Photo: Michael Thurston/AFP/Getty Images

U.S. officials finally confirmed today that they believe North Korea was behind the Sony Pictures hack that led the studio to pull The Interview from theaters. Blaming the North Koreans is convenient, as it makes sense that they would be outraged by a film about the assassination of dictator Kim Jong-un, and Sony can argue that it stood little chance against a foreign government’s team of hackers. However, many don’t buy that a country with limited technological capabilities would be capable of such an attack and wonder why North Korea has repeatedly denied any connection to it (after all, it’s a country that’s fond of threatening to turn enemy nations into a “sea of flames”).

“There’s no evidence pointing to North Korea, not even the barest of hints,” Robert Graham, CEO of Errata Security, told Tom’s Guide. “Some bit of code was compiled in Korea — but that’s South Korean (which is banned in North Korea). Sure, they used threats to cancel The Interview — but after the FBI said they might.”

Naturally, in some corners of the internet, people are speculating about the U.S. government conspiring to frame North Korea, or Sony staging the hack to boost interest in the eventual release of The Interview. However, there are also many doubts among those who don’t usually subscribe to conspiracy theories. Here are the most popular theories about who was behind the Sony hack:

IT WAS A DISGRUNTLED SONY INSIDER, OUT FOR REVENGE

Marc W. Rogers, a “whitehat” hacker and security researcher at the online-traffic-optimizer CloudFlare, wrote on his personal blog that he’s betting on “a disgruntled (possibly ex) employee of Sony.” He notes that there were multiple ways hackers could have made money from stealing Sony’s information, and a nation-state could have used its access to Sony to gain more information about the film industry. Instead, Guardians of Peace chose to dump the information in a manner that’s extremely embarrassing to Sony.

He says there’s also a clue in how the hackers gained access to Sony’s systems:

It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.

This theory is supported by what people claiming to be affiliated with the Sony hackers told the Verge last month. “Sony doesn’t lock their doors, physically, so we worked with other staff with similar interests to get in,” a hacker going by the name “lena” said via email. “Im sorry I can’t say more, safety for our team is important [sic].” The group called Sony Entertainment CEO Michael Lynton a “criminal” on Twitter, and another hacker said, “We Want equality [sic]. Sony doesn’t. It’s an upward battle.”

A more mainstream variation on this theory is that North Korea was behind the attack, but they had help from someone affiliated with Sony. TMZ reported that multiple Sony sources said they believe this is what happened, with some suggesting “a possible link between the hackers and Sony layoffs, which included a large number of IT employees.” The New York Times report that revealed the government had concluded North Korea was “centrally involved” also noted that investigators are considering the possibility that it was partially an inside job:

At Sony, investigators are looking into the possibility that the attackers had inside help. Embedded in the malicious code were the names of Sony servers and administrative credentials that allowed the malware to spread across Sony’s network. “It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.

IT WAS A GROUP OF HACKTIVISTS

In its excellent examination of the evidence in the Sony hack, Wired concludes that it’s more likely that the breach was the work of hacktivists such as Anonymous or LulzSec, rather than a nation-state. The FBI said it found “links to other malware that the FBI knows North Korean actors previously developed,” but hackers sophisticated enough to get into Sony’s systems would presumably also have the ability to plant false clues in their coding.

While North Korea complained about The Interview to the United Nations in July, it appears the film’s connection to the Sony attack originated in the media. In an email sent to Sony executives three days before the attack, the apparent hackers wrote in broken English, “monetary compensation we want.” There was no mention of The Interview in these initial communications, and on December 1 someone claiming to be a Guardians of Peace spokesperson told CSO Online that reports citing the film as the motivation for the hack were untrue. “We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France,” the hacker claimed. “We are not under direction of any state.”

Furthermore, the Sony hackers’ behavior doesn’t look like what we’d expect from a nation like North Korea. Wired explains:

Nation-state attacks aren’t generally as noisy, or announce themselves with an image of a blazing skeleton posted to infected computers, as occurred in the Sony hack. Nor do they use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of Guardians of Ppeace have done in media interviews. Nor do such attacks involve posts of stolen data to Pastebin — the unofficial cloud repository of hackers — where sensitive company files belonging to Sony have been leaked. These are all hallmarks of hacktivists — groups like Anonymous and LulzSec, who thrive on targeting large corporations for ideological reasons or just the lulz, or by hackers sympathetic to a political cause.

IT WAS THE CHINESE

The U.S. has already had multiple run-ins with hackers in the Chinese military, and last year it was reported that they were targeting various American companies. A U.S. official told Reuters on Friday that while North Korea was behind the operation, there was a link to China, either through collaboration with Chinese hackers or using Chinese servers to mask the hack’s origin. Statements from U.S. officials today did not mention China.

The cybersecurity firm Mandiant has been brought in to investigate the Sony hack, and according to Deadline, that could be another sign that the Chinese government was involved. “Mandiant has investigated so many Chinese attacks,” said a source. “It’s kind of their forte.”

“Most custom malware like this has been coming out of the Chinese cybercrime groups and is used for intelligence gathering,” the source added. “They have probably been inside Sony’s network for at least six months, maybe longer.”

It’s believed that the Chinese Army hacks every foreign company doing business in the country, but there are also signs that suggest China isn’t involved. It appears that this would be the first time China has released information obtained by its hackers.

EVERYBODY DID IT

There’s overlap in many of these theories, and it’s entirely possible that the answer is “all of the above.” Many have said Sony was lax about its cybersecurity, and as Wired notes, “we can’t rule out the possibility that nation-state attackers were also in Sony’s network or that a nation like North Korea was supportive of some of these hackers, since they shared similar anger over Sony.”