Sony Hack: 'Destover' Malware Identified

Security Experts Find Destructive Malware After FBI Alert

By Mathew J. Schwartz, December 4, 2014. Follow Mathew J. @euroinfosec

The destructive "wiper" malware that was used to infect and erase hard drives at Sony Pictures Entertainment has been identified as "Destover," which is also known as "Wipall." Security experts say it's the first time such an attack has been launched against a U.S. organization (see Sony Hack: FBI Issues Malware Alert).

Anti-virus vendor Trend Micro has tied the Nov. 24 hack attack against Sony to a Dec. 1 FBI warning and Dec. 2 FBI Flash alert, which said that a destructive malware attack had been launched against an unnamed U.S. business (see Defending Against 'Wiper' Malware). Trend Micro says it has recovered samples of the malware referenced in the FBI alert and found that after erasing a PC's hard drive and rebooting the system, the malware would then display a copy of a bitmap image that multiple Sony employees reported finding on their machines, which told them that they had been hacked by a group calling itself "G.O.P."

"This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase 'hacked by #GOP,'" Trend Micro says. "Therefore we have reason to believe that this is the same malware used in the recent attack on Sony Pictures."

Sony has declined to respond to multiple requests for comment on the hack attack against it.

Following the attack against Sony, a group called Guardians of Peace claimed credit. An e-mail sent to Information Security Media Group by someone claiming to be the leader of G.O.P. promised that the group would be leaking "tens of terabytes" of Sony data that attackers stole before wiping Sony hard drives and network drives. To date, however, the group appears to have leaked only about 30 gigabytes of data. But that reportedly includes not just high-quality digital versions of unreleased movies, including a remake of Annie and the Oscar-tipped Brad Pitt World War II drama Fury, but also sensitive internal documents listing all employees' salaries.

Security experts say it's still not clear how attackers stole all of that data, and while they've found that the Destover malware has the ability to "wipe" hard drives, there have been no reports of malware modules designed to exfiltrate data.

Attackers Knew Sony's Network

The attackers appear to have had an edge, in that they seem to be very familiar with Sony's network topology. "We have been investigating the attack and discovered new pieces of malware that are likely related to the same attackers," says security researcher Jaime Blasco, labs director of security management and threat intelligence vendor AlienVault. "From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials/usernames and passwords that the malware uses to connect to systems inside the network."

That suggests that the Sony hack may have been the work of one or more insiders. But security experts say that the attackers could also have been external, and simply had substantial time to conduct reconnaissance of Sony's network, and then create malware that was designed only to attack Sony's network. Creating that type of customized malware would mean that no anti-virus engines had a related signature for the attack code, which would make it harder to spot.

The hackers also went to great lengths to hide their related communications, and likely also any associated data exfiltration. "The malware samples we have found talk to IP addresses in Italy, Singapore, Poland, U.S., Thailand, Bolivia and Cyprus - probably hacked systems or VPN/proxies that the attackers use to hide the origin," Blasco says, referring to virtual private networks or proxying services that can be used to obscure an attacker's IP address.
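The hardcoded server names, embedded credentials and remote IP addresses that Blasco describes are the first things an incident responder pulls out of a recovered sample, because each one becomes a block rule, a hunt query or a password reset. The Python script below is an added example, not code from the article, AlienVault or Trend Micro, and it does not analyze a real Destover sample: it runs a strings-style extraction over a constructed byte blob and sorts the results into IPv4 addresses, hostname-like strings, credential-style key=value pairs and everything else. The hostname `fileserver01.corp.example`, the documentation-range IP `203.0.113.45` and the credential pair are made up; the `kernel32.dll` entry is there to show a library name being kept out of the hostname bucket.

```python
import re
from typing import Dict, List

# Constructed stand-in for a malware sample (not a real Destover binary): a few
# non-printable bytes with embedded ASCII strings of the kinds the article
# describes, plus a library name to show a common false positive being filtered.
SAMPLE_BYTES = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"          # "MZ" header fragment, too short to report
    b"\\\\fileserver01.corp.example\\share\x00"  # hypothetical hardcoded internal UNC path
    b"\x01\x02\x03"
    b"203.0.113.45\x00"                          # documentation-range IP standing in for a proxy/C2
    b"user=svc_backup\x00pass=Winter2014!\x00"   # made-up embedded credential pair
    b"kernel32.dll\x00"                          # looks hostname-like but is a library name
    b"\xff\xfe\x00\x00ab\x00"                    # "ab" is below MIN_LEN and is dropped
    b"hacked by #GOP\x00"                        # defacement text quoted in the article
)

MIN_LEN = 5  # shortest printable run worth reporting (same default as `strings`)

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOSTNAME_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
CRED_RE = re.compile(r"^(?:user|username|pass|password|pwd)\s*=\s*\S+$", re.IGNORECASE)
FILE_EXT_RE = re.compile(r"\.(?:dll|exe|sys|dat|log|txt)$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_ipv4(s: str) -> bool:
    """Dotted quad with every octet in 0..255."""
    return bool(IPV4_RE.match(s)) and all(int(o) <= 255 for o in s.split("."))


def classify(s: str) -> str:
    """Bucket one extracted string, checking the most specific shapes first
    (a credential value can itself contain a dotted name)."""
    if is_ipv4(s):
        return "ipv4"
    if CRED_RE.match(s):
        return "credentials"
    host = HOSTNAME_RE.search(s)
    if host and not FILE_EXT_RE.search(host.group()):
        return "hostnames"
    return "other"


def triage(data: bytes) -> Dict[str, List[str]]:
    """Group a sample's embedded strings into indicator categories for analyst review."""
    report: Dict[str, List[str]] = {"ipv4": [], "hostnames": [], "credentials": [], "other": []}
    for s in extract_strings(data):
        report[classify(s)].append(s)
    return report


if __name__ == "__main__":
    for category, values in triage(SAMPLE_BYTES).items():
        print(f"{category}:")
        for v in values:
            print(f"  {v}")
```

Run against a real sample the "other" bucket will be large and the hostname bucket will still carry some noise, so treat the output as a worklist for an analyst rather than a finished indicator feed; the point is that infrastructure and credentials baked into a custom sample, which defeat signature matching as the article notes, are still recoverable from the sample itself.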