The group behind the Sony attacks has been waging a sustained campaign against South Korean targets, according to new research revealed at the Kaspersky Security Analyst Summit and first reported by Wired. Researchers at Kaspersky and Alienvault Labs traced the campaign by comparing samples from the Sony attacks with other samples collected from attacks around the world. While the researchers declined to speculate on where the group is operating, the presented evidence supports the claim that the Sony attacks were performed by a state-sponsored group from North Korea, as reported by the FBI.
The evidence centers on software tools used by both the Sony attackers and the group behind the more recent South Korean campaign, many of which were customized or altered in extremely distinctive ways. In one instance, researchers found the same password used to trigger the "dropper" program, evidence of either a common group or a major breach in security. There was also a common user agent list between the attacks, and similar tactics in how the attacks were structured.
All told, Kaspersky and AlienVault tracked nearly 500 samples with ties to the group, all with one eerie thing in common: they were all turned against South Korean targets. There was also evidence that the computers that compiling the code were set to write in the Korean Hangul alphabet — another common piece of evidence from the Sony attacks.