Moscow-based security software maker Kaspersky Lab said on Thursday it uncovered evidence that all three campaigns might have been launched by the same group, or facilitated by a single organization skilled in working with destructive malware.
In 2012, cyber attackers damaged tens of thousands of computers at Saudi Arabia's national oil company and Qatar's RasGas with a virus known as Shamoon, one of the most destructive campaigns to date. Some U.S. officials blamed Iran.
Last year, more than 30,000 PCs at South Korean banks and broadcasting companies were hit by a similar attack that cyber-security researchers widely believe was launched from North Korea.
Kaspersky researcher Kurt Baumgartner told Reuters there are "unusually striking similarities" related to the malicious software and techniques in the two campaigns and the Nov. 24 Sony attack in which a malware dubbed "Destover" was used.
He described the similarities in depth in a technical blog published on Thursday on Kaspersky's website.
"It could be a single actor or it could be that there are trainers or individuals who float across groups," Baumgartner said in an interview.
He said the evidence suggests hackers from North Korea are behind the attack on Sony, although it is unclear whether they work directly for the government.
Not all cyber-security researchers agree with Kaspersky's interpretation of the technical evidence.
"There is no evidence to suggest that the same group is behind both attacks," Symantec said on its blog.
The diverging views highlight the difficulties that law enforcement faces in determining the identity of the hackers responsible for the Sony breach.
Hackers often conduct attacks by digitally hopping through multiple computer severs around the globe to mask their real Internet address, or use "false flag" techniques to make it look as though the attack is the work of another nation or group.
© Thomson Reuters 2014