Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/30/2014
01:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Sony Hacked By N. Korea, Hacktivists, Ex-Employee, Or All Of The Above?

FBI gets briefed on ex-Sony employee's possible role in hack as questions remain about who did what and when in epic breach of the entertainment company.

Researchers at Norse Corp. who say an ex-Sony employee may have had a hand in the epic breach of the entertainment company shared their intelligence on the finding with the FBI yesterday. But the FBI today still maintained its stance that North Korea is behind the massive cyber attack.

Norse found no link whatsoever with North Korea in the intelligence it gathered independently on the attacks, which evolved out of its interest prior to the breach in landing Sony as a security customer. But an FBI spokesperson -- who declined to comment on the Norse research and briefing -- today reiterated the agency's unwavering position that North Korea was behind the attack: "Nothing has changed" in that assessment, the spokesperson told Dark Reading.

"There is no credible information to indicate that any other individual is responsible for this cyber incident," according to a statement provided today by the FBI spokesperson.

Interestingly, however, the FBI's statement specifically calls out North Korea for "theft and destruction" of data. Missing from that attribution is the initial intrusion into Sony's network and servers -- the phase researchers from Norse think may have occurred with the assistance of a former Sony employee with an axe to grind.

"The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment," the FBI's latest statement says.

The agency on December 19 provided an update on the breach investigation, confirming that North Korea was responsible for the attack, pointing to the data-wiping malware used that had ties to North Korean hackers; the command and control infrastructure containing IP addresses tied to known North Korean systems; and attack tools with similarities to the attacks waged by North Korea against South Korean banks and media outlets in March of 2013.

Meanwhile, Reuters reported last night that North Korea likely hired hacking help from outside its borders to hit Sony. According to the sources, North Korea alone would have been unable to wage some phases of the attack, and officials are investigating whether Pyongyang subcontracted some of the technical know-how to perpetrate the breach.

Kurt Stammberger, senior vice president at Norse, says the common interest between "Lena," the former Sony employee identified and traced by his firm, and the Guardians of Peace is likely their mutual anger toward Sony: Lena, for getting laid off, and the Guardians for Sony's legal moves in the anti-piracy space. Norse believes Lena, based on her communications and movements, may have teamed up with hacktivists to help carry out the attacks.

He says none of the people Norse has identified are North or South Korean -- they are Americans and Canadians, and a Singapore national as well as individuals from other countries. "None of these people had any kind of obvious tie to the North Korean government that we can see," he says.

But security experts say the breach could well have been the handiwork of a combination of actors and attacks, resulting in a possible "pile-on" effect.

Mark Weatherford, the former undersecretary for cyber security at the Department of Homeland Security, says he initially questioned how the FBI could have drawn its conclusion about North Korea's involvement so quickly. "It's just mindboggling. But on the other hand, the FBI are not dummies, and they know that these statements are going to have great gravity. There must be some smoking gun or some irrefutable evidence they can point to but can't release" publicly, says Weatherford, who is a principal with The Chertoff Group.

"Norse is not going to put themselves out there, either… unless they have something irrefutable themselves," he says.

Richard Bejtlich, chief security strategist for FireEye, a firm that is investigating the Sony breach, says "responsibility" is a nuanced term, especially in the Sony breach. "The attribution debate may depend on how observers define responsibility," he says, noting that the FBI doesn't appear to be differentiating the specific level of involvement North Korea may have had. He points to an FBI statement to The Daily Beast today that adds a twist to the debate over additional actors being involved: "We're not making the distinction that you're making about the responsible party and others being involved."

Bejtlich, who recently blogged about the different levels of attribution for nation-states, says the FBI may have a broader definition of North Korea's actual role in the multi-faceted attack. "They don't think in terms of differentiating state-integrated, state-executed, state-ordered, or state-coordinated activity. If a state has any of those roles, the FBI may consider the state 'responsible,' " he says.

