Sony Pictures - The Full Story

A bit of history

In the world that we live in today, it is not uncommon for big organizations to face some cyber-attacks. In fact, any decent sized organization would have faced some heat in the last few years. JP Morgan, LinkedIn, Microsoft, Standard Chartered, Alibaba, Home Depot, I could go on and on, have all been in the news. Eventually, if the adversaries are motivated enough, and given enough resources, it is only a matter of time before an organization gets compromised.

Sony is no exception to this rule. As per the public records available, Sony was compromised a whopping 21 times, between Apr-2011 and July-2011 alone. That is an average of more than once per week, during that time. As a response, they beefed up their security, and announced a new CISO (Philip Reitinger), around Sep-2011.

Goes without saying, one person cannot change the security posture of a company overnight. In fact, they continued to get compromised in Oct-2011, and Sep-2012, and again in Jul-2013. I am not trying to pass any judgment, but it did seem as if Sony was not taking security too seriously, at the time. Nevertheless, things did appear to have improved after early 2012.



Sony Pictures Hack

When Sony Pictures employees got into the office on Monday, 24-Nov-2014, they discovered that their corporate network had been hacked by “#GOP”. The attackers took terabytes of private data, deleted the original copies from Sony computers, and left threatening messages, on the computer screens of the employees. Apparently they had some demands, and Sony was given one day to comply, but I am not sure what these demands exactly were.

The impact: The organization had to switch to typewriters and fax machines, just because the network was so badly compromised, that no workstation or server could be trusted. In fact, even at the time of writing this, Sony is still not confident if their network is clean and trusted.



Lost, Leaked, Damaged?

It is estimated that about 100 TB of data was stolen. Not all has been leaked on the internet. What we do know so far:
  • Five Sony movies were leaked on peer-to-peer networks (torrents). Four of these movies were unreleased at the time (including ‘The Interview’). Meaning, a direct impact to the revenue of the company.
  • The employee’s healthcare, social security numbers, and salary data was leaked. In fact the employees later filed a class-action law suit against Sony, because of the lost personal data.
  • Internal email communication, which put some of the famous actors in bad light. So, these actors may now think twice about working with Sony again.
  • There was even an internal email, with a racist joke on President Obama
  • Budgets of some movies (like the upcoming James Bond Spectre), and what aliases are used by the Hollywood stars
  • Passport details of actors, movie crew, etc.

  • Worse, company lost the private keys to its digital certificates. This was later used to sign malware, and make it look like legit Sony products. The certs were quickly revoked by their CA (DigiCert). However, it is still a kick to the company’s goodwill to have malware signed as ‘trusted’ under their name.



The Interview

Now supposedly this whole attack is in retaliation to a movie called “The Interview”, a comedy movie that makes fun of the North Korean leader Kim Jong-un, and has a plot built around his assassination. The hacking group Guardians of Peace (GOP) issued a warning to Sony to not release the movie. In fact the employees of Sony too got some scary threats, to leave the company. Moreover, the movie theaters were threatened as well, and were warned to not play the movie.

Under pressure, Sony decided to stop all TV advertisements of the movie, and to scrap the planned Christmas Day release. However, after President Obama gave some confidence to the company, Sony made a U-turn on their decision, and finally did release the movie in theaters and VOD.




Blame North Korea!


The FBI, and even The President himself, has clearly pointed at North Korea for being the mastermind behind this attack. They are so sure of themselves that the Government even imposed some sanctions on North Korea. On the other hand, the Korean government has repeatedly denied any involvement in the hack. In fact, they even volunteered to help with the investigation.

Some evidence suggests that a former Sony employee may have provided information to Lulzsec members (a hacktivist organization), thus enabling the attack. While some sceptics believe this was all a publicity stunt, orchestrated by Sony.

There is another theory, that the hackers may not even be linked to North Korea. After all, at the  time of the hack, there was no mention of this movie. At the time it was all an extortion attempt. It is only after the media started suggesting that the hack was linked to ‘The Interview’, did the hackers conveniently get inspired by the idea, and played along.



Attribution is Difficult

Why is it so complicated to confirm who were these cyber-criminals? Here let me quote Bruce Schneier, who explains this very well.

Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street, you knew the military was involved because only the military could afford tanks. Cyberspace is different. In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even the potential cyberterrorist. They are all exploiting the same vulnerabilities, using the same sort of hacking tools, engaging in the same attack tactics, and leaving the same traces behind. They all eavesdrop or steal data. They all engage in denial-of-service attacks. They all probe cyberdefences and do their best to cover their tracks.

So in other words, a cyberattack investigation will never lead to a smoking gun, or a video footage of the bad guys, patriotically holding their country’s flag, and typing furiously at their computers.



Known Facts

For obvious reasons neither FBI nor Sony has released all the facts publically. From what we do know, below is a list of some of the facts. Now some of these facts help point at North Korea, whereas most of these are inconclusive.

  1. The threats were written in broken English and North Korea had condemned “The Interview” in a July letter to the U.N. Secretary-General. Hence, they for sure had a motive. They had even called the movie an act of terrorism
  2. After examining the malware used to infiltrate the studio, the FBI said it found similarities with software used in previous cyber-attacks carried out by North Korea
  3. The IP addresses used in the attack are addresses used by North Korea in previous attacks attributed to their government
  4. Guardians of Peace (GOP) had previously sent threatening emails to Sony, sometimes using an Internet provider address used exclusively by North Korea
  5. The malware that was found on Sony’s systems was reverse-engineered, and had Korean language. However, some say it is in a different dialect
  6. Privileged passwords were used for the hack. So, maybe an insider was involved. Alternatively, it is also possible that the hackers were in the network long enough to break into the accounts. In some cases the privileged password was ‘password’ itself. So, cannot take too long to brute-force
The list goes on, but I try to cover the main ones here.



Conclusion

Personally I believe the whole theory of North Korean government being the sponsor of the attack is very circumstantial. In the unlikely scenario that a suspect is taken to the court, I do not see s/he getting prosecuted (based on the evidence we have so far).

Maybe it’s possible that a North Korean, with no links to the government, is behind it. What if there are multiple parties involved here? One who actually did hack and leak the internal data, and another who is just taking advantage of the situation and fueling their own propaganda.

Update 03-Mar-2016:  Some report about Operation Blockbuster & Lazarus Group ?!

2 comments:

vilakshan said...

I was looking to read into the threat model of the Sony attack and found it here. Would not have minded the story to have been presented with Geographic specific. Where all were the Sony systems located etc.

KunSeh said...

@vilakshan: Not sure if I follow your suggestion. I imagine - Sony's servers are all hosted in their own data-center in US. Pls feel free to correct me, if I am mistaken.