At least one appeared to be an administrator who had access to Sony's installation of Microsoft's System Center Configuration Manager (SCCM) 2007, an enterprise tool for managing large numbers of corporate computers. Among SCCM's duties: Distributing software to employees' personal computers.
"When I saw an administrator for SCCM [among the usernames and passwords in the malware], I went, 'Wow, okay, this is probably the scenario,'" said McClure, who mimicked the hackers by cross-checking leaked credentials with LinkedIn entries for Sony employees. "The attackers had software distribution rights throughout the enterprise. That made perfect sense."
McClure speculated that one reason why the attack was initially attributed to an insider was that it may have looked like an inside job. Armed with stolen SCCM credentials, the hackers could have used the software to distribute their malware to Sony's PCs. The malware could have been pitched to employees as a necessary update or new internal-only software, and because it originated from SCCM, would have been seen as entirely legitimate.
"Honestly, this is speculation, but it is a reasonable approach based on the evidence," said McClure. "The question is, 'How could this most likely have gone down?'"