Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/30/2014
01:15 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Sony Hacked By N. Korea, Hacktivists, Ex-Employee, Or All Of The Above?

FBI gets briefed on ex-Sony employee's possible role in hack as questions remain about who did what and when in epic breach of the entertainment company.

Researchers at Norse Corp. who say an ex-Sony employee may have had a hand in the epic breach of the entertainment company shared their intelligence on the finding with the FBI yesterday. But the FBI today still maintained its stance that North Korea is behind the massive cyber attack.

Norse found no link whatsoever with North Korea in the intelligence it gathered independently on the attacks, which evolved out of its interest prior to the breach in landing Sony as a security customer. But an FBI spokesperson -- who declined to comment on the Norse research and briefing -- today reiterated the agency's unwavering position that North Korea was behind the attack: "Nothing has changed" in that assessment, the spokesperson told Dark Reading.

"There is no credible information to indicate that any other individual is responsible for this cyber incident," according to a statement provided today by the FBI spokesperson.

Interestingly, however, the FBI's statement specifically calls out North Korea for "theft and destruction" of data. Missing from that attribution is the initial intrusion into Sony's network and servers -- the phase researchers from Norse think may have occurred with the assistance of a former Sony employee with an axe to grind.

"The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment," the FBI's latest statement says.

The agency on December 19 provided an update on the breach investigation, confirming that North Korea was responsible for the attack, pointing to the data-wiping malware used that had ties to North Korean hackers; the command and control infrastructure containing IP addresses tied to known North Korean systems; and attack tools with similarities to the attacks waged by North Korea against South Korean banks and media outlets in March of 2013.

Meanwhile, Reuters reported last night that North Korea likely hired hacking help from outside its borders to hit Sony. According to the sources, North Korea alone would have been unable to wage some phases of the attack, and officials are investigating whether Pyongyang subcontracted some of the technical know-how to perpetrate the breach.

Kurt Stammberger, senior vice president at Norse, says the common interest between "Lena," the former Sony employee identified and traced by his firm, and the Guardians of Peace is likely their mutual anger toward Sony: Lena, for getting laid off, and the Guardians for Sony's legal moves in the anti-piracy space. Norse believes Lena, based on her communications and movements, may have teamed up with hacktivists to help carry out the attacks.

He says none of the people Norse has identified are North or South Korean -- they are Americans and Canadians, and a Singapore national as well as individuals from other countries. "None of these people had any kind of obvious tie to the North Korean government that we can see," he says.

But security experts say the breach could well have been the handiwork of a combination of actors and attacks, resulting in a possible "pile-on" effect.

Mark Weatherford, the former undersecretary for cyber security at the Department of Homeland Security, says he initially questioned how the FBI could have drawn its conclusion about North Korea's involvement so quickly. "It's just mindboggling. But on the other hand, the FBI are not dummies, and they know that these statements are going to have great gravity. There must be some smoking gun or some irrefutable evidence they can point to but can't release" publicly, says Weatherford, who is a principal with The Chertoff Group.

"Norse is not going to put themselves out there, either… unless they have something irrefutable themselves," he says.

Richard Bejtlich, chief security strategist for FireEye, a firm that is investigating the Sony breach, says "responsibility" is a nuanced term, especially in the Sony breach. "The attribution debate may depend on how observers define responsibility," he says, noting that the FBI doesn't appear to be differentiating the specific level of involvement North Korea may have had. He points to an FBI statement to The Daily Beast today that adds a twist to the debate over additional actors being involved: "We're not making the distinction that you're making about the responsible party and others being involved."

Bejtlich, who recently blogged about the different levels of attribution for nation-states, says the FBI may have a broader definition of North Korea's actual role in the multi-faceted attack. "They don't think in terms of differentiating state-integrated, state-executed, state-ordered, or state-coordinated activity. If a state has any of those roles, the FBI may consider the state 'responsible,' " he says.

Norse's Stammberger doesn't dismiss the possibility of multiple attacks on Sony by different groups, either: "It may come out in the wash that the big exfiltration attack is actually a series of two or three different attacks or two or three different groups who came together and shared a common cause."

Lena, the disgruntled ex-Sony employee
At the center of Norse's findings is Lena, a woman who had worked for Sony for 10 years in a senior technical position until she was laid off in May during a corporate restructuring. "Lena had the technical knowledge to facilitate the type of attack Sony had, which is why… she remains a person of interest," Norse's Stammberger says. "There are other individuals as well. There's a pretty short list of specific individuals, and we know their names, addresses, and nationalities. They seem to have some connection to this incident."

Norse researchers examined the malware used in the attack and found it was pre-compiled with the addresses for Exchange and Active Directory servers and other specific machines inside Sony's network where "specific" files resided, says Stammberger. Usernames, passwords, and digital certificates also were found. "So this malware was precompiled with some of the keys to the kingdom," he says, adding that the malware was first compiled in July, long before the breach was revealed.

"This was more of a cruise missile than carpet-bombing, which is the typical way malware operates. This was much more targeted."

So if Lena was no longer with Sony, how did she still have access to the network and servers there?

"Perhaps her credentials were not properly retired. Or a very technical person could have easily placed backdoors in servers if they had enough notice before they had to leave… If they were sufficiently pissed off, that would be straightforward to do."

Stammberger notes that the Christmas Day distributed denial-of-service attacks on Sony's PlayStation and Microsoft's Xbox network by the Lizard Squad hacker group were not connected. "They had completely different motives," he says of the attackers.

Meanwhile, the FBI's statement today cited the DHS as one of its sources of intelligence in the investigation. "Attribution to North Korea is based on intelligence from the FBI, the US intelligence community, DHS, foreign partners, and the private sector," the FBI said. "The FBI is committed to identifying and pursuing those responsible for this act and bringing them to justice. While it remains an ongoing investigation, no further information can be provided at this time."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/30/2014 | 3:42:57 PM
N Korea
Unraveling this attack -- who did what when & why -- would be a much better movie script than "The Interview."
<<   <   Page 3 / 3
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11289
PUBLISHED: 2021-05-07
Out of bound write can occur in TZ command handler due to lack of validation of command ID in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice &amp; Music, Snapdragon Wearables, Snapd...
CVE-2020-11293
PUBLISHED: 2021-05-07
Out of bound read can happen in Widevine TA while copying data to buffer from user data due to lack of check of buffer length received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Vo...
CVE-2020-11294
PUBLISHED: 2021-05-07
Out of bound write in logger due to prefix size is not validated while prepended to logging string in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
CVE-2020-11295
PUBLISHED: 2021-05-07
Use after free in camera If the threadmanager is being cleaned up while the worker thread is processing objects in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
CVE-2021-1891
PUBLISHED: 2021-05-07
A possible use-after-free occurrence in audio driver can happen when pointers are not properly handled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice &amp; Music, Snapdragon Wearables, Snapdrago...