Norse's Stammberger doesn't dismiss the possibility of multiple attacks on Sony by different groups, either: "It may come out in the wash that the big exfiltration attack is actually a series of two or three different attacks or two or three different groups who came together and shared a common cause."

Lena, the disgruntled ex-Sony employee
At the center of Norse's findings is Lena, a woman who had worked for Sony for 10 years in a senior technical position until she was laid off in May during a corporate restructuring. "Lena had the technical knowledge to facilitate the type of attack Sony had, which is why… she remains a person of interest," Norse's Stammberger says. "There are other individuals as well. There's a pretty short list of specific individuals, and we know their names, addresses, and nationalities. They seem to have some connection to this incident."

Norse researchers examined the malware used in the attack and found it was pre-compiled with the addresses for Exchange and Active Directory servers and other specific machines inside Sony's network where "specific" files resided, says Stammberger. Usernames, passwords, and digital certificates also were found. "So this malware was precompiled with some of the keys to the kingdom," he says, adding that the malware was first compiled in July, long before the breach was revealed.

"This was more of a cruise missile than carpet-bombing, which is the typical way malware operates. This was much more targeted."

So if Lena was no longer with Sony, how did she still have access to the network and servers there?

"Perhaps her credentials were not properly retired. Or a very technical person could have easily placed backdoors in servers if they had enough notice before they had to leave… If they were sufficiently pissed off, that would be straightforward to do."

Stammberger notes that the Christmas Day distributed denial-of-service attacks on Sony's PlayStation and Microsoft's Xbox network by the Lizard Squad hacker group were not connected. "They had completely different motives," he says of the attackers.

Meanwhile, the FBI's statement today cited the DHS as one of its sources of intelligence in the investigation. "Attribution to North Korea is based on intelligence from the FBI, the US intelligence community, DHS, foreign partners, and the private sector," the FBI said. "The FBI is committed to identifying and pursuing those responsible for this act and bringing them to justice. While it remains an ongoing investigation, no further information can be provided at this time."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/30/2014 | 3:42:57 PM
N Korea
Unraveling this attack -- who did what when & why -- would be a much better movie script than "The Interview."
Rafer33
0%
100%
Rafer33,
User Rank: Apprentice
12/30/2014 | 7:34:39 PM
Re: N Korea
"Epic breach".....learn to write....my God are you 16??
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/31/2014 | 8:48:47 AM
Re: N Korea
@Rafer33 Like, totally. ;-)
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
12/30/2014 | 9:38:58 PM
Re: N Korea
@Kelly   Agreed !  : ) 
shakeeb
50%
50%
shakeeb,
User Rank: Apprentice
12/31/2014 | 1:34:04 AM
Re: N Korea
I'm sure an ex-employee should be part of it, at least helping the hackers with a backdoor. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/31/2014 | 11:55:10 AM
Re: N Korea
I would have to agree. The amount of pre-compiled inside pieces leans toward the idea that inside intelligence was provided. I will be interested to see how this progresses.
shakeeb
50%
50%
shakeeb,
User Rank: Apprentice
12/31/2014 | 2:01:20 AM
Re: N Korea
@Kelly – I am just waiting to see who was involved in this and how they did it. Seen it as a movie will be wonderful than having it as a script. 
Ed Telders
50%
50%
Ed Telders,
User Rank: Apprentice
12/31/2014 | 11:32:54 AM
Re: N Korea
Kelly, actually, you may really be on to something here.  Of course all the facts are not out yet but most of them will eventually become known.  The right movie, docu-drama, or expose, done well, could really do us a great and needed service.  Given that this happened to the entertainment industry what better source for turning this really tough issue into a public forum.  The media can capture the imagination, fire the interest, and feed the need for some real awareness.  I don't mean another silly comedy movie, but one that really highlights the issues, risks, and importantly the abilities of our  cyber-adversaries.  Maybe it'll wake some folks up !!   
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/31/2014 | 11:41:34 AM
Re: N Korea
@Ed Telders That would be really intriguing IF it was done correctly and Sony was willing to share its lessons learned, etc.

