"Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack," the Kaspersky researchers said. "It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack."
A more direct connection was established by Symantec between Destover and a backdoor program known as Volgmer that allows attackers to retrieve system information, execute commands, upload files, and download files for execution.
"Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets," the Symantec researchers said. "The shared C&C indicates that the same group may be behind both attacks."
The apparent links between Destover and malware that was used to target South Korean organizations will likely fuel ongoing speculation that North Korea might be behind the attack against Sony Pictures Entertainment, supposedly as retaliation for an upcoming comedy film called "The Interview" in which two reporters are asked by the CIA to assassinate North Korean leader Kim Jong Un. North Korea reportedly denied its involvement in the attack.
These commonalities "do not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover," the Kaspersky researchers said. "But it should be noted that the reactionary events and the groups' operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities."
Sign up for CIO Asia eNewsletters.