The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look at the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.
In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.
The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:
- “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”
- “The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”
- “Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”
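The infrastructure-overlap check the FBI describes, reduced to a small analyst script: pull the IPv4 strings a sample has hardcoded, drop internal addresses that say nothing about external infrastructure, and intersect the rest with a set of addresses already tied to earlier activity. This is an added example, not code from the FBI or the original post; the sample strings and the "known infrastructure" set are constructed from documentation address ranges and are not real indicators.

```python
import ipaddress
import re

# Constructed stand-in for the printable strings pulled out of a malware sample
# (e.g. with the `strings` utility). All addresses are from TEST-NET documentation
# ranges or RFC 1918 space; none is a real indicator.
SAMPLE_STRINGS = b"""
cmd.exe /c net use
\\\\192.0.2.45\\admin$
http://198.51.100.7:8080/update
203.0.113.200
10.0.0.1
999.1.1.1
"""

# Constructed set standing in for addresses an analyst already associates with
# earlier activity (hypothetical values).
KNOWN_INFRA = {"198.51.100.7", "203.0.113.200", "203.0.113.9"}

# Addresses inside these ranges describe the victim's own network, not external
# command-and-control infrastructure, so they are excluded from the comparison.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Dotted-quad candidates; the look-around keeps "1.2.3.45" from matching as "1.2.3.4".
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_ipv4(blob: bytes) -> set:
    """Return syntactically valid, non-internal IPv4 addresses hardcoded in blob."""
    found = set()
    for match in IPV4_RE.findall(blob):
        text = match.decode("ascii")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # e.g. 999.1.1.1: looks like an address but an octet is out of range
        if any(addr in net for net in INTERNAL_NETS):
            continue
        found.add(text)
    return found


def infrastructure_overlap(blob: bytes, known: set) -> dict:
    """Compare the sample's hardcoded addresses against previously linked infrastructure."""
    hardcoded = extract_ipv4(blob)
    overlap = hardcoded & known
    ratio = len(overlap) / len(hardcoded) if hardcoded else 0.0
    return {"hardcoded": hardcoded, "overlap": overlap, "overlap_ratio": ratio}


if __name__ == "__main__":
    result = infrastructure_overlap(SAMPLE_STRINGS, KNOWN_INFRA)
    print("hardcoded:", sorted(result["hardcoded"]))
    print("overlap with known infrastructure:", sorted(result["overlap"]))
    print(f"overlap ratio: {result['overlap_ratio']:.2f}")
```

Overlap of this kind is one signal among several; on its own it shows shared infrastructure, not who operated it.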
The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.
“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”
SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.
Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email, apparently from the attackers, saying they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers about The Interview online be removed from the Internet.
A ‘MAGIC WEAPON’
Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.
“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”
Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.
According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.
While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.
In any case, it’s unlikely that U.S. officials relish the conclusion that North Korea is the aggressor in this attack, because it forces the government to respond in some way and few of the options are particularly palatable. The top story on the front page of The Wall Street Journal today is an examination of what the U.S. response to this incident might look like, and it seems that few of the options on the table are appealing to policymakers and intelligence agencies alike.
The WSJ story notes that North Korea’s only connections to the Internet run through China, but that pressuring China to sever or severely restrict those connections is unlikely to work.
Likewise, engaging in a counter-attack could prove fruitless, or even backfire, the Journal observed, “in part because the U.S. is able to spy on North Korea by maintaining a foothold on some of its computer systems. A retaliatory cyberstrike could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said policy makers remain squeamish about deploying cyberweapons against foreign targets.”
IMPLICATIONS FOR US FIRMS
If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working — and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.
A critical step that many organizations fail to take is keeping a basic but comprehensive and ongoing inventory of all the organization’s IT assets. Identifying where the most sensitive and mission-critical data resides (identifying the organization’s “crown jewels”) is another essential exercise, but too many organizations fail to take the critical step of encrypting this vital information.
Over the past several years, we’ve seen a remarkable shift toward more destructive attacks. Most organizations are accustomed to tackling malware infestations within their IT environments, but few are prepared to handle fast-moving threats designed to completely wipe data from storage drives across the network.
As I note in my book Spam Nation, miscreants who were once content to steal banking information and blast out unsolicited commercial email increasingly are using their skills to hold data for ransom using malware tools such as ransomware. I’m afraid that as these attackers become better at situational awareness — that is, gaining a better understanding of who their victims are and the value of the assets the intruders have under their control — these attacks and ransom demands will become more aggressive and costly in the months ahead.
I suspect that suspecting North Korea is a ploy of some sorts. I would also suspect it was a government but doubt it was North Korea!
I am curious why you think the North Koreans are not responsible and who else you think would have the motivation to do this. please comment further.
“I am curious why you think the North Koreans are not responsible and who else you think would have the motivation to do this. please comment further.”
I am skeptical because it was too neat of a tie end to North Korea. We didn’t hear anything about the Interview Movie until later on. If they were just going to do this for the stunt of removing the movie, why not just come out and say it when they first made their announcement? This doesn’t make any sense. Secondly, if they were clever enough to get all that access, you better believe they’d be able to hide their trail and even their IP from anyone who might be looking at the evidence later on. They had enough access to get into the EMAIL servers. So what would prevent them from going back and deleting all the log files? It doesn’t make a lot of sense in my book not to cover your footsteps. This is why I am skeptical that it was another government and North Korea is just a scapegoat and a ploy for the media.
Actually I’m surprised they tried to hide their trail at all. Many times the Chinese were so arrogant they didn’t even try to hide the facts, and even left notes in the target computers taunting any forensic investigators after the attack.
Do we know for sure that their email servers were compromised and mail spools stolen?
Much more likely IMHO is that the bad guys just needed to browse PC/laptop HD’s and network drives and collect all the PST files they could find…and I bet there were masses of them.
Unless blocked via a GPO, users have a terrible habit of depositing PST’s all over the place with no regard for security
Ok, so you have a point, but we also know of the SMB Worm (Server Message Block) and that if the user did have a password-protected PST file then it was unlikely to be a high ranking person in Sony. So let’s just try to brute force attack all PST files, and there must have been massive amounts because of how many GB of data was stolen. It wouldn’t be as quick as just copying the email as it is being delivered. That was probably what the SMB worm was doing until the C&C told it to do a self destruct on whichever computer or server it was in. Now this is a theory nonetheless, but I can’t see them getting the good juicy emails from top executives by trying to guess the password. On the other hand they could have had a keylogger installed and found the password that way. Again, if we knew the details this would be so much easier to understand, but because the FBI is pointing fingers it makes me skeptical and somewhat dubious of the whole NK did it routine! Also Sony could have gotten the government to say that so they wouldn’t be AS Liable as before. Just saying…
I don’t buy this for a second. Easy scapegoat in my opinion. They may not be as good as the Russians or the Chinese, but even the North Koreans are better than this…
Again, who else could be responsible for this? And please explain what you mean by “even the North Koreans are better than this”. Do you mean better at evading detection or what?
“Again, who else could be responsible for this?”
The correct answer: Just about anyone. There’s nothing about this incident that couldn’t have been done by just about any hacking group anywhere in the world. Granted, the likelihood is that it was done by some group located in Asia – but that’s about it. It could have been done by groups in China, South Korea, Japan, and other areas.
There is also the question of how this much data got removed from Sony’s systems without the aid of an insider.
The article says “there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.” Someone could be working for Sony in Japan, yes?
“Again, who else could be responsible for this?”
The Sony Playstation was recently under attack by the Lizard Group. Several years ago Lulzsec went at the Sony Playstation network as well. There are other accounts of attacks on Sony from other less known hackers.
If you understand hacker culture you’d recognize Sony has long been a target of hacking groups. Perhaps it’s a reaction to what they see as being heavy handed with copyright legislation? Perhaps it’s Sony BMG rootkit scandal years back?
I find it very difficult to believe this is a case of “nation hacking”. It looks to me very much like an organized crew of black hats. There is the grandiose (ego) nature in the public announcement of the hack. There is the classic pastebin dump of the data. There is all the classic glory & ego typical of that subculture. And just as important is the release of emails which embarrass those running the corporation. To the hacker culture, the “1%” and government is the enemy. I doubt this is a case of doing it for the “lulz”. It looks more like a case of a group of black hats hired to commit corporate espionage & embarrass the company.
If you ask me the whole “North Korea did it” seems like a quick and easy way to deflect attention from Sony. We’ll all start focusing on Kim Jong instead of the content of the emails of the management at Sony.
I don’t see why you’re making a distinction between “nation hackers” to use your words and any other hacker(s) and further why you think the two groups you imagine exist would act any differently to each other in the current situation.
Thank you for finally providing some evidence. It felt like mostly claims and hearsay before reading this blog post. I’ll admit until the gritty details are released and our research people confirm, I’ll be skeptical. I’m skeptical mainly because this attack seemed so much like an inside job. It also seems like the people behind this attack are very sensitive to American culture.
Before idiots start demanding we bomb North Korea – actually, major idiot Newt Gingrich already has – let’s remember some facts:
1) North Korea has a motivated million-man army, with 120,000 Special Forces, scores of thousands of tanks and artillery. This is far more important than the few “dud” nuclear weapons they might possess.
2) North Korea can destroy Seoul, the capital of one of our largest trading partners, within 72 hours of a conflict beginning via artillery and missile attacks.
3) Pentagon war games indicate fifty thousand US casualties in the first ninety days of a conflict – no doubt including the 20-odd thousand troops stationed in South Korea as a first reaction force.
As far as the FBI attribution of the Sony hack to North Korea per se as a nation state, almost no one in the infosec community is buying it, based on the well-known figures I follow on Twitter. A lot of them believe that a Sony insider is more likely given the massive amount of data that was removed from Sony’s systems.
Given that the FBI bases it proclamation on known tools and techniques previously used and widely available in North Korea, South Korea, Japan and China – not to mention just about everywhere else in the world – there is unlikely to be a “smoking gun” anywhere to prove it one way or the other.
What is totally clear is that Sony’s pulling of the movie from distribution – and let’s not forget the numerous theater chains who refused to run it in any event – has demonstrated a degree of corporate cowardice in the face of random hacker threats which clearly were without significant probability of being carried out. This is what happens when you let lawyers run your company.
The REAL story of importance is that some of the stolen Sony emails reveal that a Rand Corporation contractor acting as a consultant on the movie, with the support of a member of the US State Department, convinced Sony to leave the actual assassination scene in the movie, despite Sony’s trepidations on the advisability of showing the assassination of an actual sitting state leader (especially given the known belligerence of North Korea). This was done on the incredibly stupid notion that once the DVD somehow got imported into North Korea someone in North Korea might actually be tempted to assassinate the leader.
Given the unlikelihood of that scenario, not to mention the advisability of advocating the assassination of state leaders as a matter of diplomatic practice, one wonders how stupid the people working at the State Department actually are.
However, one should also remember the movie of last year – Olympus Has Fallen – which basically accused North Korea of being insane enough to attack the White House with a handful of terrorists (and a gun ship). That movie was released without any regard for North Korea’s sensitivities. So why is Sony caving in over a comedy movie, which, note, most critics have panned?
The theory I hear is that Sony is more concerned over the effects of the release of its data than any threat by random hackers to blow up theaters. Part of those effects may well be its bowing to US State Department pressure to insult North Korea.
If we’re concerned over “censorship” of movie content, perhaps we should look more deeply into Sony’s relationship with the State Department than its relationship with North Korea.
Olympus Has Fallen was used as a news piece saying “see what we did!?” to the DPRK faithful. It wouldn’t get condemned by them because it was an attack on the US. Now take the name of the Dear Leader in vain (or have a scene where you’re arguing for weeks about how many bloody chunks his head explodes into) and that’s a nuke attack.
My point is that Sony wasn’t concerned about North Korea’s reaction over Olympus Has Fallen either way, regardless of how North Korea might have spun it.
The fact that the plot involved a North Korea dissident might have caused NK to react badly. Also, the mere fact that the movie was entirely a smear on North Korea itself could have caused a bad reaction.
I think the fact that Sony actually was hacked contributes more to their pulling of the movie – not to mention they’re probably reacting to their lawyer’s claims about liability – than any actual belief that the later threats were real.
Unfortunately for Sony, they are still being hacked and the hackers are now threatening more data release unless Sony complies with new demands. So Sony’s capitulation has backfired completely.
Wasn’t Newt one of the politicians who was so upset about a film being made showing the attempted assassination of a US president?
I know that consistency is not high on any list of politicians’ values, but one would hope Newt and others might have a look in the mirror before deciding that the US should “forcefully insist on regime change”. Gingrich may also want to consider how that went with Iraq, and the ‘quality’ of the ‘evidence’ he accepted in that case.
Are the North Koreans really behind this?
Sony make a film showing CIA trying to get foreign Head of State killed.
A bit embarrassing (particularly at the moment), so how do they get it pulled?
Get their friends in NSA to hack Sony (not exactly difficult – they could have done it themselves)
Phone a few cinemas, plant stories of threats in press
Sony then pull the film
CIA (and others) then blame North Korea for violation of free speech. Win-Win. They want us to believe that “our data” will be hacked by foreign governments (so why not let our governments do it as well?). They want us to believe that we are under attack and need to be more compliant to be protected.
Is that narrative any less credible?
Given that you just made it up and showed no evidence it is much less credible.
As in it’s a product of your imagination.
I hope you are able to distinguish between reality and your own imagination better than this post might indicate…
The FBI said it “couldn’t disclose all of its sources and methods” because, you know, it came directly from the N.S.A., which means everything is labeled top secret in the name of national security.
Oh geez, you mean the NSA did the job they are supposed to be doing?
“The NSA/CSS core missions are to protect U.S. national security systems and to produce foreign signals intelligence information. ”
Let us all tremble in fear!
Being an “Info Security Pro” you would think that a person of your background wouldn’t believe the government lies and that they monitor the phone and internet access of most American people. Come on now, we are slowly living in a police state.
We might not have it as bad as the North Korea people now but we are slowly moving towards that in the United States in the distance future.
The B.S. extortion attempts from North Korea are just going to make people in the United States want to see this movie even more, which in the end will pay off for S.P.E.
I’ve seen the teasers and trailers, it doesn’t look like a movie worth paying money for anyway.
How can we prepare, identify and prevent this sort of an attack, with a zero day exploit and activity that does not trigger anomalous behavior? The attackers mentioned that they were in the network for over a year, which I don’t believe if it was in reaction to the movie, unless they knew about the movie, had threatened Sony not to release it and when their threat was ignored, they unleashed the “bomb”.
FYI 11/13 it was public that The Interview was about an assassination and as early as 1/11/14 that it was about NK.
Based on just having looked up the IMDB page on the wayback machine.
That /could/ fit the time line. Not saying it proves anything, other than they could’ve known.
I read that North Korea officially registered its displeasure at the movie back in June. If they knew about it as far back as January, it seems they weren’t all that concerned about it.
And it could just as easily be explained by a group using the movie and North Korea’s known belligerency as a means of covering their tracks. Again, the movie wasn’t mentioned by the hackers for the first 11 days after the exposure of the hack until the media jumped on that aspect of the story.
I wasn’t asserting this as proof of anything, other than they /could/ have known over a year ago. Upcoming movie plots aren’t exactly state secrets.
I’m not sure I believe the arguments on any side of this, as I just don’t have enough information. On one side, it /could/ have been NK, on the opposite spectrum, it could be that we are falling victim to the same kind of propaganda and media control that NK uses on its people – and a lot of plausible theories in between.
My biggest thought on this, is the lack of attempt to monetize the hack for those responsible, which leads to /some/ sort of political motivations, state based or not. Someone spent a LOT of time and energy doing this, IMO, and they don’t want money from it….no matter the aggressor, that’s a dangerous thing.
If North Korea hacked Sony to prevent the release of The Interview, why was the scene showing Kim Jong-un’s death leaked online? Why would the hackers do precisely what they want to prevent?
Good question. I wondered the same thing myself. It makes no sense.
I attended your Dec. 4th Spam Nation presentation. From your comments that evening I have the distinct impression you are one of the skeptics who could be forgiven. True?
It’s irritating that the FBI is being secretive. Let us hope that an independent commission reviews their work before anyone starts taking actions that might escalate into international incidents.
Correct. It just doesn’t smell right. Too many inconsistencies in motivation, action and reaction. Whoever is responsible seems to understand Western media culture quite well. Despite what’s been said in the media, this does not appear to be a sophisticated attack, and — with a little inside help — this could have been done by an amateur group initially for the lolz, and later for more political reasons that matched the media frenzy about all of this.
Brian, do you really believe Sony’s security is so pathetic that amateurs would be able to deliver this entire package so effectively and with no evidence left to identify them? That seems pretty incredible on its own.
As for Sony’s pathetic security, read this:
Sony, Hacked: It’s Not One Massive Breach – It’s More Than 50 Breaches in 15 Years
The industry’s insiders shifted gears once again when it was revealed that Sony’s passwords were in a password-protected file, and the password to this file was ‘password’.
Considering the scuttlebutt is that this all started with a single compromised sony user password, everything else becomes pretty trivial with a little time and money.
Remember that we’re talking Sony Pictures here, which is effectively just Columbia Pictures with a Sony badge rather than a division developed from scratch by Sony Corporate, so it’s a different mindset.
Very few people in Hollywood take security seriously unless it’s their movie footage they’re protecting. The security demands they place on third party vendors are far more strict than the standards they adhere to themselves.
That’s the really frustrating thing about this hack. Sony Pictures keeps all of its movie footage on air gapped networks with very strict access controls (networks that were completely unaffected by this hack) – the movies that were leaked were screener copies on a cloud server with a compromised password – if they’d kept all of their sensitive information on the same network as their raw movie footage, none of us would be having this conversation (assuming it is indeed Best Korea and not a disgruntled employee).
“Sony Hack: What they’re not telling you”. It’s on YouTube.
Is the Sony Hack connected to the Cybersecurity Bill languishing in Congress?
If it wasn’t before, it is now.
Just as if the renewed Russia relations with North Korea weren’t part of it, it is now.
Last year, Iran and Syria were the Big Bad. Now it’s Russia and North Korea. Nothing like anteing up the likely consequences of a misstep leading to war…
My personal feeling is that the attack was initially extortion/revenge motivated, but may well have pivoted to the movie when it became apparent that Sony weren’t going to pay up.
NK may have even been in contact with the group responsible and offered to pay them to kill the movie.
It would fit with the timeline that we’re aware of and also implicate NK, but after the fact, rather than as a prime motivator.
Ah yes personal feelings, always a good guide as to what happened in reality 😀
Well, I have yet to hear a convincing argument as to why a group of hackers, ostensibly motivated by a desire to kill a movie, would have spent the first couple of weeks trying to extort money out of Sony instead.
Personal feelings … often a better guide to the truth than what our government tells us. Decades of evidence on that one, I’m sorry to say.
That was my initial reaction and I’m still suspicious. It could be any one of a number of malcontents with inside access.
But to those who contend it couldn’t be N Korea because they would have covered their trail better, I disagree. I believe N Korea wants the world to think they are responsible for this (maybe even if they aren’t).
The real beauty of this is, if the real perpetrator is someone with inside access, using N Korea as a “fall guy”, they picked a fall guy who wants to take the blame. This might make a pretty good movie, someday.
Yea, I’m not buying. There’s too much revenge involved. Too much known about where to look for data. The “GOP” didn’t even mention The Interview until their second or third threat, after the media got on board. You can proxy an attack from anywhere. This was an insider.
If we want to get into more conspiracy theory ideas, there’s this:
Russia-North Korea Opening Sends Message to US, the Region
Given that Obama and the US State Department are clearly determined to restart the Cold War, it’s possible that the alleged Sony Hack is actually a response to closer Russia-North Korea ties. Perhaps far-fetched, but the fact is the Sony Hack is going to bring US hostility to North Korea to the fore again.
Given Sony’s relationship with the US State Department, and the ridiculous idea floated there that the movie could actually inspire the assassination of the North Korean leader, is this any more ridiculous to suggest? There are some serious lunatics running the US State Department these days. (Look up Victoria Nuland, responsible for the Ukraine crisis..)
ErrataRob (Robert Graham) weighs in:
The FBI’s North Korea evidence is nonsense
He makes the same points I did above.
Why the Sony hack is unlikely to be the work of North Korea.
Many people keep insisting that there must’ve been insider help. While possible, for an attack like this against a company with a security track record as bad as Sony’s, it’s really not necessary.
Based on the varied amount of evidence at this point, I think it seems safe to say that North Korea were the root originators of the attack. Was the actual APT group composed of North Koreans, and/or people living in NK? Not necessarily. Some of the attackers may’ve even done it for money instead of nationalist zeal. But regardless, if you’re trying to argue that NK is being framed then you’re starting to sound like a conspiracy theorist. They clearly planned and funded it.
I think the main reason that infosec people are suggesting insider is because of the massive amount of data exfiltrated, not so much the methods used in the hack.
There is ZERO evidence publicly available that the North Korea STATE per se “planned and funded it.” At best, it would appear that some group which either supports North Korea and/or hates Sony is behind it. This isn’t even certain. It could well be some group doing it for the “lulz”. As for “funding”, how much does a hack of a security-incompetent company cost? Not much.
North Korea apparently did officially register its displeasure at the production of the movie back in June. However, there were hacks at Sony before that in February, so the timing doesn’t jibe.
As for “framing North Korea”, that is undoubtedly in the interest of US hawks, because of long-standing hostility towards the country, especially in the light of Russia’s recent re-activation of its ties which have been dormant for decades.
It may seem like “conspiracy theory”, but framing one country for another’s hacks is not unknown. And framing a country for alleged hostile acts is a COMMON tactic for the US – e.g., Iraq, Iran, North Korea, Syria, Russia, China, ad nauseam.
Based on the FBI’s refusal to be specific, it seems likely that “the evidence is being fixed around the policy”, as the saying from the Iraq war goes.
Moving 100TB out of one of the largest entertainment / content creator networks in the world is a drop in the bucket. They are also an international organization too. Therefore, the idea that the network team wouldn’t spot movement of 100TB is not a concern or surprise to me.
It’s not how much the data is compared to the potential amount Sony stores, it’s how you MOVE that much data over the Internet even at gigabyte speeds.
Granted, if the hackers were in Sony for a year or more AND had access to Sony’s high speed corporate links, they could move it OUT pretty fast – but how about where it ends up being RECEIVED?
It would even be hard to move that much data if you were simply copying it to a high speed NAS and moving it physically off the premises.
Of course, perhaps the estimate of data stolen is incorrect by a factor of ten or a hundred. That would be more likely.
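The exchange above turns on whether a network team would notice bulk egress at all, and on how long moving a given volume actually takes. The block below is an added example, not from the post or any commenter: it aggregates outbound bytes per internal host per day from constructed NetFlow-style records, flags host-days that stand out against the rest of the estate, and computes the wall-clock time a transfer needs at a given link rate. The flow records, address ranges, and thresholds are assumptions for illustration, not Sony’s network or the actual intrusion.

```python
"""Egress-volume detection over constructed NetFlow-style records.

Added example (not from the original post or any of the commenters).
All flows below are constructed; address ranges and thresholds are
assumptions chosen to illustrate the technique.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
# Most host-days are a few MB of ordinary web traffic; one file server pushes
# hundreds of GB to a single external address in one day.
SAMPLE_FLOWS = [
    ("2014-11-01T09:12:00", "10.20.5.17", "93.184.216.34", 443, 4_200_000),
    ("2014-11-01T11:40:00", "10.20.5.17", "198.51.100.9", 443, 1_800_000),
    ("2014-11-01T10:05:00", "10.20.5.18", "198.51.100.9", 443, 12_500_000),
    ("2014-11-01T16:30:00", "10.20.5.19", "93.184.216.34", 80, 900_000),
    ("2014-11-02T08:55:00", "10.20.5.17", "93.184.216.34", 443, 3_100_000),
    ("2014-11-02T13:20:00", "10.20.5.18", "198.51.100.9", 443, 7_400_000),
    ("2014-11-02T01:10:00", "10.20.7.40", "203.0.113.77", 443, 250_000_000_000),
    ("2014-11-02T05:45:00", "10.20.7.40", "203.0.113.77", 443, 250_000_000_000),
    ("2014-11-02T09:30:00", "10.20.7.40", "203.0.113.77", 443, 120_000_000_000),
    # Internal-to-internal and inbound flows are not egress and must be ignored.
    ("2014-11-02T00:30:00", "10.20.7.40", "10.20.5.17", 445, 50_000_000_000),
    ("2014-11-02T00:31:00", "93.184.216.34", "10.20.5.17", 443, 9_000_000),
]

# Assumed internal ranges (RFC 1918); adjust to the estate being monitored.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    return any(ip in net for net in INTERNAL)


def egress_by_host_day(flows):
    """Sum bytes sent from each internal host to external destinations, per calendar day.

    Aggregating per host rather than per destination matters: staged exfiltration
    is often spread over several external endpoints, any one of which looks small.
    """
    totals = defaultdict(int)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(ip_address(src)) and not is_internal(ip_address(dst)):
            totals[(src, ts[:10])] += nbytes
    return dict(totals)


def flag_outliers(totals, factor=10.0, floor_bytes=1_000_000_000):
    """Return (host, day) pairs whose egress exceeds both an absolute floor and
    `factor` times the median host-day, largest first.

    The median makes the baseline robust to the outlier itself; the floor stops
    a tiny estate from flagging a normal 50 MB day as ten times a 5 MB median.
    """
    if not totals:
        return []
    baseline = median(totals.values())
    hits = [(key, total) for key, total in totals.items()
            if total >= floor_bytes and total >= factor * baseline]
    return sorted(hits, key=lambda kv: -kv[1])


def transfer_hours(total_bytes, link_bits_per_second, utilisation=1.0):
    """Hours needed to move `total_bytes` over a link at the given fraction of its rate."""
    return total_bytes * 8 / (link_bits_per_second * utilisation) / 3600


if __name__ == "__main__":
    totals = egress_by_host_day(SAMPLE_FLOWS)
    for (host, day), total in flag_outliers(totals):
        print(f"{day} {host}: {total / 1e9:.0f} GB egress")
    for rate in (10**9, 10**10):
        print(f"100 TB at a saturated {rate / 1e9:.0f} Gbit/s link: "
              f"{transfer_hours(100 * 10**12, rate):.0f} h")
```

The arithmetic behind the commenter’s doubt: 100 TB at a fully saturated 1 Gbit/s link is about 222 hours (over nine days of continuous transfer), and about 22 hours at 10 Gbit/s; at the 20–30% utilisation a busy production link can actually spare, multiply accordingly. Whether that is noticed depends less on the absolute volume than on whether anyone aggregates outbound bytes per host at all.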
The hackers said they gained access to Sony’s networks from inside Sony.
“Sony left their doors unlocked, and it bit them,” a GOP member known as “Lena” told CSO Magazine. “They don’t do physical security anymore.”
The hackers reportedly stole a key password from someone in IT. US investigators told CNN the hackers stole the computer credentials of a system administrator, which gave them broad access to Sony’s computer systems.
Once on the network, they planted malware. Some security experts, and documents obtained by Ars Technica, say that this was a form of “wiper” malware. Generally, that refers to malware designed to destroy the data, although in this case they used malware to collect data, too. The malware used Microsoft Windows management and network file-sharing features to spread, shut down the network, and reboot computers, reports Ars Technica.
This so-called wiper was apparently a variant of the type that a group called DarkSeoul used on South Korean banks last year. The FBI confirmed that the Sony malware found resembled that used in the bank hack.
Let me get this straight: if this is classified as a terrorist attack under the Patriot Act, Sony cannot be held liable for the data breach? In other words, no one can sue Sony Pictures?
I would love to hear an attorney ring in on this.
Wasn’t this already blatantly obvious? Shame on Sony for thinking that a movie that was set to incite controversy should be held on a server with a crappy security infrastructure. North Koreans are skilled with cyber security; thoughts of a possible breach should have at least been considered with all of the drama swirling around this film since it was first discussed. I just don’t understand how all of these major companies watch breach by breach happen but never think to invest more money into improving their security systems. Then, when the breach happens, millions more end up being lost.
It appears to me that the FBI proof just isn’t substantive enough–it’s too circumstantial. In their failure to release adequate proof of active North Korean governmental involvement, they are just adding flame to the fire. Looks like there is enough material here for another Roswell incident due to official mishandling.
You realize that a lot of their corroborating evidence is probably the result of NSA signals intelligence? If they have access to North Korea’s infrastructure, they don’t exactly want to reveal that to the world.
I’m *definitely* not saying the FBI or the NSA are infallible, but they have a lot more data about this breach than anyone in the world (except the intruders), and if they are very confident it’s North Korea then I think that’s the simplest explanation, unless you want to go down the route of conspiracy theories by accusing them of intentionally lying.
In other words, your “simplest Occam’s Razor” theory is that the NSA, FBI and CIA never lie…
I generally sooner believe the opposite of what those 3-letter agencies say.
Where, o where is Dennis Rodman now when we need him most?? Threatening to send a drunk Rodman back to Pyongyang may be our most proportionate response! 😉
It’s great to see so many commenters that aren’t stupid on this.
It’s clearly either a political (false flag) move with a few hidden agendas yet to be seen.
Or possibly a hijacked hack.
Remember lots of hacking tools are multi-packed, so the real hacker(s)’ reasons (and possibly what they were after) are still likely not known.
We are told things to make us draw the conclusions they want us to have.
While this capitulation just burns me to the core, North Korea must have something truly damning on everyone for them to be scrambling like this … I wonder what?
CERT just issued an advisory on the worm used to hit Sony…
Hackers Used Sophisticated SMB Worm Tool to Attack Sony
“…connects to a C2 infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said.”
So, yeah, that totally proves North Korea was behind it. 🙂
Oh, and the worm “During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase “National Football League.”
We all know how North Korea really enjoys the National Football League… 🙂
Brian, are you being DDoS’d at this time? Your site is incredibly hard to get to. Numerous timeouts. Or is it just traffic from the Sony post?
Perhaps it’s your incessant commenting slowing down the site.
I think the most likely scenario is someone approached a laid off system admin or one who knew he was going to lose his job. I’ll bet they have a very flat active directory structure with links so that a senior admin could login to any of the Sony domains/sub domains without even providing credentials.
Once the hacker has the admins creds, then it would be trivial to move around laterally and exfiltrate tons of data.
Maybe North Korea did the actual attack but with admin creds how sophisticated an attack does it really need to be? It’s more like picking and choosing what data you want to take.
After all of that, then the blackmail and extortion can take place. That wasn’t the initial attack and exfiltration though, as I see it.
Right. As Kevin Mitnick said on Twitter, getting admin creds…how hard is that…taking candy from a baby? 🙂
The main problem with the North Korea theory is that they had no initial reason to target Sony a year ago. The movie reason only cropped up later. One would have expected it to be the main reason and brought up early on by the hackers once the hack was exposed. They didn’t, even though North Korea itself DID complain back in June. That disconnect just doesn’t work. It almost certainly means the hackers latched onto the movie as a reason later after their initial monetary goals weren’t achieved. The hack changed from extortion to chaos. And Sony played right into it by capitulating.
And then the US government decided to go along for geopolitical reasons and possibly reasons involving the Cybersecurity bill.
The worm allegedly used to hit Sony also doesn’t appear to have any North Korea connection. Anyone could have used it, and it doesn’t appear to be particularly sophisticated compared to other malware out there. It’s also more destructive than anything else with an MBR wiper component, and a hard disk wiping component as well as data gathering. It brute forces SMB shares, not an exactly sophisticated approach needing nation state resources.
No initial reason?
You mean apart from the fact that they are at war with the USA and there appears to be a long history of attacking networks obviously.
I think you may be guilty of ignoring some evidence to make the theory fit.
Sony is not the USA.
Granted, North Koreans don’t like Japanese, either. But the main motivation here doesn’t target the US directly, but indirectly via the threats against the theater showings of the movie – which came up belatedly and which were blatantly not credible.
This is vastly more likely to be some more or less independent group that doesn’t like the US AND Sony and is using North Korea’s beefs with the US and Sony as cover. And North Korea is happy to go along with them (although we need to remember North Korea has denied any involvement other than “moral support”.)
Chongryon? Hmm! Sounds like the same nefarious activity SONY has been rumored doing too! Maybe the Yakuza Mob and the Chongryon can duke it out in the streets of Japan, and make a SONY movie about it called – wait for it – “Everybody was Kung Fu fighting!” – HA! 😀
Which came first? Did they steal the data and then put in place a wiper-type malware to burn down the place or did they actually use some malware to gain access?
Not clear to me as I haven’t been following all the analysis.
The SMB Worm Tool they used appears to be for moving around once inside the network, compromising more hosts via SMB shares. How they got in the first time isn’t clear, but probably was some sort of phishing (if it wasn’t an insider.)
For a company the size of Sony, it’s nearly impossible to prevent a breach. What’s important is what happens after the initial breach. If they don’t detect it, the breach can spread fast until you practically have to tear down the network to get rid of the hackers. It’s clear Sony did not detect this breach for months at least. That’s the only way that amount of data could have been exfiltrated (if in fact it was a huge amount.)
It’s also interesting to note that CNN is reporting the hackers were in China but were North Korean? Does that really make sense? Isn’t it more likely the NKs just outsourced the job to the Chinese, who clearly have the chops?
Or far more likely that Chinese hackers – and the Chinese aren’t terribly fond of North Korea – are using North Korea as the perfect cover.
That’s exactly what I was thinking!
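Two behaviours come up repeatedly in the comments above: a tool that brute-forces SMB shares to spread between hosts, and a stolen administrator credential used to hop across a flat domain. Both leave a recognisable shape in Windows Security logs, and both are what a defender would hunt for “after the initial breach”. The block below is an added example, not from the post, its commenters, or the CERT advisory: it runs two detections over a constructed, simplified rendering of the fields a 4624 (successful logon) and 4625 (failed logon) event carry. The pipe-delimited line format, host names, accounts, and thresholds are assumptions; real EVTX records are XML and would need a proper parser in front of these functions.

```python
"""Two detections over constructed Windows Security log lines.

Added example (not from the original post, the commenters, or US-CERT).
The line format  timestamp|event_id|logon_type|target_host|source_ip|account
is a constructed simplification of the 4624/4625 fields, not real EVTX.
Hosts, accounts and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_events():
    """Build the sample: benign background, one SMB brute-force burst, one admin hop."""
    base = datetime(2014, 11, 20, 2, 0, 0)
    lines = [
        f"{base.isoformat()}|4624|2|WS-0412|-|jsmith",                           # interactive, benign
        f"{(base + timedelta(minutes=3)).isoformat()}|4625|3|FS01|10.20.5.50|jsmith",   # one typo, benign
        f"{(base + timedelta(minutes=40)).isoformat()}|4624|3|FS01|10.20.5.50|jsmith",  # normal share access
    ]
    # Brute force: one source cycles six accounts, four rounds, ~2 minutes, all against FS01.
    guessed = ["administrator", "backup", "svc_sql", "itadmin", "guest", "helpdesk"] * 4
    for i, acct in enumerate(guessed):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}|4625|3|FS01|10.20.5.23|{acct}")
    # Lateral movement: a stolen admin credential logs on to eight hosts inside 30 minutes.
    hosts = ["FS01", "FS02", "DC01", "PRINT01", "WS-0412", "WS-0413", "HR-DB", "MAIL01"]
    for i, host in enumerate(hosts):
        lines.append(f"{(base + timedelta(minutes=10 + 3 * i)).isoformat()}|4624|3|{host}|10.20.5.23|sadmin")
    return "\n".join(lines)


SAMPLE_EVENTS = _constructed_events()


def parse_events(text):
    """Parse the constructed line format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, host, src, acct = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "type": int(ltype),
                       "host": host, "src": src, "acct": acct.lower()})
    return sorted(events, key=lambda e: e["ts"])


def smb_bruteforce_sources(events, window=timedelta(minutes=5), min_failures=20, min_accounts=5):
    """Source IPs with >= min_failures network (type 3) failed logons spanning
    >= min_accounts distinct accounts inside `window`.

    Share guessing arrives as logon type 3 failures at the target. Requiring several
    distinct accounts separates guessing from one user hammering a stale password.
    Returns {source_ip: (failures, distinct_accounts)} for the densest window.
    """
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] == 3:
            failures[e["src"]].append(e)
    hits = {}
    for src, evs in failures.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e["acct"] for e in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_accounts \
                    and (best is None or len(chunk) > best[0]):
                best = (len(chunk), len(accounts))
        if best:
            hits[src] = best
    return hits


def lateral_movement_accounts(events, window=timedelta(hours=1), min_hosts=5):
    """Accounts with successful network logons (4624, type 3) to >= min_hosts
    distinct hosts inside `window`. Returns {account: sorted hosts} for the widest window.

    Ordinary users touch one or two file servers; an account fanning out across many
    hosts in a short span is the signature of credential reuse for lateral movement.
    """
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] == 3:
            logons[e["acct"]].append(e)
    hits = {}
    for acct, evs in logons.items():
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(best):
                best = hosts
        if best:
            hits[acct] = sorted(best)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("SMB brute-force sources:", smb_bruteforce_sources(evs))
    print("Lateral movement accounts:", lateral_movement_accounts(evs))
```

Two caveats a practitioner would add. A busy file server produces type 3 failures all day from expired passwords and misconfigured service accounts, so the thresholds have to be tuned per estate rather than copied. And the lateral-movement rule only fires if successful logons are being collected centrally from member servers and workstations, not just from domain controllers; on a flat domain where one senior admin can reach everything, that collection is the control that turns “admin creds make it trivial to move around” into something that is at least visible.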
Project Goliath retaliation? Elephant in the Room
Motive Method Opportunity
Attorney General Jim Hood of Mississippi on Friday agreed to call a “time out” in his fight with Google after the Internet giant filed a lawsuit accusing him of conspiring with the movie industry.
A very good recap of the situation and some good analysis can be found here:
A Breakdown and Analysis of the December, 2014 Sony Hack
Clarifies a number of things, including the fact that the actual amount of data leaked so far is in the gigabytes range, not terabytes (yet), which weakens the insider theory somewhat (not necessarily entirely.)
Someone anonymously posted on Pastebin the following: “Sony hackers DX. they hackers from Tunisia Hacker Team but covering as Guardians of Peace for op WeekofHorror to attack USA and support Syria and goverments that fight USA (china, korea, iran).”
That makes a lot of sense to me: a group that dislikes the US, dislikes Sony, and is using the name of a previously unknown group as cover. This matches with several other major hacking events where the name of a previously unknown group was used. Some of those incidents might be linked to North Korea and some to other regions.
That theory makes more sense than the FBI theory blaming it all on North Korea. Bob Graham put up a new blog post saying that it was done by the James Bond group Spectre – as an illustration how hacking groups work and how attribution is extremely difficult.
Anatomy of a NYT Piece on the Sony Hack and Attribution http://jerichoattrition.wordpress.com/2014/12/18/anatomy-of-a-nyt-piece-on-the-sony-hack-and-attribution/
Worth the read.