Little information has been discovered about the hackers

Dec 8, 2014 17:03 GMT

The hackers who published sensitive information from Sony Pictures Entertainment (SPE) computers used the high-speed Internet connection of a five-star hotel in Bangkok, Thailand, to leak the data online, according to one person familiar with the investigation of the incident.

Investigators managed to trace the connection to the St. Regis hotel, but they are uncertain whether the hackers, operating under the name Guardians of Peace (GoP), actually rented a room, used the public area in the lobby, or broke into the network from a remote location, Bloomberg reports.

The leak occurred at the beginning of the month and included documents containing the private data of some 47,000 individuals, among them Sony employees, collaborators and multiple Hollywood stars, Sylvester Stallone being one of them.

Multiple connections to Thailand have been discovered

The identity of the perpetrators remains unknown. However, the investigators got one clue from the analysis of a malware sample (dubbed WIPALL by Trend Micro and Destover by Kaspersky) recovered from Sony systems, which pointed to North Korea; the country officially denied any involvement in the attack on Sunday.

Further evidence that Thailand was the initial location of the data leak is an IP address belonging to a university in the country, which the malware used to communicate with GoP.

Government-backed hackers often operate from countries other than their own, and this would also be the case with North Korea, where Internet connectivity is far from fast.

GoP told various online media publications that the cache of data it exfiltrated from Sony computers was close to 100 terabytes in size.

This would suggest that the intruders broke into the company's network earlier this year and siphoned out the documents over the course of several months in order to keep the leak under the radar.

Who exactly GoP is, and its affiliation, still remains a mystery

Apart from the name of the group, which the hackers themselves promoted, there is no verified information about its members.

Security experts have speculated about who may be sponsoring the group's activities, pointing to similarities with past attacks carried out by the DarkSeoul group, believed to be connected to North Korea.

After analyzing the malware used against Sony, they also discovered technical similarities to Shamoon, a group that attacked Aramco, a Saudi Arabian oil company.

Sony seems to be the target of choice for cyber-attacks lately, as another of its divisions, PlayStation Network (PSN), was recently hit by a DDoS incident. Yesterday, the Twitter feed of Lizard Squad announced that the gaming network had been taken down.