enough to determine that they all came from the same hackers. However, the clincher came when the researchers found a dropper that was used in multiple attacks to drop different payloads. The droppers not only used very similar code but also linked to a resource base using the same password.

The researchers also found that the attackers in all cases used a .BAT file to automatically erase traces of their incursions, a move which left telltale signs on the affected systems.

Other clues they gathered included a shared blacklist of sandbox applications and snippets of code in Korean.

Source: SCMagazine