"The malware samples contain hardcoded names of servers inside Sony's network and even credentials/usernames and passwords that the malware uses to connect to systems inside the network," he said.
Former Sony employees might have that kind of network knowledge, but hackers also often do reconnaissance on networks prior to an attack, looking for weak points to exploit.
Although attributing cyberattacks is difficult, it's unlikely North Korea is behind Sony's troubles, said Scot. A. Terban, a threat intelligence analyst who writes under the Twitter handle @krypt3ia.
The style of malware used against Sony, which corrupts a computer's master boot record, has been around for 16 years, Terban said in a phone interview Wednesday.
It is possible that the Sony attackers obtained the same malware that was used against South Korea last year, as the malware is available on the internet. The attackers may have changed it a bit to avoid security software and then repurposed it, he said.
Terban said the use of Korean language encoding in the malware is still "not a lot to hang your hat on as far as attribution goes."
If North Korea had indeed struck Sony, "there would be no evidence of Korean coding" in the malware, Terban said.
McAfee, a computer security company now owned by Intel, did extensive research into the Dark Seoul attacks, publishing a technical report on the malware in July 2013.
Its analysts wrote the March 2013 attacks were actually the conclusion of a four-year covert espionage campaign that also sought classified military data.
Two groups, called the Whois Hacking Team and the NewRomanic Cyber Army Team, conducted the Dark Seoul attacks, but McAfee concluded they were likely part of the same team since they used similar attack code.
McAfee declined an interview request Thursday asking if its researchers were still tracking the groups.
Sign up for CIO Asia eNewsletters.