US government monitored North Korean hackers since 2010
The Interview is given as the reason for blaming North Korea Sony Pictures

Seth Rogen hacked Sony Pictures. No, wait, it was James Franco. No, sorry, it was Taylor Swift. Justin Bieber? Barack Obama? The Dalai Lama?

Of course none of these people hacked Sony Pictures, but the idea they did is about as ludicrous as suggesting that North Korea was behind the attack. An attack which on Wednesday culminated with Sony Pictures cancelling the release of The Interview.

The identity of the hackers, who go by the name Guardians of Peace, is still a complete mystery. Many theories have been espoused about who they are, where they are located, and what their motivation has been in carrying out a devastating attack on Sony Pictures' systems which after three weeks sees the studio still not back to full capacity.

Here we look at four possible groups behind the attack, but first up is the case for Guardians of Peace (GOP) not being from Pyongyang.

Why North Korea isn't behind the Sony Pictures hack

The popular narrative is that North Korea is behind this devastating attack. It is a great story for the media. Anything to do with the secretive dictatorship is catnip to reporters and readers alike. Sadly, there is very little evidence that North Korea is behind the attack.

Sony and the FBI, who are investigating the attack have both failed to point the finger at Kim Jong-un.

While US officials have told the New York Times they believe North Korea was "centrally involved" in the attack, this belief is likely politically motivated rather than based on hard evidence.

But what about The Interview? Is this not the main reason for the attack? No. The hackers made no mention of the film in their initial email to Sony on 21 November and in an interview with CSO Online at the beginning of December, specifically said the attack was not related to the film.

The media linked the two based on a complaint Pyongyang made in July about the film, and the attackers have clearly capitalised on this to their advantage.

Kim Zetter from Wired has written a detailed investigation about why the evidence against North Korea is flimsy at best.

So, who is behind the Sony Pictures hack?

  • A. N. Other Nation State

So if not North Korea, then what about another nation state. In situations like this the finger of blame typically waves between two countries: Russia and China.

While there have been some murmurings that China was involved, and the broken English used in communications suggests a non-English speaker, there has been little in the way of hard evidence that it is hackers from China or Russia.

The question of why a nation-state would attack Sony remains the biggest stumbling block in attributing the hack to a country other than North Korea. There is one other possibility however.

The Washington Post reported that the wiper malware (called RawDisk) used against Sony Pictures was similar to that used in attacks in South Korea, and also in the Middle East - specifically against Saudi Aramco, the world's largest oil company, which knocked 30,000 computers offline.

That attack, which took place in 2012, has been linked to a group of Iranian state-sponsored hackers, and this month they were revealed to be carrying out an on-going and sophisticated cyber-attack called operation Cleaver.

Also in 2012, Iran signed an extensive agreement for technology cooperation agreement with North Korea, which would allow for collaboration on various efforts including IT and security.

That said, we still have to remember that the hackers specifically said they are "an international organisation not under direction of any state" and members include "famous figures in the politics and society from several nations such as United States, United Kingdom and France."

  • Cyber-criminals

Cyber-crime is fast replacing traditional forms of crime as the biggest threat to our security, and cyber-criminals are becoming increasingly sophisticated at targeting specific companies.

Tailored phishing emails and malware would have been used in this attack, giving the criminals access to the systems of Sony Pictures.

They could have spoofed the fact that the malware looks to have been compiled on machines which used Korean as the encoding language.

The other piece of evidence which suggests a cyber-crime gang is behind the attack is the demands in the original public messages and emails to the company which suggested that theirs was a financial motive for the attack:

"Monetary compensation we want," the hackers said in an email to the studio. "Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You'd better behave wisely."

  • For the lulz?

Could this be the work of Anonymous, or another hacktivist group who are doing it for the lulz? It could be, but it is unlikely.

Anonymous is well known for its trolling of companies and for pointing out gaping holes in their security, and of course the Anonymous-offshoot LulzSec famously hacked Sony Pictures back in 2011.

But whatever you think of Anonymous, the group always has a motive behind their attacks, and getting a film about a dictatorship banned is not something which the group would want.

Is is possible that an unknown group of hackers are just doing this purely for their own pleasure, but if so, they are playing a dangerous game.

  • A disgruntled employee
    Sabu Returns to Twitter Anonymous protest
    Former LulzSec hacker-turned-FBI-informant Hector Monsegur warns that there is no real security, and if they wanted, hackers could break into airports, phone systems, and water supplies, and shut them down. CBS

This is, to date, the most plausible explanation for who is behind the attack.

Hacker Marc Rogers has made a very convincing case against any other possibility and for the likelihood that the origin of the attack comes from inside Sony Pictures.

Rogers' argument is based on the fact that whoever carried out the attack had detailed and deep knowledge of Sony's systems:

"It's clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony's internal architecture and access to key passwords. While it's plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam's razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as."

Rogers also points out that while the attackers may have claimed the motive was financial gain, this is clearly not the case. If someone wanted to make money, they would have quietly used the critical login details to Sony's financial information for huge monetary gain.

Rogers said: "From simple theft, to the sale of intellectual property, or even extortion – the attackers had many ways to become rich. Yet, instead, they chose to dump the data, rendering it useless."

Well known hacker Grugq also points out that unlike the stilted rhetoric typically sprouted by North Korea on social media channels, the attackers behind the Sony Pictures hack carried out "a media blitz campaign that is steeped in Internet culture and knows how to play to it" suggesting the attackers are well-versed in how the media works.

I suggest that all other Hollywood studios give all their employees a big, fat bonus this Christmas, or face the possibility that they will be next to face the wrath of a former employee.