Sony Hack

First of all, let's review the United States Computer Emergency Readiness Team review of the attack.

https://www.us-cert.gov/ncas/alerts/TA14-353A

The attack spread via the Server Message Block protocol. SMB is well known as a vulnerable entry point. If you've ever used a Samba file share from Linux, you've used an implementation of SMB. SMB implementations often allow older and vulnerable types of authentication. Using SMB without proper configuration is a major security risk because it allows you to enumerate and map a network, and possibly escalate privileges if compromised. The SMB worm spread via Windows shares over well-known port 445. The SMB worm uses two threads: one to dial home with a list of names and passwords, the other to brute-force the next host.

The attack used a backdoor component to remotely execute CLI commands and open firewall ports. It used UPnP to enumerate hosts on the network and to allow the remote attacker to access internal devices that were hidden behind NAT. There is also a remote listener component that uses a DNS query to dial home.

The Sony malware also included a hard drive wiper, which destroyed the contents of the target HDD completely and made it unusable. The malware checked to see if the following shares were active: “\\hostname\admin$\system32” and “\\hostname\shared$\system32”. If these were not shared, the malware created a new share with “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once access is granted, the malware uploads a file, “taskhostXX.exe”, then executes “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”; the target host's credentials are now fully compromised. Finally, the malware executes “cmd.exe /q /c net share shared$ /delete” to remove the share.



The HDD wiper wipes up to four physical disks and plants a logic bomb in the MBR, so that if you try to boot again, further damage occurs. The MBR rewrite is composed of a binary, a dynamic-link library, and an encrypted command list file which lists the actual commands to be run.

The HDD wiper component is known as "Dark Seoul" and was also used in a major attack on South Korean banks in 2009. A smoking gun? I don't think so. All of the evidence is absolutely circumstantial, which the FBI is finally realizing:



http://www.politico.com/story/2014/12/fbi-briefed-on-alternate-sony-hack-theory-113866.html

Most of the code in these attacks is available on the black market, for a price. Based on the way the malware was set up, and the incredible footprinting the attacker must have conducted to be able to set it up this way, it seems like an inside job. For the SMB attack vector to work properly, for all of the pieces to come together, it all points to an ex-employee with knowledge of the exact vulnerabilities and specifications of the Sony network.


http://nypost.com/2014/12/30/new-evidence-sony-hack-was-inside-job-cyber-experts/
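As an added example (not code from this thread or from the US-CERT alert), here is a small Python detector for the share-create / WMIC remote-execute / share-delete chain described in the post above, run over constructed process-creation events. The event layout (host, timestamp, command line, as you would get from Sysmon Event ID 1 or Security event 4688 with command-line auditing) and the sample events are assumptions made for this example; the three command patterns being matched are the ones quoted in the post. It correlates the share creation and deletion on the target host with a wmic /node: call pointing at that host from any other host, since the evidence for this kind of lateral movement is split between source and target telemetry.

```python
"""Added example: spot the share-create / WMIC remote-exec / share-delete
chain from the post in process-creation telemetry.

Not code from the thread or from US-CERT.  Assumed event layout: one dict per
process start with "host", "ts" (datetime) and "cmdline".  The sample events
at the bottom are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Stage 1 (runs on the target): a hidden share mapped to %SystemRoot% or a
# drive path and granted FULL to Everyone.
SHARE_CREATE = re.compile(
    r"net\s+share\s+(?P<share>\w+\$)=(?P<path>\S+)"
    r".*?/GRANT:\s*everyone\s*,\s*FULL", re.IGNORECASE)

# Stage 2 (runs on the source): remote process creation via WMI with
# credentials passed on the command line.
WMIC_REMOTE = re.compile(
    r"wmic(?:\.exe)?\s+/node:(?P<target>\S+)\s+/user:(?P<user>\S+)\s+"
    r"/password:\S+\s+process\s+call\s+create", re.IGNORECASE)

# Stage 3 (runs on the target): the share is removed to cover tracks.
SHARE_DELETE = re.compile(
    r"net\s+share\s+(?P<share>\w+\$)\s+/delete", re.IGNORECASE)

STAGES = (("share_create", SHARE_CREATE),
          ("wmic_remote_exec", WMIC_REMOTE),
          ("share_delete", SHARE_DELETE))


def classify(cmdline):
    """Return (stage, captured fields) for a matching command line, else None."""
    for stage, rx in STAGES:
        m = rx.search(cmdline)
        if m:
            return stage, m.groupdict()
    return None


def find_chains(events, window=timedelta(minutes=10)):
    """Correlate the three stages across hosts.

    A chain is: share created on host V, a "wmic /node:V ... process call
    create" issued from any host, and the same share deleted on V, all
    inside `window`.  Returns (chains, hits); `hits` holds every
    single-stage match so the pieces can still be alerted on when the
    chain is incomplete.
    """
    hits = []
    for ev in events:
        c = classify(ev["cmdline"])
        if c:
            stage, fields = c
            hits.append({"host": ev["host"], "ts": ev["ts"], "stage": stage, **fields})
    hits.sort(key=lambda h: h["ts"])

    chains = []
    for create in (h for h in hits if h["stage"] == "share_create"):
        victim = create["host"].lower()
        share = create["share"].lower()
        later = [h for h in hits if create["ts"] <= h["ts"] <= create["ts"] + window]
        execs = [h for h in later if h["stage"] == "wmic_remote_exec"
                 and h["target"].strip('"').lower() == victim]
        deletes = [h for h in later if h["stage"] == "share_delete"
                   and h["host"].lower() == victim and h["share"].lower() == share]
        if execs and deletes:
            chains.append({
                "victim": create["host"],
                "share": create["share"],
                "sources": sorted({e["host"] for e in execs}),
                "start": create["ts"],
                "end": deletes[-1]["ts"],
            })
    return chains, hits


# Constructed sample telemetry: one full chain against WKS-17 driven from
# WKS-04, plus two benign admin commands that must not fire.
T0 = datetime(2014, 11, 24, 3, 0, 0)
SAMPLE_EVENTS = [
    {"host": "WKS-17", "ts": T0,
     "cmdline": r"cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL"},
    {"host": "WKS-04", "ts": T0 + timedelta(seconds=20),
     "cmdline": r"cmd.exe /c wmic.exe /node:WKS-17 /user:CORP\svc_backup "
                r"/password:P@ss1 PROCESS CALL CREATE \\WKS-17\shared$\system32\taskhostXX.exe"},
    {"host": "WKS-17", "ts": T0 + timedelta(seconds=45),
     "cmdline": r"cmd.exe /q /c net share shared$ /delete"},
    {"host": "FS-01", "ts": T0 + timedelta(minutes=2),
     "cmdline": r"net share Projects=D:\Projects /GRANT:CORP\Engineering,CHANGE"},
    {"host": "WKS-04", "ts": T0 + timedelta(minutes=3),
     "cmdline": "wmic.exe os get caption"},
]

if __name__ == "__main__":
    chains, hits = find_chains(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']:%H:%M:%S} {h['host']:<7} {h['stage']}")
    for c in chains:
        print(f"CHAIN: {c['share']} on {c['victim']} from {c['sources']} "
              f"({int((c['end'] - c['start']).total_seconds())}s)")
```

Two caveats if you adapt this: stages 1 and 3 only show up in the target's own logs, so it needs command-line auditing on workstations, not just servers; and a single stage 1 hit (a `$` share of %SystemRoot% granted FULL to Everyone) is worth alerting on by itself even when the rest of the chain never appears.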

 

Impressive research. It was really interesting reading.

My hat's off to you.

I agree with Vaur! This was a very interesting read!

Nice post. Bump.

Just reading through how the virus works was actually pretty creative. Wild how people think about attacks that way.

I put together a brief presentation with the information in this thread. It seems a few of you were interested, and though I am by no means an expert, I had fun making this video. Not advertising, just providing a link to the video here if anyone is interested.


http://bit.ly/1xFbuep 

Thank you for this, really interesting!