It's yet another example of how a detailed incident response plan (including PR, public disclosure strategy/plan) is crucial to a company's image and how something like this can take on a life of its own in the media if you don't have a good game plan.
Ed Telders
50%
50%
Ed Telders,
User Rank: Apprentice
12/31/2014 | 11:58:11 AM
Re: N Korea
Yes indeed.  In a previous role many years ago I conducted a Business Continuity exercise for my company.  The Public Affairs team was very confident in their relationships with the media and their ability to handle the crisis communications for an event.  So we put them to the test.  I hired some Journalism students from the local university, had them using commercial grade video cameras (tells you how long ago this was) and microphones.  They were given the assignment to simply act as they really would pursuing a story and had them interview the public affairs team, in the room designated for press releases.  They had no script, they simply did exactly what a real live media team would do to cover a story.  Later we had the public affairs team review the tape and critique their own performance.  It was an eye opening experience for them.  They immediately reworked and refined their methods and procedures so that they would be better prepared for the real thing.   Its one thing to create an incident response procedure, it's another thing to actually do it.  Getting some "near reality" exercises improves their abilities as it would for any other team in a disaster scenario.  If more companies spent time exercising their response they would perform better when the real thing happens.  It also gives them the opportunity to find any flaws and weaknesses in their current response procedures and refine them.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/31/2014 | 12:03:56 PM
Re: N Korea
Yep, those simulated events/fire drills are very valuable and IR companies highly recommend businesses practice them.
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
12/31/2014 | 4:49:31 PM
Re: N Korea .. Much better movie
Yeah, but only to us.

Not going to make $1M the first day of release, either.
BertrandW414
50%
50%
BertrandW414,
User Rank: Strategist
12/31/2014 | 12:10:09 PM
Title of movie about all this
@kelly - I think the title of the movie should be "EPIC BREACH". ;-)
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/31/2014 | 12:47:51 PM
Re: Title of movie about all this
:-) #epic
Eric Kruse
50%
50%
Eric Kruse,
User Rank: Apprentice
1/4/2015 | 1:17:00 PM
Ongoing
Kelly.

 

First off way to be the first person who I have seen that actually wrote a decent article on this.  Going to take a piece of the writing out and write a opinion.

      "differentiating state-integrated, state-executed, state-ordered, or state-coordinated activity. If a state has any of those roles, the FBI may consider the state 'responsible,' " he says."

 

This is exactly what most poeple dont understand.  I love reading the articles by every major media outlet that talks to some cyber-security research firm who all have conflicting opinions about attribution.  The thing it, you do not know how the FBI (Intelligence Community in general) came to that conclusion.  For a company to say that makes me very weary of adding a talking point to selling their product with respective customers.  

 

I'd place a little bit of faith in the intelligence community on this one as no one is really looking for another black eye and congressional inquiry on a topic like this.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/5/2015 | 8:11:52 AM
Re: Ongoing
Thank you, @fpdesignco. You are spot on: the bottom line is we really don't know what the FBI knows. 
SamsonY579
50%
50%
SamsonY579,
User Rank: Apprentice
1/5/2015 | 3:54:47 PM
Petition the Whitehouse to allow an independent review of the evidence.
On November 24th, 2014 Sony Pictures Entertainment, was the victim of a cyber-attack, and on January 2nd, 2015, the Treasury imposed sanctions against the Democratic People's Republic of Korea, more commonly known as North Korea.

The premise of the sanctions is the assertion by the FBI that the cyber-attack was committed by North Korea, an assertion that has been publicly refuted by computer security experts based on information available to them.

To avoid a repeat of the "WMDs in Iraq" debacle, the President could allow a well-respected, non-partisan, independent audit by a cyber-security firm, of the evidence linking North Korea to the cyber-attack as the FBI's "just trust us" stance is insufficent, especially in the face of North Korea's denial of their involvement.

