2/4/2015 11:00 PM
Report: Russian Hacker Broke Into Sony & Is Still There

But can we trust the words of black hat hackers with unclear motives for candor? Either way, report supports credible theory of multiple attackers hitting Sony.

Sony Pictures Entertainment might have been compromised this fall by Russian attackers, who are still lurking within Sony's network now. These Russian criminals were probably not working with the North Korean government. Bad news: the intel about the existence of said Russian cybercriminals may not be reliable, in the opinion of a recently retired US Naval intelligence officer. 

A report released by Taia Global reveals some new information about threats to Sony. While it doesn't provide a wealth of damning evidence pointing to any particular perpetrator, it does serve as a reminder of why attribution continues to be such a persistent problem in fighting cybercrime. Just because your organization was compromised in several ways at the same time doesn't necessarily mean the attacks were related. Just because two malicious parties have compromised you at the same time doesn't mean they're working together.

"The reason why it's so confusing [in the Sony case] ... is because the evidence is so conflicting," says Taia Global founder and CEO Jeffrey Carr.

In the report, Carr describes what he learned through conversations with a blackhat hacker who goes by the name "Yama Tough." Carr says that he and Yama Tough have established a trusting relationship: they've known each other a long time, and Carr knows Yama Tough's true identity.

Carr says he asked Yama Tough directly if he was personally involved with the attack. He said he was not, and Carr believes him. However, at Carr's request, Tough used his own contacts to find some information about the people behind the Sony attacks. Tough then related to Carr what he'd been told by an unnamed Russian hacker (referred to as "URH" in the report), whom Tough described "as a long-time black hat hacker who does occasional contract work for Russia's Federal Security Service." From the report:

URH told Yama Tough that he sent spear phishing emails to Sony employees in Asia and Russia and then used an advanced pivoting technique to move inside the SPE network... The email sent by URH and his 12 team members contained a .pdf attachment, which was loaded with a Remote Access Trojan (RAT) that isn’t in any AV signature database.

To back up his words, URH shared Sony documents that were not found in the big data dumps that other attackers had published on Pastebin. Among those documents were Sony emails dated as recently as Jan. 23.

The participation of Russian-speaking cyber actors fits with earlier research conducted by Carr and Taia Global. They conducted a linguistic analysis of all the messages (about 2,000 words in all) written by the "Guardians of Peace," the hacking group that took responsibility for at least some of the attacks on Sony and exposed all manner of sensitive Sony documents. According to that research, the analysis indicated that the authors were native Russian speakers.

This all leads Carr to the conclusion that either a group of Russian hackers and a group of North Korean attackers were running separate, simultaneous attacks against Sony, or perhaps North Korea was never involved at all, and it was simply another group that included at least one Russian individual. He does not think that a party of Russians and a party of North Koreans were working collectively.

"They said they had nothing to do with North Korea," says Carr of the unnamed Russian hacker. He further remarks that he can't see why North Korea would hire a group of Russian hackers to do their dirty work -- because the country already has its own state-sponsored cyber army and it had already damaged any attempt at plausible deniability when it made threats against Sony months before the attacks. "What I think is that there were multiple parties in there [in Sony]."

The next question then is, which party did what?

Carr doesn't think that URH was necessarily involved in the wiper attack that turned so much Sony hardware into bricks; the only malware URH discussed was a remote access tool, not a wiper. Then again, Guardians of Peace (GOP) took responsibility for the wiper -- their name was pasted on every locked computer screen -- so if the linguistic analysis of the GOP's messages is accurate, the wiper was also used by Russian-speaking attackers, possibly, but not necessarily, including the individual URH referenced in Carr's report.

Carr says that one of the troubles with cyber crime attribution may be that the security industry has become too reliant on just analyzing signal data and machine communications, while forgetting the value of analyzing human communications.

On that point, retired U.S. Naval intelligence officer Tom Chapman, now director of the Cyber Operations Group at EdgeWave, agrees. Yet, Chapman is still skeptical about Carr's report, saying that there's "nowhere near enough" information to draw confident conclusions from it.

"It's possible, but it's weak," says Chapman. "Human sources are always the least credible."

Chapman is particularly suspicious about the motivations of Yama Tough and his source. Yama Tough is not taking credit for the attack himself, so he doesn't get hacker bragging rights. He could also be hurting his reputation in the black hat community, since he's sharing details given to him by another black hat. As for Tough's source, Chapman acknowledges that criminal hackers may trumpet their exploits more than other kinds of criminals, but says that professional, financially motivated hackers "stay quiet" (especially if they're going after Russian targets).

"When the [Sony] attack came out," says Chapman, "I was skeptical it was North Korea alone. I'm still a bit skeptical."

He says he believes the FBI's official word that the North Korean government was behind the attacks, but that the FBI hasn't publicly released enough supporting data for him to draw that conclusion himself.

Chapman says he puts more credence in some "official" statements than others, depending upon whose mouth the words are coming out of. For example, when FBI Director James Comey said “I have very high confidence in this attribution, as does the entire intelligence community,” Chapman believes it, because military and intelligence officials cannot, by law, lie to the American public. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Technocrati (User Rank: Ninja), 2/5/2015 | 2:27:34 PM
Re: Pascal Resigns - No Surprise
Best news I have heard in a long time! What took them so long? Some justice finally. Now the CEO and CIO should get their paperwork ready as well.
jastroff (User Rank: Strategist), 2/5/2015 | 1:05:28 PM
Pascal Resigns - No Surprise
From the Times:

LOS ANGELES — Amy Pascal, whose passion for stars and story marked her as one of the last of Hollywood's old-style studio chiefs, has resigned as co-chairwoman of Sony Pictures Entertainment and as chairwoman of Sony's motion picture group.

Hard for a CEO to survive this, and given all the other comments, even more difficult.