FROM SEOUL TO SONY: THE HISTORY OF THE DARKSEOUL GROUP AND THE SONY INTRUSION MALWARE DESTOVER
2016-02-24 • Blue Coat
Blue Coat connects the Sony Pictures intrusion malware Destover to earlier destructive activity associated with the DarkSeoul or Silent Chollima threat complex. The report states that technical indicators link Sony to destructive events going back to at least 2009, while noting that the perpetrators are unknown and that some earlier events were attributed by others to North Korean actors. The group is described as still active as of the report, primarily targeting South Korean organizations across multiple sectors, with malware from the same threat complex apparently produced as late as January 2016. The source focuses on the evolution of common attacker tools and provides indicators of compromise and mitigation information, alongside parallel Novetta Operation Blockbuster research.