In early 2014, George Kurtz and I predicted, in our "Hacking Exposed: Day of Destruction" presentation at the RSA Conference, an increase in data destructive attacks and even showed demos of attacks that can achieve physical destruction. On Nov. 24, that prediction came true with an attack on Sony Pictures Entertainment (SPE) from a SILENT CHOLLIMA adversary, which CrowdStrike attributes to North Korea.
The Sony attack consisted of four phases:
1. The initial infiltration into SPE network, likely through a spearphish email, and the subsequent reconnaissance of that network, theft of administrative passwords, and exfiltration of sensitive data, including confidential emails and unreleased movies and scripts.
2. Deployment of the wiper malware on Nov. 24 across the SPE network with hardcoded administrative credentials inside, which enabled the malware to automatically spread. The malware proceeded to securely overwrite data files and Master Boot Record (MBR) to make the machine un-bootable, as well as launch a local web server hosting a menacing skeleton image and bearing a blackmail threat.
3. In the weeks after the wiper attack, the adversaries have carried out an orchestrated public release (doxing) of sensitive data, with direct outreach to media organizations and the hosting of stolen data on BitTorrent sites. The goal of the release was to bring further embarrassment and damage to the SPE executives, as well as hurt their business, by revealing highly proprietary and confidential business strategies and salary information.
4. Lastly, on Dec. 16, the attackers published a threat of physical violence on Pastebin against movie theaters that carry the film “The Interview,” resulting in the initial cancellation of the theatrical release of the movie.
None of the elements of the attack had been truly novel or unprecedented. Certainly, intrusions and exfiltration of data from corporate networks are a daily occurrence these days. Wiper malware variants, while less common, have been seen in use pervasively by SILENT CHOLLIMA against government, media, and financial institutions in South Korea since 2009; as well as by other adversaries against a variety of targets in the Middle East in recent years. Confidential data releases have been perfected by hacktivist groups like Anonymous over the last decade and physical threats on Pastebin are a dime a dozen.
However, what made the attack on Sony Pictures Entertainment so unique is the highly effective combination of these tactics into a single orchestrated campaign designed to bend a victim to the will of the attackers and blackmail them into canceling the release of the movie that they had found objectionable. Remarkably, they had achieved some success in getting the movie pulled from most of the theaters across the country -- a truly unprecedented event!
This incident also highlighted another important point. It doesn’t matter what business or industry you are in; if you have valuable information that someone might want or if someone has a grudge to bear against you, you are a target. Nation-state attacks are not just something that defense contractors or the financial sector have to worry about. At CrowdStrike, we routinely help companies of all sectors and sizes recover from intrusions by a variety of nation-state sponsored adversaries.
Another important lesson learned from this incident is how critical it is to stop an adversary before they are able to steal credentials. Administrative credentials are the necessary oxygen that fuel the lateral movement and action on objectives stages of the attack kill chain. Without these credentials, an adversary is contained to just the initial machines they have breached. They cannot freely move around the network, access and exfiltrate any part of your data they wish to have access to, or even deploy a wiper malware across your entire network. In other words, you can stop them in their tracks and contain the damage they can possibly cause.
The advantage of focusing detection and prevention efforts on monitoring endpoints and Indicator of Attack (IOA)-based hunting for credential theft activities is that it doesn’t matter how an adversary breached your network or whether their intent is exfiltration or destruction; you can find them and thwart their objectives long before they can act on them.
For the first time publicly, I will be showing the effects of the malware used to target Sony on a real network, in a live simulation Tuesday, Feb. 17 at 2 p.m. EST, on crowdstrike.com. See what Sony employees saw on their machines when they got to work on Monday, Nov. 24 and learn how to keep your organization protected from today’s increasingly sophisticated attackers.