MY TAKE: Was Sony Pictures hacked by two different intruders?

By Byron V. Acohido

Hot on the heels of Sony Pictures’ massive network breach, the FBI today issued an unusual “flash alert” to U.S. businesses to be on the lookout for a nasty, data-destroying malware attack.

The FBI stopped short of directly connecting its warning to the Sony hack, leaving cybersecurity experts to debate several plausible scenarios, including the possibility that Sony was hit by a succession of distinct attacks.

Lucas Zaichkowsky, a defense architect at Resolution1 Security, tells ThirdCertainty he can envision a scenario in which Sony sustained two attacks, from two different intruders, one overlapping the other.

“Corporations face cyberattacks on a regular basis, so overlap in timing on two high profile attacks is a likely explanation,” Zaichkowsky posits. “One attack appears to involve North Korea with the goal of destroying data using custom-made malware. The other is being conducted by the Guardians of Peace (#GOP).”

More: Posting of Sony’s contracts opens Pandora’s box of liabilities

Zaichkowsky reasons that the release of blockbuster Sony movies and business documents is a tactic one can expect from hacktivists leveraging insider help. And #GOP’s demands that Sony practice employment equality and restructure its corporate hierarchy fall in line with classic hackivist behavior .

Wiping hard drives clean, on the other hand, is a classic tactic of nation-state-backed espionage, he says.

Sony employees exposed

Meanwhile, security blogger Brian Krebs of KrebsOnSecurity is reporting that the block of stolen data released thus far by #GOP includes 25 gigabytes of data on Sony’s own employees.

Now circulating on the Internet, Krebs reports:

  • a global Sony employee list
  • a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals
  • an April 2014 audit report listing names, dates of birth, SSNs and health savings account data on more than 700 Sony workers

This is on top of the sales and syndication contracts, production schedules, phone lists, private key files, source code files, password files for Oracle, SQL and other databases, hardware inventory and network maps and outlines that surfaced over the weekend.

More: Running summary of Sony hack major developments

“Sony has been hacked in at least two different ways, via an exfiltration attack and a malware attack,” observes Russell Stern, CEO of networking vendor Solarflare Communications. “This highlights one of the problems with cybersecurity detection systems today. These systems may be able to block traffic coming in but rarely block traffic going out.”

Kevin Bocek, vice president of threat intelligence at security firm Venafi, says the loss of cryptographic keys and digital certificates guarding sensitive systems should be especially unnerving for Sony.

“Once these keys are stolen, the attackers can get access to other systems, and then it just goes from bad to worse,” Bocek says. “The only way that the attackers can truly be stopped from accessing these systems is by replacing the keys and certificates. Until then, they will continue to wreak havoc and cause more damage with elevated privileges, the ability to decrypt sensitive data in transit, and spoof systems and administrators.”

Data wiping not new

The FBI and Sony have declined to comment specifically about the Sony hack.

According to Krebs, the FBI’s warning notes that an unnamed attack group has been taking steps to wipe computer hard drives—and specifically the underlying “master boot record,” or MBR, on the affected systems—of all data.

If that turns out to be true in Sony’s case, the damage to the entertainment and media giant could run very, very deep.

Craig Williams, a senior technical leader on Cisco’s Talos team tells Third Certainty that data-wiping malware is nothing new.

Cisco’s Talos team has examples of this type of malware dating back to 1998, and recent headline-grabbing examples include Cryptowall and Cryptolocker, the tools used in ransomware attacks.

In a ransomware attack, the victim gets an infection that locks up his or her computer. The attacker demands a payment to return control. But after a ransom gets paid, the lost data doesn’t necessarily get restored.

Williams notes that wiping systems also is a means to hide the attacker’s tracks. It’s an “effective way to cover up malicious activity and make incident response more difficult,” he says.

The FBI’s flash alert notes that the agency “has high confidence that these indicators are being used by CNE [computer network exploitation] operators for further network exploitation,” and that some of the coding language is in Korean.

North Korea connection

On the surface, the use of Korean language in the coding lends credence to speculation that the hackers are nation-stated-backed by North Korea to punish Sony for a movie it is about to release: The Interview, a Seth Rogen and James Franco black comedy about a CIA plot to assassinate North Korean leader Kim Jong-un.

But in the anonymous Internet, not everything is what it seems. #GOP could, in fact, be backed by another party motivated to damage North Korea’s global standing.

Or as Zaichkowsky, the expert from Resolution1 Security suggests, it could be a case of  two separate attacks.

“North Korea has been known to use their own cyber weapons in past attacks against South Korea to destroy data, causing disruption,” says Zaichkowsky. “The same tools have been observed by the incident responders investigating a Sony breach.’

Adds Solarflare CEO Stern: “Cyber attacks are now big business as well as a means of state-sponsored economic warfare. The war will continue. The bad guys will invest in the means to attack and the good guys will invest in the means to defend. It is an arms race.”


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone