Sony Security Breach: Unprecedented and Unparalleled. Or Is It?

Posted by George Yunaev on 2014-12-19 15:48:00

If you thought the Apple iCloud breach was the biggest security hit on Hollywood this year, you’d be wrong. The recent attack on the film studio Sony Pictures is considered the biggest one yet, as the damage affects not only the company, but also its employees and film collaborators. The attackers, who call themselves the Guardians of Peace #GOP, leaked a treasure trove of internal data: high-quality screening copies of Annie, Fury, Mr. Turner and Still Alice, sales projections for a number of TV shows, company budgets, IT security plans and access credentials, personal information of employees and artists working with Sony, as well as payroll and compensation data. Given the amount of top secret data leaked, the FBI has joined the investigation, along with the security company that Sony hired to clean up its networks and restore its systems.
So we’ve got the crime, the good guys and the bad guys (talk about Hollywood movies!), but what about the motive? Initially there were rumors that North Korean hackers wanted to take revenge because Sony’s upcoming movie, The Interviewer, mocks the state’s politics, but recent findings indicate that the attackers wanted equality and protested against Sony’s “greed” and “indiscriminate restructuring”. We’re talking hacktivism.

And what about the ‘weapon’? Representatives of the security company hired by Sony to investigate the case have reportedly called the breach “unprecedented in nature and an unparalleled crime”[1], and described the malware as “undetectable by industry standard antivirus software”[2]. However, these claims have been criticized by security professionals, who dismissed them as attempts to help Sony hide from liability behind the veil of advanced persistent threats.



Let’s look at recent findings to shed some light on the matter.

According to FBI investigation notes, the malware used to perform the Sony security breach is similar to the one used in attacks on South Korea in 2013, and it:

  • Installs on a user machine after the user clicks on an infected e-mail attachment (fortunately, this capability has not been called an “advanced”, “unprecedented technique” that no antivirus could detect);

  • Communicates with the attackers’ C&C network through IP addresses hard-coded into it (as much other malware has done over the last decade);

  • Steals the data from the infected machine (again, nothing new here – remember the CardSystems Solutions breach of 2005?);

  • Wipes the data on the user's machine - the old-timers will surely remember Chernobyl/WinCIH of 1998, which destroyed not only data on the hard drive, but also the BIOS of the machine, making it pretty much impossible to even reinstall the system.

So far, nothing unheard of. And the more research is published on this malware[3], the less advanced it looks.

The fact that it can both steal and wipe data does not make it unique: every remotely controlled bot that can execute commands on the infected machine is capable of doing so if instructed. The unusual aspect seems to be the use of a kernel driver for wiping the data at the physical level, which can go unnoticed by monitoring tools, assuming there are tools which actually monitor activity such as mass file deletion.
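Hard-coded C&C addresses, as in the FBI list above, leave a trace a defender can look for: the infected host connects to an external address it never looked up through DNS. The following is an added example, not code from the original article or from any vendor; the log layouts, the internal range and the one-hour window are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample logs (documentation addresses, not incident data).
DNS_LOG = [  # (time in s, client, queried name, address in the answer)
    (100, "10.0.0.5", "updates.example.com", "192.0.2.10"),
    (110, "10.0.0.7", "mail.example.org", "198.51.100.20"),
]
CONN_LOG = [  # (time in s, client, destination, port, bytes sent)
    (105, "10.0.0.5", "192.0.2.10", 443, 5_000),       # resolved 5 s earlier
    (120, "10.0.0.7", "203.0.113.77", 8080, 40_000),   # never resolved
    (130, "10.0.0.7", "203.0.113.77", 8080, 900_000),
    (140, "10.0.0.7", "10.0.0.9", 445, 2_000),         # internal, ignored
    (150, "10.0.0.5", "198.51.100.20", 25, 1_000),     # resolved by another host only
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def direct_ip_connections(dns_log, conn_log, max_age=3600):
    """Outbound connections whose destination the client did not resolve
    through DNS in the preceding max_age seconds, grouped and sorted by bytes."""
    resolved = defaultdict(list)              # (client, address) -> lookup times
    for t, client, _name, addr in dns_log:
        resolved[(client, addr)].append(t)
    totals = defaultdict(lambda: [0, 0])      # (client, dst) -> [connections, bytes]
    for t, client, dst, _port, sent in conn_log:
        if is_internal(dst):
            continue
        lookups = resolved.get((client, dst), [])
        if any(0 <= t - seen <= max_age for seen in lookups):
            continue
        totals[(client, dst)][0] += 1
        totals[(client, dst)][1] += sent
    rows = [(c, d, n, b) for (c, d), (n, b) in totals.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for row in direct_ip_connections(DNS_LOG, CONN_LOG):
        print(row)
```

Sorting by bytes sent puts the host that moved the most data to an unresolved address first, which is the "volume of data" signal quoted in note [2].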

Conclusions


The value of the data stolen and the damage caused to Sony can pass as unparalleled. But the method of attack itself cannot be accurately described as unparalleled or unprecedented, since it presents similarities with previous attacks.

So why has the breach been called “unparalleled” and “unprecedented” despite the obvious evidence to the contrary? We can only speculate at this point, but the most discussed explanation is that it has been done to cover up Sony's blatant flaws in security[4]. Besides the huge amount of data (by volume) released, nothing in this attack is unprecedented or novel. And we’ve already seen articles hinting that the security at Sony was way below what a reasonable person would expect, which opens up the possibility of lawsuits for damages.[5] “It was a state-sponsored attack which nobody would be able to defend against” sure sounds better than “it probably was not wise to keep all passwords together in the folder named Passwords[6]”.

As we’ve pointed out before, there are different opinions as to what constitutes an advanced threat, and how exactly a modern security solution differs from a traditional one. However, when it comes to massive breaches like the one experienced by Sony, it is imperative that security experts come to an agreement on what threats can be classified as “unparalleled” or “unprecedented”. Otherwise, controversy and speculation are likely to arise, affecting the compromised company even more.
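The "folder named Passwords" problem is one an internal audit can find before an intruder does. The following is an added example, not code from the original article: it walks a file share and reports directories and documents whose names suggest stored credentials, along with whether accounts other than the owner can read them. The name patterns, extension list and sample layout are assumptions constructed for illustration.

```python
import os
import re
import stat

# Assumed naming hints and document types; tune both for the share being audited.
NAME_HINT = re.compile(r"passw(or)?d|passwd|pwd|credential|login", re.I)
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".zip", ".txt", ".csv"}

def others_can_read(path):
    """True when the POSIX 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_share(root):
    """Return sorted (kind, relative path, document count, readable by others)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = [f for f in files if os.path.splitext(f)[1].lower() in DOC_EXT]
        rel = os.path.relpath(dirpath, root)
        if rel != "." and docs and NAME_HINT.search(os.path.basename(dirpath)):
            # One finding for the whole directory instead of one per file.
            findings.append(("directory", rel, len(docs), others_can_read(dirpath)))
            continue
        for name in docs:
            if NAME_HINT.search(name):
                path = os.path.join(dirpath, name)
                findings.append(("file", os.path.join(rel, name), 1, others_can_read(path)))
    return sorted(findings)

def build_sample(root):
    """Create a small constructed share layout (empty files) under root."""
    layout = {
        "Password": ["servers.xlsx", "social media.docx", "vpn.pdf", "notes.tmp"],
        "Finance/2014": ["budget.xlsx", "admin_logins.txt"],
        "Scripts": ["reset_password.ps1"],
    }
    for folder, names in layout.items():
        path = os.path.join(root, *folder.split("/"))
        os.makedirs(path)
        for name in names:
            open(os.path.join(path, name), "w").close()
    os.chmod(os.path.join(root, "Password"), 0o755)
    os.chmod(os.path.join(root, "Finance", "2014", "admin_logins.txt"), 0o600)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_share(tmp):
            print(finding)
```

The check looks at names and permissions only; it does not open the files, so findings need a manual review before anything is moved into a password manager or vault.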


 

One last point: even as of December 15th – two weeks since the hack – some security vendors still do not detect this malware, which makes it even more important to ensure you choose your security vendor carefully.

 


Source: Virus Total

 

 


Notes:

[1] “Sony Pictures Entertainment made its first substantive comments […] calling the effort “unprecedented in nature” and an “unparalleled crime” carried out by “an organized group.” The comments, attributed to Kevin Mandia — head of security firm Mandiant, which has been helping Sony in its investigation of the incident”. Source: http://recode.net/2014/12/07/sony-describes-hack-attack-as-unprecedented/

[2] “The truth is, there is nothing new about what these attackers are doing,” [Ken Levine] said. “They are using the same tactics they’ve used before to get inside these organizations—someone clicks on an attachment with malware and the malware sits and waits—and FireEye and/or other security products could have, should have caught this, especially given the volume of data that was stolen.” Source: http://arstechnica.com/security/2014/12/unprecedented-cyberattack-no-excuse-for-sony-breach-pros-say/

[3]  See: http://securelist.com/blog/research/67985/destover/, http://www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-

[4] “To protect [Sony's] image, they need this to be an unpreventable, incredibly sophisticated attack.” Source: http://mashable.com/2014/12/08/sony-hack-unprecedented-undetectable/

[5] “Our source told us that Sony's security was "outdated and ineffective." The person described Sony's security policies as "idiotic" and expected more from a company with more than 100,000 employees worldwide.” Source: http://www.businessinsider.com/sony-insider-the-security-team-has-no-fing-clue-2014-12

[6] “The exposed Sony passwords were included in a file directory called "Password." The directory held 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts.” Source: http://www.businessinsider.com/sony-leak-reveals-thousands-of-passwords-in-obvious-password-folder-2014-12

 

George Yunaev

George Yunaev is a Senior Software Engineer at Bitdefender. He joined the company's OEM Technology Licensing Unit in 2008, after working at Kaspersky Lab for seven years. Aside from developing SDKs for various OEM solutions, George is also providing partners and prospects with useful insights into emerging threats and potential pitfalls of technology licensing. His extensive software engineering experience of 19 years also covers reverse-engineering and malware analysis. He is based in Silicon Valley, California, and enjoys traveling and active sports such as skydiving and wakeboarding.

Topics: Threats, Cloud Security, Network Security