If you agree with this, please sign my petition at whitehouse.gov.

Since URLs are blocked the URL is: wh dot gov slash iggO4

wh.gov/iggO4
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
1/5/2015 | 4:10:28 PM
So confuised
I wonder if this will be one of these things that the government will classify and we'll learn the truth 50 years from now. The people I've spoken to have said everything from "an insider MUST be involved" to "no insider would be needed at all, and probably wasn't."

The whole thing just seemed too snarky to me to not include an insider somewhere in the process. Also, the North Korea connection was not acknowledged by Lena -- at least not at the beginning. In November Lena was quoted saying that NK was NOT involved. It's all very perplexing.

 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/5/2015 | 4:14:41 PM
Re: So confuised
I hear ya, @Sara!

I still think this was not just one attack, but multiple attacks/layers by different actors that everyone is trying to understand as one big breach, which is why it's hard to wrap your head around it as a classic insider attack, hacktivist attack, or nation/state attack. It's not just one of those, really.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
1/5/2015 | 4:17:59 PM
Re: So confused
@Kelly  Yeah, I feel like there were multiple groups involved, possibly working together, possibly not. If the N.K. government was at the root of it, it seems like they must have hired independent attackers to carry the thing out. Maybe one of those attackers was a disgruntled insider. Who knows?!
ODA155
50%
50%
ODA155,
User Rank: Ninja
1/6/2015 | 2:36:35 PM
Re: So confuised
@Kelly Jackson Higgins...

After this new revaluation about an "ex-Sony employee(s)" came out I started thinking about a few things, first of all my initial feelings that regardless who was responsible, Sony still bears the blame and we should not lose sight of their (Sony's) responsibility to protect their resources.

That said, I started thinking about the company that I work for... so I'm comfortable that our SIEM is collecting the information, but are we looking in the right places? What if WE lose someone with specific admim privileges to a lay-off or if that person is fired or even if they leave on good terms, are we revieiwing everything they do/did (administratively) and are we making sure that it's all within his\her job?

The first thing I pulled out was a report that I generate quarterly (maybe I should force it to monthly)... that does not come from the SIEM, "WHO ARE THE PEOPLE WITH ADMIN\ROOT\SCHEMA ACCESS"? I use PowerGui Administrative Console to get this information for our Windows systems, unfortunately I have to rely on the UNIX\Linux Manager to get this information from those systems (but I'm working on that) too.

Then I reviewed the list of reports that I get and from the SIEM:

 - Account Creation
 - Privilege Escalation
 - Admin UserID Usage
 - Admin Database Access, Usage and Queries
 - Admin Access to Servers, DB's and Applications that are compliance applicable
 - Admin via Remote Access
 - Login Source
 - Admin Accounts with Failed Login Attempts & Locked Accounts
 - Admin Accounts with non-Expiring Passwords

This list started to get very long when I compared what I was looking at to what I wasn't. Then I started going through our security policies and I stopped at our policy that specified how "Terminations" should be handled. I recommended that we make the following changes:
  • Prior to any planned termination a review of administrative activity for a period of at least 120 days be performed.
  • Upon receipt of resignation a review of administrative activity for a period of at least 120 days be performed.
  • Manager of employee and security must review\compare all work conducted by employee to a valid Change Management Request (CMR)
  • HR\Legal notification to former employee that this internal investigation is being conducted and that employee will be held liable (legally) for any discrepancies created using their admin UserID.
  • Notify ALL administrators and managers this is the policy going forward.

I know this sounds like I'm paranoid, but I am and I don't mind because it's what they pay me for and if I don't do it nobody will... besides my boss will be the first person raked over the coals if we get hit by CRYPTOLOCKER, so if we were hacked, they'd come looking for us both with pitchforks and torches, so why not put the onus on "them" and give someone else the opportunity to say NO?
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.