Who is really behind the cyber attack on Sony Pictures? The FBI has placed the blame for the attack, which caused the entertainment giant to temporarily halt its Dec. 25 release of its film "The Interview," squarely on North Korea, but some security experts are not convinced. After its investigation, based on undisclosed “sensitive sources and methods,” the FBI concluded that “the North Korean government is responsible for these actions.” But some experts argue that the FBI's evidence against North Korea, linking it to the Guardians of Peace (GOP) — the hacker group taking credit for the attack — is flimsy. They suggest several other possibilities, not all of them involving North Korea. Based on available evidence, they say that the Sony data breach could have been accomplished by North Koreans inside North Korea; expatriates in China loyal to North Korean leader Kim Jong Un; international hackers abroad sponsored by Pyongyang; or simply bored hackers from another continent doing it for the lulz.

Two similar warnings posted by hackers: left, GOP’s warning to Sony, and right, a warning from hacker group Whois Team.

In a statement released Friday, the FBI said it had discovered malware “North Korean actors previously developed"; IP addresses of “known North Korean infrastructure” that were “hardcoded into the data deletion malware used"; and “similarities to a cyber attack in March of last year against South Korean banks.” North Korean state media denied on Sunday that it carried out the attack on Sony, even as it praised the hackers. “The NDC [National Defense Commission] of the DPRK highly estimates the righteous action taken by the ‘guardians of peace,’ though it is not aware of their residence,” the statement said. There are some similarities between GOP and another hacker group, Whois Team, that has targeted South Korea in the past. Whois Team claimed responsibility for a series of attacks on South Korean banks and television stations in 2013. GOP’s warning to Sony in late November, placed beside a screenshot of a message left by “Whois Team,” show striking visual similarities: macabre skeletons, a bright green typeface and a long series of malicious data threats. Both GOP and Whois Team have reportedly used “wiper” malware to erase data from victims’ servers. The malware is dropped into a machine and then executed at a specific time to carry out a threat, similar to the deadline that GOP gave Sony. But such links, some experts say, are not conclusive proof that North Korea is behind the Sony attack directly, although it may have enticed or encouraged it. "None of the evidence presented is sufficient to blame the North Korean government,” security researcher Jeffrey Carr told Al Jazeera in response to the FBI’s statement. “But there is ample evidence to suggest other options." Those other options are groups of hackers who exist in a shadowy online world that is difficult for outsiders to penetrate. Such groups have little respect for international borders, and it can be close to impossible to divine their intentions, let alone the identities of those involved. The “Lords of Dharmaraja,” or LOD, is a prime example of such a group. They appear to be Russian hackers who pose as Indian hackers. LOD, in 2012, leaked vital code related to anti-virus software produced by tech firm Symantec. One of LOD’s members, Yamatough, was then quoted as saying: "We tricked them into offering us a bribe so we could humiliate them.” This apparent extortion attempt is similar to one made by GOP, which also appeared to initially seek payments from Sony in return for not publishing the contents of its hack. Whether or not the group is responsible for the Sony hack, its emergence shows an ever-expanding world of hackers borrowing tactics from each other and seeking targets across the globe.

Sony security woes

While the exact identity of the hackers remains a mystery, the vulnerability of one of the world’s biggest companies have been exposed. Security researcher Brian Martin has identified two dozen security breaches at Sony since 1999. Hector Xavier Monsegur, a former hacker affiliated with the groups Anonymous and LulzSec, became an FBI informant in early June 2011. He recalled being offered Sony login credentials by another hacker in 2012. “Sony was negligent on their security practices," Monsegur, formerly known by his online alias “Sabu,” told Al Jazeera. Chat logs collected in 2011-2012 by the FBI and kept under seal for the U.S. government's case against hacker Jeremy Hammond illustrate Sony’s persistent security problems. According to conversations among hackers, finding an initial open door into Sony’s systems wouldn’t have been very difficult.

Jan 6, 2012, chat log from U.S. v. Hammond.

In the above excerpt, taken from a Jan. 6, 2012 chat, a hacker simply volunteers Sony login credentials to Monsegur. The username and password appear to have been gleaned from a database within one of the Sony’s European servers. Monsegur believes the massive ebb and flow of data involved in the recent hack suggests the perpetrators must have been at work for many months or even years.

June 2, 2011, #lulzsec chat log, sealed evidence from U.S. v. Hammond.