Malware involved in the hack against Sony has been linked to earlier attacks in South Korea by the security firm Symantec.
Some Destover samples are reporting to the same command and control (C&C) server used by the trojan Volgmer, which makes the company believe the same group is behind both attacks.
Symantec said: "Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution."
"Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers."
Volgmer is capable of opening backdoors in computers, facilitating communication between the machine and the C&C server to download more malware, remotely execute commands and steal data.
"Interestingly, the variants of Volgmer that share a C&C server with Destover are configured to end execution if the compromised computer’s region is not ‘Korea’," the company added.
Symantec also found that Destover has techniques and component names in common with Jokra, also called DarkSeoul after the group behind it, which hit banks and news groups in South Korea in what is thought to have been a politically motivated attack.
In addition Destover shares drivers with Shamoon, a piece of malware that a company insider used to attack oil company Saudi Aramco, deleting data on three-quarters of the firm’s computers and posted a picture of a burning US flag.
Kaspersky Lab, another security company, said that the groups behind Destover, Shamoon and Jokra had "operational and toolset characteristics [that] all carry marked similarities", but like Symantec did not conclude they were necessarily the same actors.
"In this instance it appears highly unlikely that the same group was behind both attacks and instead it would appear that the Destover attacks copied techniques from Shamoon," Symantec added.
