At least one former employee of Sony Corp. may have helped hackers orchestrate the cyber-attack on the company's film and TV unit, according to security researcher Norse Corp.

The company narrowed the list of suspects to a group of six people, including at least one Sony veteran with the necessary technical background to carry out the attack, said Kurt Stammberger, senior vice president at Norse. The company used Sony's leaked human-resources documents and cross-referenced the data with communications on hacker chat rooms and its own network of Web sensors, he said.

The findings cast doubt on the U.S. government's claim that the attack was aimed at stopping the release of "The Interview," a comedy about a plot to assassinate North Korean leader Kim Jong Un. The FBI said Dec. 19 it had enough evidence to link the attack to the communist regime, prompting President Barack Obama to vow a response to the cyber-assault.

"When the FBI made this announcement, just a few days after the attack was made public, it raised eyebrows in the community because it's hard to do that kind of an attribution that quickly – it's almost unheard of," Stammberger said in a telephone interview from San Francisco. "All the leads that we did turn up that had a Korean connection turned out to be dead ends."

The information found by Norse points to collaboration between an employee or employees terminated in a May restructuring and hackers involved in distributing pirated movies online that have been pursued by Sony, Stammberger said. The initial demands by the group calling itself Guardians of Peace were extortion, rather than pulling the movie from release, he said.

July Timeline

The earliest activity by the virus that ravaged Sony Pictures Entertainment's computers last month can be traced to July, Stammberger said. Norse uses a network of more than 8 million honeypots, or software traps that lure in hackers, to track malware activity on the Web, he said.

Norse briefed the FBI on the findings in St. Louis on Monday, Stammberger said. Joshua Campbell, an FBI spokesman in Washington, declined to comment when reached by e-mail.

The FBI made its conclusion based on technical analysis and infrastructure used in the attack, it said in a statement. Sony's internal probe linked the attackers to an organization known as DarkSeoul, people familiar with the matter have said previously.

Cruise Missile

The attackers released private e-mails, employee salaries and health records. They've been silent since Dec. 16, even as Sony reversed its decision to cancel the release of "The Interview."

While the virus used to attack Sony's computers was coded in a Korean language environment and is similar to the one that struck South Korean banks and media companies in 2013, that's not enough to link it to North Korea, according to Trend Micro Inc., a developer of security software.

The malware is available on the black market and can be used without a high level of technical sophistication, according to Trend Micro's Tokyo-based security evangelist Masayoshi Someya. It was customized for the company, targeting specific anti-virus software, he said.

"A lot of malware is kind of like a Roomba – it shuffles around the computer network, bumps into furniture and goes in spirals and looks for things kind of randomly," Stammberger said. "This was much more like a cruise missile.

"This malware had specific server addresses, user IDs, passwords and credentials, it had certificates. This stuff was incredibly targeted. That is a very strong signal that an insider was involved."