The tools involved in the Sony Pictures attack may have been more sophisticated than we thought. Recode's Arik Hesseldahl is reporting that the attackers employed a previously undisclosed vulnerability to break into the Sony Pictures system, according to "sources familiar with the Sony investigation." Such undisclosed weaknesses, known as zero-day vulnerabilities, are particularly valuable in the security world and are typically employed by nation-state attackers. It's unclear how central the exploit was to the attack or which system was found to be vulnerable. Much of the previously reported software involved in the attack had been re-used from earlier attacks in South Korea in 2013.
The report also cuts against earlier statements by the NSA, which had described the attack as originating with spear phishing emails sent to Sony Pictures employees. Spear phishing is a much simpler attack, in which an attacker simply sends a personalized email with a malware-laden link or attachment, and generally doesn't require a new vulnerability for a successful compromise. Zero-day vulnerabilities are also typically used against military systems, in which the level of internal security is so high that new vulnerabilities must be unearthed in order to break in. By contrast, Sony Pictures was generally seen as having abysmal security practices, raising questions as to why a zero-day vulnerability would be necessary in the first place.