The attack against Sony Pictures Entertainment
Date : December 07, 2014
The attack that targeted Sony Pictures Entertainment (SPE) company figured prominently in the news in December 2014, with the long series of events: sabotage of the Sony IT system, blackmail, disclosure of confidential information, withdrawn of the "The Interview" movie and even US government charges against North Korea. Things took such a magnitude that it is difficult to now sort out the truth and falsehood in the statements of stakeholders. To clarify this, we present below a summary as factual as possible.
Chronology of events
November 24, 2014: The message "Hacked by #GOP" ("GOP" stands for "Guardian Of Peace") is suddenly displayed on all SPE computers that are connected to the corporate network. The message further announces that if SPE does not obey the pirates, confidential data will be made public. All the impacted computers are then blocked, and employees must work without computers for several days.
November 25, 2014: 5 films produced by SPE (including 4 yet unpublished ones) are made public by hacker, by dropping them on file sharing sites.
November 28, 2014: According to unofficial information, SPE seems to suspect that the incident is related to North Korea and to the upcoming release of "The Interview" movie, which mocks the North Korean leader.
December 1, 2014: The salaries of firm top executives are disclosed on Internet. In the following days many internal information is also published: copy of actor’s passports, budgets and contracts of certain films, scenario for the next James Bond, etc. One can imagine that hackers secretly discuss with Sony and that the successive disclosures are part of blackmail. Press analyzes the disclosed documents and relays the most "juicy" information.
December 9, 2014 and later: Disclosure escalation gets worth with the release of SPE top management emails. And the hackers announce that they are preparing a mass publication for Christmas Day. Sony will announce later that it thinks that hackers have stolen many personal data related to employees (including medical records). Hackers claim to have in their possession 100 terabytes of data. Sony employees later start a "class action" against their employer for "failure to protect" their personal data.
December 16, 2014: The hackers send emails to the press announcing physical attacks against theatres that would broadcast "The Interview" movie. The day after, Sony announces that it cancels the movie (originally scheduled for the Christmas day). At that date, it seems that the attackers suddenly stopped communicate and disappeared, and the case turned into a political matter.
December 19, 2014: The FBI announces that it thinks that North Korea is responsible for this attack against SPE. President Obama mentions the fact in his press conference. A series of diplomatic exchanges then take place between North Korea and the US, in parallel with multiple speculations from experts about the possible perpetrators of these attacks (see below).
December 23, 2014: Sony announces that "The Interview" movie will finally be available for Christmas, as video on demand, and in theatres wishing to broadcast it. The movie was actually released on December 25, 2014.
Is North Korea involved in these attacks?
The FBI justifies its charge by several observations:
- North Korea has complained repeatedly about the forthcoming release of "The Interview" movie. In July 2014, for example, it talked about it of apology of terrorism and acts of war (see this article of TheGuardian).
- The communication style, the malware (dubbed as “Destover”) used to block targeted computers, and the IP addresses involved are similar to those already seen in previous attacks also attributed to North Korea, and in particular to the attack (dubbed as “DarkSeoul”) seen in 2013 that targeted South Korea.
Note: On December 22nd, North Korea was impacted by an incident which cut it connections with Internet during about 10 hours (see this UsaToday.com article). It is difficult to tell if this is either accidental or real attack, and who would have launched such attack. The Press also indicated that Sony launched DDOS attacks to block file sharing web site where the hackers dropped the data they steal to Sony. Again it is very hard to know if this information is true or not.
The hypothesis that Sony attack was done (or driven) by North Korea is disputed by several analysts who argue that:
- The request for the withdrawal of « The Interview » movie was not in the initial demand of the attackers. This new demand could have been opportunistically adopted when this topic was publicized.
- The same kind of malware (which overwrite the MBR of infected computers to block them at startup) has also been seen in the “Shamoon” incident which blocked the Aramco petroleum firm in 2012. “Shamoon” was later attributed to Iran and has no link with North Korea.
The other hypothesis about the attackers
Several other hypothesis were made about this attack:
- The Norse company thinks that the attack was probably performed with the help of a former Sony Pictures Entertainment employee. This assumption relies on the fact that the malware used for this attack includes hardcoded names and password for several SPE servers. By looking at the last restructuring plan done by SPE (in May 2014), Norse found one person who was made redundant and could have assist the attackers.
- The Taia Global Company, which is expert in language analysis, claims that the mistakes done in the English texts written by the attackers suggest that the attackers are Russians.
- A member of the “Lizard Squad” hacker group (this group is known for its DDOS attacks against several game servers, and in particular for the attack on Chrismas day against Xbox Live et Playstation Network) told during an interview, that he gave several logins and passwords of Sony Pictures Entertainment Pictures employees to the attackers (the GOF group). The attacker could have breached SPE network using these logins.
- Finally, the FBI director recently told that the hacker could have breached SPE network in late September using a “Spear phishing” email (a trapped email sent to a targeted recipient inside the company).
Conclusions
This SPE case probably has not finished reveal all its secrets. But it is impressive to see the multiple impacts that the successive disclosure of stolen data had (beyond the down times for the SPE IT system):
- Loss of profits on the films that have been made public (it is estimated that a film loses 19% of its value when it is made available for free on the Internet)
- Destabilization of company top managers by publication of their salaries and private conversations
- Impact on employees privacy, due to the disclosure of personal data,
- Disclosure of strategic information of interest for competitors,
Apparently, the hackers gained access to a large range of information (emails, HR, contracts, movie footages, etc.). This lead to the conclusion that either their IT system is not very compartmented, or the hackers got access to multiple privileged accounts.
For further information
- Chronology of the events :
http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
http://www.theguardian.com/film/2014/dec/18/sony-hack-the-interview-timeline
- About possible North Korea involvement:
http://bits.blogs.nytimes.com/2014/12/24/new-study-adds-to-skepticism-among-security-experts-that-north-korea-was-behind-sony-hack/
http://www.counterpunch.org/2014/12/30/who-was-behind-the-cyberattack-on-sony
- About Russian involvement:
http://www.nydailynews.com/news/national/theory-emerges-sony-hacking-suggesting-russian-hackers-article-1.2057181
- About insider complicity:
http://www.theguardian.com/film/2014/dec/30/sony-hack-researchers-claim-sacked-employees-could-be-to-blame
- About Lizard Squad involvement:
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/29/a-qa-with-the-hackers-who-say-they-helped-break-in-to-sonys-network/
- About possible Spear Phishing attack (last § of the article):
http://www.dnaindia.com/scitech/report-fbi-director-sheds-light-on-sony-hackers-cyber-threats-2052538