Sony Got Hacked Hard: What We Know and Don’t Know So Far


[Image credit: Getty Images]



Who knew that Sony’s top brass, a line-up of mostly white male executives, earn $1 million and more a year? Or that the company spent half a million this year in severance costs to terminate employees? Now we all do, since about 40 gigabytes of sensitive company data from computers belonging to Sony Pictures Entertainment were stolen and posted online.

As so often happens with breach stories, the more time that passes the more we learn about the nature of the hack, the data that was stolen and, sometimes, even the identity of the culprits behind it. A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts. Here’s a look at what we do and don’t know about what’s turning out to be the biggest hack of the year—and who knows, maybe of all time.


Who Did It?


Most of the headlines around the Sony hack haven’t been about what was stolen but rather who’s behind it. A group calling itself GOP, or Guardians of Peace, has taken responsibility. But who they are is unclear. The media seized on a comment made to a reporter by an anonymous government source that North Korea might be behind the hack. The motive? Retaliation for Sony’s yet-to-be-released film The Interview, a Seth Rogen and James Franco comedy about an ill-conceived CIA plot to kill North Korean leader Kim Jong-un.


If that sounds outlandish, that’s because it likely is. The focus on North Korea is weak and easily undercut by the facts. Nation-state attacks don’t usually announce themselves with a showy image of a blazing skeleton posted to infected machines or use a catchy nom-de-hack like Guardians of Peace to identify themselves. Nation-state attackers also generally don’t chastise their victims for having poor security, as purported members of Guardians of Peace have done in media interviews.


Nor do such attacks result in posts of stolen data to Pastebin—the unofficial cloud repository of hackers everywhere—where sensitive company files purportedly belonging to Sony were leaked this week.


We’ve been here before with nation-state attributions. Anonymous sources told Bloomberg earlier this year that investigators were looking at the Russian government as the possible culprit behind a hack of JP Morgan Chase. The possible motive in that case was retaliation for sanctions against the Kremlin over military actions against Ukraine. Bloomberg eventually walked back the story and admitted that cybercriminals were more likely the culprits. And in 2012, U.S. officials blamed Iran for an attack that erased data on thousands of computers at Saudi Aramco. No proof was offered to back the claim, but glitches in the malware used for the attack suggested it was less likely a sophisticated nation-state operation than a hacktivist assault against the oil conglomerate’s policies.


The likely culprits behind the Sony breach are hacktivists—or disgruntled insiders—angry at the company’s unspecified policies. One media interview with a person identified as a member of Guardians of Peace hinted that a sympathetic insider or insiders aided them in their operation and that they were seeking “equality.” The exact nature of their complaints about Sony is unclear, however.


Similarly, in a cryptic note posted by Guardians of Peace on Sony machines, the hackers indicated that Sony had failed to meet their demands, but didn’t indicate the nature of those demands. “We’ve already warned you, and this is just the beginning. We continue till our request be met.”


One of the purported hackers with the group told CSO Online that they are “an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.”


The person said the Seth Rogen film was not the motive for the hack but that the film is problematic nonetheless in that it exemplifies Sony’s greed. “This shows how dangerous film The Interview is,” the person told the publication. “The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.”


How Did the Hack Occur?


This is still unclear. Most hacks like this begin with a phishing attack, which involves sending emails to employees to get them to click on malicious attachments or visit websites where malware is surreptitiously downloaded to their machines. Hackers also get into systems through vulnerabilities in a company’s website that give them access to backend databases. Once on an infected system in a company’s network, hackers can map the network, steal administrator passwords to gain access to other protected systems on the network, and hunt down sensitive data to steal.


How Long Had Sony Been Breached Before Discovery?


It’s unclear when the hack began. One interview with someone claiming to be with Guardians of Peace said they had been siphoning data from Sony for a year. Last Monday, Sony workers became aware of the breach after an image of a red skull suddenly appeared on screens company-wide with a warning that Sony’s secrets were about to be spilled. Sony’s Twitter accounts were also seized by the hackers, who posted an image of Sony Pictures CEO Michael Lynton in hell.


News of the hack first went public when someone purporting to be a former Sony employee posted a note on Reddit, along with an image of the skull, saying current employees at the company had told him their email systems were down and they had been told to go home because the company’s networks had been hacked. Sony administrators also reportedly disabled VPN connections and Wi-Fi access in an effort to control the intrusion.


What Was Stolen?


The hackers claim to have stolen a huge trove of sensitive data from Sony, possibly as large as 100 terabytes of data, which they are slowly releasing in batches. Judging from data the hackers have leaked online so far, this includes a list of employee salaries and bonuses; Social Security numbers and birth dates; HR employee performance reviews, criminal background checks and termination records; correspondence about employee medical conditions; passport and visa information for Hollywood stars and crew who worked on Sony films; and internal email spools.


All of these leaks are embarrassing to Sony and harmful and embarrassing to employees. But more importantly for Sony’s bottom line, the stolen data also includes the script for an unreleased pilot by Vince Gilligan, the creator of Breaking Bad, as well as full copies of several Sony films, most of which have not been released in theaters yet. These include copies of the upcoming films Annie, Still Alice and Mr. Turner. Notably, no copy of the Seth Rogen flick has been part of the leaks so far.


Was Data Destroyed or Just Stolen?


Initial reports have focused only on the data stolen from Sony. But news of an FBI flash alert released to companies this week suggests that the attack on Sony might have included malware designed to destroy data on whole systems.


The five-page FBI alert doesn’t mention Sony, but anonymous sources told Reuters that it refers to malware used in the Sony hack—though it’s not clear they’re in a position to know this. “This correlates with information that many of us in the security industry have been tracking,” one of the sources said. “It looks exactly like information from the Sony attack.”


The alert warns about malware capable of wiping data from systems in such an effective way as to make the data unrecoverable.


“The FBI is providing the following information with HIGH confidence,” the note reads, according to one person who received it and described it to WIRED. “Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”


The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.


It’s unclear if these files were found on Sony systems. So far there have been no news reports indicating that data on the Sony machines was destroyed or that master boot records were overwritten. A Sony spokeswoman only indicated to Reuters that the company has “restored a number of important services.”
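The two things the FBI alert gives a defender to act on are the MBR-overwrite behaviour and the two payload filenames. The script below, an added example and not code from the article or the FBI alert, shows how a responder might turn those into checks: it parses a 512-byte master boot record and reports indicators that it has been overwritten (no 0x55AA signature, no partition entries, a sector filled with one repeated byte), and it walks a directory tree looking for the named driver files. The sample MBR and the fake driver directory are constructed inline so the script runs offline; the partition layout, the `run_demo` scenario and the temp-directory paths are assumptions made for the demonstration.

```python
import os
import struct
import tempfile

# Payload filenames named in the FBI flash alert quoted in the article.
PAYLOAD_FILENAMES = {"usbdrv3_32bit.sys", "usbdrv3_64bit.sys"}

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector):
    """Parse a 512-byte MBR: four 16-byte partition entries at 0x1BE, 0x55AA at 0x1FE."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[0x1FE:0x200] == BOOT_SIGNATURE,
            "partitions": partitions}


def mbr_wipe_indicators(sector):
    """Return the reasons this sector looks overwritten; an empty list means it parses sanely."""
    reasons = []
    if len(set(sector)) == 1:
        # A wiper that fills the sector with one byte (zeros, 0xFF, ...) leaves no structure at all.
        reasons.append("sector is a single repeated byte")
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        reasons.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        reasons.append("no partition entries")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            reasons.append("invalid status byte 0x%02x" % p["status"])
        if p["sectors"] == 0:
            reasons.append("partition of zero length")
    return reasons


def build_sample_mbr():
    """Constructed sample MBR: zeroed boot code, one bootable NTFS (0x07) partition, valid signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1000000)
    return b"\x00" * PARTITION_TABLE_OFFSET + entry + b"\x00" * 48 + BOOT_SIGNATURE


def find_payload_files(root):
    """Walk root and return paths whose file name matches one of the alert's payload names."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in PAYLOAD_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def run_demo():
    """Constructed scenario: one intact MBR, one zero-filled MBR, and a fake driver directory."""
    intact = mbr_wipe_indicators(build_sample_mbr())
    wiped = mbr_wipe_indicators(b"\x00" * MBR_SIZE)
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "Windows", "System32", "drivers")  # assumed layout
        os.makedirs(drivers)
        for name in ("usbdrv3_64bit.sys", "disk.sys"):
            with open(os.path.join(drivers, name), "wb") as fh:
                fh.write(b"MZ")  # placeholder content; only the name is checked here
        hit_names = [os.path.basename(p) for p in find_payload_files(root)]
    return {"intact": intact, "wiped": wiped, "payload_hits": hit_names}


if __name__ == "__main__":
    # On a live Windows host you would read the first 512 bytes of \\.\PhysicalDrive0
    # (administrator rights required) instead of calling build_sample_mbr().
    print(run_demo())
```

Two caveats apply when using something like this for real. A filename match is the weakest kind of indicator: the operator can rename the driver at will, so the check is only useful as a quick sweep across many hosts, and a hash or signature of the actual file is what you want for confirmation. And an MBR that parses cleanly does not prove the host is untouched; the alert also describes overwriting of data files, which this check says nothing about, so a clean MBR should be followed by verifying the filesystem itself.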


