FROM SEOUL TO SONY: THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER

2016-02-24, BlueCoat
https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4
Bluecoat_FROM_SEOUL_TO_SONY2-24-16.pdf, 3.0 MB
#Blockbuster #Destover

Contents

FROM SEOUL TO SONY: THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER
By Snorre Fagerland, Blue Coat Systems Inc.
February 2016
EXECUTIVE SUMMARY
The attack on Sony Pictures Entertainment in November 2014 was not a single incident. Through technical indicators, we connect the attack to several destructive events going back to at least 2009.

The identity of the perpetrators is unknown, but several of these previous events have been attributed by others to North Korean threat actors. In this report, we show how we have connected these events to the threat actors known as DarkSeoul or Silent Chollima.

Whoever they are, this group is still active, mainly going after South Korean targets in several sectors. Malware belonging to this threat complex has apparently been produced as late as January 2016.

We detail the evolution of some of the most common tools used by these attackers and present indicators of compromise and mitigation information where we can.
In parallel with this report, the …