Update: Adds comment from Anonymous
The hacker collective Anonymous has denied that it took part in the attack on Sony's systems, saying that the group or its members have not been known to steal credit card numbers.
A press release posted on Daily Kos by Barrett Brown, who claims extensive contacts with the collective, says, "Anonymous has never been known to have engaged in credit card theft." The release also says that the perpetrator could have left a 'calling card' to frame the group's members.
Sony was hit with a massive cyber attack on April 19, which resulted in the theft of details for nearly 100 million users of the PlayStation Network and Sony Entertainment Online. Credit card details for millions of users were also taken. Sony has said that the attack displayed a high level of sophistication, and that it came right on the heels of a distributed denial of service attack that took Sony's PlayStation Network offline for a few hours.
In a letter to Congress, Sony's Executive Deputy President, Kazuo Hirai, said that there was a file with the name Anonymous and a snippet from the group's motto, "We are legion. We do not forgive. We do not forget."
But one problem with speaking of Anonymous as an entity is that there is no formal membership or even structure. So it is entirely possible that the file left behind was a fabrication in an attempt to convince investigators (such as the Federal Bureau of Investigation) to look in the wrong place.
The press release addresses that point. "Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response. On the other hand, a group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track."
Some security experts agree with that assessment, if not with the release. "'Anonymous' is really just a banner used by individuals, it isn't a group as such and with no leadership or structure the motivations used by different people calling themselves 'Anonymous' may vary widely," said Graham Cluley, senior technology consultant at Sophos, a U.K.-based computer security firm. "I think discussion of 'Anonymous' is a red herring. We should be focusing on the fact that Sony was hacked, and that it was a criminal act, and that the people who broke into Sony's systems should be brought to justice. Whether they choose to affiliate themselves to Anonymous or not is, frankly, irrelevant."
In an email, Brown said, "Until we see reports of any of those credit cards actually being used in the manner in which one would expect them to be had this been done for traditional criminal profit motive, I'm going to continue to suspect that this may very well be a false flag/disinfo measure by one of the many intelligence agencies, 'law enforcement' bodies, or federal contractors that are known to have engaged in that very thing."
Leaving aside who might have attacked Sony, one thing both Brown and Cluley agreed on was that the DDoS attack that Sony reported would not necessarily be much of a distraction to the security staff, as the mechanism of such attacks is different. Cluley said that whatever the problem was, it likely involved an underlying weakness in Sony's security.