Computational linguists at Taia Global, a cybersecurity consultancy, performed a linguistic analysis of the hackers' online messages -- which were all written in imperfect English -- and concluded that based on translation errors and phrasing, the attackers are more likely to be Russian speakers than Korean speakers.
Such linguistic analysis is hardly foolproof. But the practice, known as stylometry, has been used to contest the authors behind some of history's most disputed documents, from Shakespearean sonnets to the Federalist Papers.
Shlomo Argamon, Taia's Global's chief scientist, said in an interview Wednesday that the research was not a quantitative, computer analysis. Mr. Argamon said he and a team of linguists had mined hackers' messages for phrases that are not normally used in English and found 20 in total. Korean, Mandarin, Russian and German linguists then conducted literal word-for-word translations of those phrases in each language. Of the 20, 15 appeared to be literal Russian translations, nine were Korean and none matched Mandarin or German phrases.
Mr. Argamon's team performed a second test of cases where hackers used incorrect English grammar. They asked the same linguists if five of those constructions were valid in their own language. Three of the constructions were consistent with Russian; only one was a valid Korean construction.
"Korea is still a possibility, but it's much less likely than Russia," Mr. Argamon said of his findings.
Even so, Taia Global's sample size is small. Similar computerized attempts to identify authorship, such as JStylo, a computerized software tool, requires 6,500 words of available writing samples per suspect to make an accurate finding. In this case, hackers left less than 2,000 words between their emails and online posts.
It is also worth noting that other private security researchers say their own research backs up the government's claims. CrowdStrike, a California security firm that has been tracking the same group that attacked Sony since 2006, believes they are located in North Korea and have been hacking targets in South Korea for years.