Sony is trying to stem the bleeding of its most recent colossal, complex cyberattack, but new corporate secrets keep spilling out. The latest leak is a draft script for the next James Bond film, Spectre.
This week, Sony alerted its staff to be on the lookout for fraudulent use of their identity information. The company confirmed that employees' Social Security numbers, credit card details, bank account information, healthcare information, and data about salary and compensation were exposed.
Also, journalists picking through the pile of internal Sony emails are unearthing conversations between company executives and others in Hollywood that are embarrassing, to say the least. BuzzFeed published some emails between Sony Pictures co-chair Amy Pascal and Scott Rudin, the producer of Moneyball, The Girl With the Dragon Tattoo, and many other big Hollywood movies.
Before a fundraiser for President Obama, Pascal and Rudin had a conversation that devolved into them joking about what the president's favorite films might be. They mention movies about slavery (Django Unchained and 12 Years A Slave), a movie about an African-American servant who works in the White House (The Butler), and two movies that star the African-American comedic actor Kevin Hart (Think Like A Man and Ride-Along).
In a long series of emails published by Gawker, Rudin called Angelina Jolie a "minimally talented spoiled brat" and producer Megan Ellison (daughter of Larry) a "28-year-old lunatic."
In response to those disclosures, Sony is now threatening the news media with legal action. Saturday, David Boies, a famous attorney representing the company, issued a letter to news organizations Saturday -- including Re/code, Gawker, The New York Times, The Wall Street Journal, the Los Angeles Times, Variety, and Bloomberg -- demanding that they cease using leaked data and destroy all copies of it.
- We are writing to ensure you are aware that [Sony Pictures Entertainment (SPE)] does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen Information, and to request your cooperation in destroying the Stolen Information...
Failure to comply means SPE will have no choice but to hold you responsible for any damage or loss arising from such dissemination by you, including any damages or loss to SPE or others, and including, but not limited, to any loss of value of intellectual property and trade secrets resulting from your actions.
It's rumored that Sony has also gone on the offensive in other ways. Re/code reported that two unnamed sources told them Sony was using Amazon Web Services servers in Asia to launch DDoS attacks against websites where the stolen data is available. Amazon has denied being a part of any such activity.
The scope of the Sony attack is certainly broad. "This attack is unprecedented in nature," Kevin Mandia, COO of FireEye and founder and CEO of Mandiant -- which is conducting the forensic investigation -- wrote in a Dec. 8 letter to Sony. "In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared."
Yet other security experts are challenging that assessment. In an interview with Dark Reading last week, Oren Falkowitz, founder and CEO of Area 1 Security, dismissed the definition of "unprecedented," saying, "Our team has seen these things before."
Ken Levine, president and CEO of Digital Guardian, said in an email:
- We have tremendous respect for Kevin Mandia and the team he's assembled at FireEye's Mandiant, but we completely disagree with the statement he made over the weekend. He is clearly offering Sony the opportunity to hide behind the veil of advanced persistent threats or APTs...
The truth is, there is nothing new about what these attackers are doing. They are using the same tactics they've used before to get inside these organizations (someone clicks on an attachment with malware and the malware sits and waits) and FireEye and/or other security products could have, should have caught this.
Whether or not the nature of the attack is revealed to be relatively commonplace, one thing may make recovering from it uniquely difficult. The breached data included network maps, credentials, and nearly everything else a person would want to know about SPE's IT infrastructure -- making it impossible for the company to simply recover. It may need to rebuild entirely. Otherwise, it is setting itself up to be compromised all over again.