All sorts of theories about who really made off with terabytes of Sony Pictures Entertainment’s corporate data and then set off malware erasing the company’s hard drives have emerged over the past week in the wake of Sony’s release of The Interview. While the FBI is insistent that the responsibility for the Sony breach and cyber-defenstration rests solely on the Democratic People’s Republic of Korea, security analysts who have conducted their own examination of the malware and other information suggest that the attack was at least partially an inside job.

But there’s been another strange twist in the Sony Pictures saga: now Lizard Squad, the DDoS attackers involved in the Christmas denial-of-service attacks against Sony’s PlayStation Network and Microsoft’s Xbox Live network, have claimed they were tangentially involved in the breach. Someone claiming to represent Lizard Squad told The Washington Post’s Brian Fung that Lizard Squad had sold Sony Pictures' usernames and passwords to the Sony attackers (the "Guardians of Peace"). Fung said that his contact confirmed his identity by posting something to the group’s Twitter feed.

"We handed over some Sony employee logins to them," said Fung's source. "For the initial hack. We came by them ourselves. It was a couple."

Off to see the lizard

Lizard Squad’s spokesmen have been getting a lot of media attention recently, even providing a live radio interview on the BBC and debating alleged members of Anonymous. Security reporter Brian Krebs has published an analysis of the identity of the Lizard Squad’s most public members, who broke off their attacks on Sony’s Playstation Network and Microsoft’s Xbox Live service after (though they claim not because) Kim Dotcom offered them $300,000 worth of MegaUpload vouchers to cut it out so he could play Destiny.

Dotcom then brokered some sort of peace deal between Lizard Squad, “FinestSquad” (a group that claimed to be feeding information about Lizard Squad to law enforcement), and some self-identifying members of Anonymous on the YouTube channel #DramaAlert, and it was declared that Lizard Squad would never, ever attack game networks again. (Dotcom said in a Twitter conversation that if they did, their vouchers would be revoked.)

If Seth Rogen needs an idea for his next film, there it is.

Lizard Squad then apparently turned its attention to the Tor network, creating a large number of Tor relays in an attempt to corner the network and demonstrate that they could de-anonymize traffic. "Right now, if we wanted to, we could redirect most of outgoing Tor traffic to lizardsquad.ru," the Lizard Squad "spokesperson" claimed.

In a post to the Tor Project Twitter feed, a spokesperson said that the Tor team was working to remove the wave of new relays configured for the attack, "but even though they are running thousands of new relays, their relays currently make up less than 1 percent of the Tor Network by capacity."

Inside and out

Meanwhile, analysts at Norse Corp., a network security firm that monitors cyber-attacks, have been building a case that the attack on Sony’s network was largely internal. In a blog post, Norse’s Anthony Freed wrote that the firm had identified at least six possible former employees of Sony who may have been involved in the breach of the network, including one (referred to as “Lena,” a name used in the Guardians of Peace e-mails) that had the previous access and technical skills required to steal the data. The insiders may have worked with “pro-piracy hactivists,” Freed wrote.

Kurt Stammberger, Norse’s senior vice president, said, “We think we see indicators of those two groups of people getting together.”

One indicator that insiders may have been involved was the targeting of information in the company’s human resources system, which provided details on the massive layoffs Sony Pictures undertook in April and May of 2014. Some of the data pulled from Sony included credentials for Workday, Sony Pictures’ service provider for human resource management.

Ars has attempted to reach Sony Pictures and Workday about what data may have been accessible through those exposed credentials—certificates or tokens which may have allowed Sony employees access without a password. Neither company has responded. However, knowledge of the Workday system and access to the terminal applications that were screen-shotted by the attackers showing payroll data, would seem to indicate that either Sony’s HR department grossly mishandled personal identifying information of employees, or the attacker was someone intimate with those systems.

Listing image by National Park Service