The “wiper” malware that knocked Sony Pictures’ corporate network offline for over a week, now being called Destover, bears a striking resemblance not only to the “DarkSeoul” malware that struck South Korean companies last year, but also to the Shamoon “wiper” that struck Saudi Aramco in 2012, according to analysis by Kaspersky Lab and other security researchers. While there is nothing in the analysis that would tie the three attacks to the same malware developers, they all used similar techniques, as well as some of the same commercial Windows drivers to attack the hard drives of their victims.

In an e-mail exchange with Ars, Kaspersky Lab security researcher Kurt Baumgartner said, “Of the three, the Shamoon and Destover implementations share the most similarities, and based on these similarities it is possible that there was shared guidance or expertise between the two projects. All three share operational similarities.”

The Sony Pictures malware used commercial software to do its damage to the victim computers’ hard drives—the RawDisk library from EldoS, which allows Windows applications to gain direct access to disk hardware without having to run in administrator mode. As EldoS advertises on its website for RawDisk, the library “offers software developers direct access to files, disks and partitions of the disks (hard drives, flash disks, etc.) for user-mode applications, bypassing security limitations of Windows operating systems.” This allowed the malware to skip past any restrictive security permissions in Windows’ NTFS file system and overwrite the data on the drive, including the master boot record (MBR). (Further details of the malware's behavior are in Ars' updated analysis article.)

This is the same technique used in both the 2013 Seoul cyberattack and the Shamoon attack in 2012, according to Baumgartner, who provided a detailed analysis of the similarities between the attacks in a blog post today. The Shamoon attack also used a trial licensed version of the commercial EldoS drivers. And there were other commonalities across all three attacks, Baumgartner noted:

Just like Shamoon, the Destover wiper drivers are maintained in the droppers' resource section. Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record (MBR). Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack… The Shamoon components were compiled in a similarly tight timeframe prior to their deployment. In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own. All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.

Even the visual elements of the Seoul and Sony attacks are similar. Destover used an internal webserver in the malware to display the message on the screen of affected PCs, just as DarkSeoul did, and the color schemes and themes of the messages displayed in both cases were the same.

The short timeframe between the compilation of the malware and the triggering of the attacks in each case would have precluded the use of shotgun methods like a phishing attack to infect the target networks. The malware would have to have been spread widely across the network days or even hours before it was triggered—indicating that the attackers may have been exploiting the targeted networks for long periods of time before they were brought down by the wiper bugs.
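Two of the indicators Baumgartner lists above (wiper drivers carried in the dropper's resource section, and executables compiled within roughly 48 hours of the attack) are things an incident responder can check directly from a suspect binary's PE headers. The following is an added triage example written for this article; it is not code from Kaspersky, Ars, or any of the malware samples discussed. It hand-parses the COFF `TimeDateStamp` and the section table, flags a binary whose compile time falls inside a configurable window before a given incident time, and scans the `.rsrc` section for an embedded MZ/PE image. The incident date, the `build_sample_pe` helper and the sample blobs it produces are all constructed for the demonstration and are not real malware.

```python
"""Added triage example: PE compile-time proximity and embedded-PE-in-.rsrc checks."""
import struct
from datetime import datetime, timedelta, timezone

PE_SIG = b"PE\0\0"


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("bad PE signature")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def compiled_within_window(data: bytes, incident: datetime, hours: int = 48) -> bool:
    """True if the binary was compiled in the `hours` leading up to (and including) `incident`."""
    delta = incident - pe_compile_time(data)
    return timedelta(0) <= delta <= timedelta(hours=hours)


def section_table(data: bytes):
    """Yield (name, raw_bytes) for each section header in the image."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def rsrc_embeds_pe(data: bytes) -> bool:
    """True if the .rsrc section carries an embedded MZ/PE image (e.g. a packaged driver)."""
    for name, body in section_table(data):
        if name != ".rsrc":
            continue
        pos = body.find(b"MZ")
        while pos != -1:
            if len(body) >= pos + 0x40:
                (lfanew,) = struct.unpack_from("<I", body, pos + 0x3C)
                if body[pos + lfanew:pos + lfanew + 4] == PE_SIG:
                    return True
            pos = body.find(b"MZ", pos + 1)
    return False


def triage(data: bytes, incident: datetime, hours: int = 48) -> dict:
    """Summarise the two indicators for one sample."""
    return {
        "compile_time": pe_compile_time(data).isoformat(),
        "compiled_within_window": compiled_within_window(data, incident, hours),
        "rsrc_embeds_pe": rsrc_embeds_pe(data),
    }


def build_sample_pe(timestamp: int, sections: list) -> bytes:
    """Constructed, non-executable PE-shaped blob for testing (no optional header)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0)
    headers, bodies = b"", b""
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    for name, body in sections:
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(body), 0, len(body), raw_ptr)
        headers += b"\0" * 16  # relocations / line numbers / characteristics, unused here
        bodies += body
        raw_ptr += len(body)
    return dos + PE_SIG + coff + headers + bodies


# Constructed incident time and samples (hypothetical values, not from any real case).
INCIDENT = datetime(2014, 1, 1, tzinfo=timezone.utc)
_recent_ts = int((INCIDENT - timedelta(hours=20)).timestamp())
_old_ts = int((INCIDENT - timedelta(days=200)).timestamp())
_inner_driver = build_sample_pe(_recent_ts, [])  # stands in for a packaged driver
SAMPLE_RECENT = build_sample_pe(_recent_ts, [(b".rsrc", b"\0" * 8 + _inner_driver)])
SAMPLE_OLD = build_sample_pe(_old_ts, [(b".rsrc", b"\0" * 32)])

if __name__ == "__main__":
    for label, blob in (("recent+driver", SAMPLE_RECENT), ("old", SAMPLE_OLD)):
        print(label, triage(blob, INCIDENT))
```

The hand-rolled header walk keeps the example dependency-free; in practice a library such as `pefile` does the same parsing with far more validation. Treat the timestamp check as one weak signal rather than proof: `TimeDateStamp` is trivially forged or zeroed, and some toolchains set it to a hash rather than a time, so a binary outside the window is not cleared and one inside it is not convicted without corroborating evidence.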

One major difference between the Sony and Seoul malware attacks is that the Seoul attacks included scripts to attack Unix and Linux systems; the Sony Pictures attack lacked these scripts, but it may have been because there were no Unix or Linux systems identified by the attackers prior to the installation of the malware. The Sony malware specifically sought out servers within the company's network by machine name to attack, demonstrating foreknowledge of the network's structure.

Baumgartner said that there was no proof that the three attacks were carried out by the same group, but the “operational and toolset characteristics all carry marked similarities. And it is extraordinary that such unusual and focused acts of large-scale cyber-destruction are being carried out with clearly recognizable similarities.”