According to multiple reports, unnamed government officials have said that the cyber attack on Sony Pictures was linked to the North Korean government. The Wall Street Journal reports that investigators suspect the attack was carried out by Unit 121 of North Korea’s General Bureau of Reconnaissance, the country’s most elite hacking unit.

But if the elite cyber-warriors of the Democratic People’s Republic of Korea were behind the malware that erased data from hard drives at Sony Pictures Entertainment, they must have been in a real hurry to ship it.

Analysis by researchers at Cisco of a malware sample matching the MD5 hash of the “Destover” malware used in the attack on Sony Pictures revealed that the code was full of bugs and anything but sophisticated. It was the software equivalent of a crude pipe bomb.

First draft malware

Compared to other state-sponsored malware that researchers have analyzed, “It's a night and day difference in quality,” said Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, in an interview with Ars. “The code is simplistic, not very complex, and not very obfuscated.”

The Talos team performed its analysis with the goal of creating a better signature for malware detection systems to catch the wiper on other networks that might already be compromised. What they found was code that was hardly professional grade—it didn’t present as “something I thought somebody spent some significant amount of money developing,” Williams said. Part of the code involved in transmitting the “beacon” message from the malware back to the command and control servers had a buffer overread, meaning it read beyond the area of memory allocated by the program, “reading past the amount of data they’re supposed to read on the (memory) stack,” Williams explained.
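The over-read Williams describes is a classic C bug class: code that calls strlen() on a fixed-width field that is not guaranteed to end in a NUL byte, so the scan continues into whatever sits next in memory (on the stack, adjacent locals or the saved return address). The following is an added illustration of that bug class beside its bounded fix, written for this page; it is not Destover's code, and the record layout, field names and sample hostnames are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed beacon record (an assumption, not Destover's layout):
 * fixed-width fields filled by memcpy, so a 16-character hostname
 * leaves no NUL terminator in hostname[]. */
#define HOST_FIELD 16
#define TAG_FIELD   8

struct beacon {
    char hostname[HOST_FIELD];
    char tag[TAG_FIELD];       /* sits right after hostname in memory */
};

/* Copy src into a fixed-width field, zero-filling but NOT guaranteeing a NUL. */
static void fill_field(char *field, size_t size, const char *src)
{
    size_t n = strlen(src);
    if (n > size) n = size;
    memset(field, 0, size);
    memcpy(field, src, n);
}

/* Vulnerable: strlen() keeps scanning past hostname[] into tag[] (and
 * beyond, if tag[] is full too) whenever the field has no terminator.
 * This is undefined behaviour; kept only to show the bug class. */
size_t unsafe_host_len(const struct beacon *b)
{
    return strlen(b->hostname);
}

/* Hardened: the scan is bounded by the field size, so a full field
 * reports HOST_FIELD bytes instead of running off the end. */
size_t safe_host_len_rec(const struct beacon *b)
{
    return strnlen(b->hostname, sizeof b->hostname);
}

/* Convenience wrapper: build a record from a hostname string and return
 * the bounded length. */
size_t safe_host_len(const char *host)
{
    struct beacon b;
    fill_field(b.hostname, sizeof b.hostname, host);
    fill_field(b.tag, sizeof b.tag, "");
    return safe_host_len_rec(&b);
}

/* Format "HOST=<host>;TAG=<tag>" into out using bounded lengths.
 * Returns bytes written, or -1 if out is too small (truncation is an
 * error, not something silently sent to the C2). */
int build_beacon(const struct beacon *b, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "HOST=%.*s;TAG=%.*s",
                     (int)strnlen(b->hostname, sizeof b->hostname), b->hostname,
                     (int)strnlen(b->tag, sizeof b->tag), b->tag);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Build a beacon from strings into an internal 128-byte buffer while
 * honouring a caller-chosen outsz; returns build_beacon()'s result. */
int beacon_len(const char *host, const char *tag, size_t outsz)
{
    struct beacon b;
    char out[128];
    if (outsz > sizeof out) outsz = sizeof out;
    fill_field(b.hostname, sizeof b.hostname, host);
    fill_field(b.tag, sizeof b.tag, tag);
    return build_beacon(&b, out, outsz);
}

int main(void)
{
    struct beacon b;
    char out[64];
    /* A 16-character hostname exactly fills the field: no terminator. */
    fill_field(b.hostname, sizeof b.hostname, "SONYPICTURES-DC1");
    fill_field(b.tag, sizeof b.tag, "C2v1");

    printf("unsafe strlen: %zu (ran into tag[])\n", unsafe_host_len(&b));
    printf("bounded strnlen: %zu\n", safe_host_len_rec(&b));
    if (build_beacon(&b, out, sizeof out) > 0)
        printf("beacon: %s\n", out);
    return 0;
}
```

With the sample record, the unbounded strlen() walks out of hostname[] and into tag[], reporting a length the field cannot hold; the strnlen()-bounded version stops at 16 and the formatter uses an explicit precision so it never reads beyond either field. The same discipline (length-bounded reads plus a hard failure on truncation) is what a professionally written beacon routine would have, and its absence is the kind of defect that a good signature or a crash in a sandbox can expose.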

But as Cisco research engineer Christopher Marczewski and Williams wrote in a Cisco Talos blog post today detailing their analysis, the wiper malware didn’t have to be very complex to do what it was intended to do. “Data is the new target, this should not be a surprise to anyone,” Marczewski wrote. In addition to denying the victim access to corporate data and doing harm to their business, “wiping systems is also an effective way to cover up malicious activity and make incident response more difficult, such as in the case of the DarkSeoul malware in 2013,” he added.

As crudely as it was built, it’s clear that the wiper malware compiled for the actual attack on Sony Pictures was packed with deep intelligence on the company’s network, exploiting knowledge of its Windows Server infrastructure to send management commands over the NetBIOS protocol used by Windows networking to shut down mail servers, and possibly to spread itself across the network through Windows services. It still remains unclear how the malware was implanted on Sony Pictures’ network in the first place, or how multiple terabytes of data from corporate systems could have been hauled out of the network within just a few days of the wiper attack.

Faking hacktivism

Based on the mailbox files leaked by the attackers, data was being pulled from the network—likely from desktop backups—as late as November 23, the day before the attack wiped disk drives. While data may have been extracted over a much longer period of time, it seems likely that it was retrieved in bulk directly from Sony Pictures’ network on the Sunday before the attack by someone with direct access to the network and that the wiper malware was implanted at the same time.

That approach would have required inside help or the insertion of operatives into Sony’s organization. Such an operation might not exactly be high-tech, but it would certainly require organizational sophistication and significant intelligence collection in advance—both things that play to the strengths of a state actor like Unit 121.

According to South Korean reports, North Korea has been building a cyber-army of considerable size for over a decade. In an interview with the Korea Herald, Professor Lee Dong-hoon of the Korea University Graduate School of Information Security said that North Korea has the third largest military cyber-warfare unit in the world, with over 3,000 troops—more than China. And the cyber force, Lee said, is directly under the control of North Korean leader Kim Jong-un.

In a 2009 paper, Steve Sin—then an Army major serving as a senior analyst at the Open Source Intelligence Branch of the Directorate of Intelligence at US Forces Korea and now a lead investigator and senior researcher at the National Consortium for the Study of Terrorism and Responses to Terrorism (START) at the University of Maryland—wrote that North Korea was the source of the largest number of attempts to connect to US military websites and networks. He placed North Korean spending on cyber-warfare capabilities at $3 billion per year and estimated the number of actual hackers in Unit 121 at about 100 in 2009. “The unit’s reported capabilities include moderately advanced Distributed Denial of Service (DDoS) capability and moderate virus and malicious code capabilities,” Sin wrote.

That level of capability is commensurate with what would be needed to attack a “soft” target like Sony Pictures’ network. While the company had a heightened awareness of denial-of-service attacks and other threats at the edge of the network, its internal IT staff was stretched thin. Earlier this year, Sony Pictures experienced repeated trouble with e-mail service as its Microsoft Exchange 2007 infrastructure strained under the company’s e-mail load and under a retention policy, in place for nearly seven years, that forced users to keep e-mail in their inboxes indefinitely. A reduction in the amount of IT support from corporate parent Sony Corporation of America and poor support team training exacerbated the problems, according to e-mails leaked out of Sony Pictures.

The international aspect of Sony Pictures and the layoffs that the company had undertaken earlier this year overseas and in the US gave some credence to the claims by the “Guardians of Peace” that they were acting on behalf of former employees. The unprofessional nature of the code used in the “Destover” wiper malware adds to that illusion. It used commercial components and looks like something cobbled together from a well-worn malware kit bought off an underground web forum.

However, the communications and tactics used that mirrored other “hacktivist” attacks could have just as easily been adopted by Unit 121 or another state actor to mimic a hacktivist attack, achieving the goals of the state while giving North Korea plausible deniability. Pinning the attack with certainty on North Korea will be difficult precisely because it’s the sort of thing any determined attacker, state or otherwise, could have achieved if properly motivated.