Dark Reading is part of the Informa Tech Division of Informa PLC


12/17/2014
06:30 PM

Sony Cancels Movie, US Confirms North Korea Involvement, But Were Bomb Threats Empty?

After the Sony hackers issue threats of physical violence and 9/11-style attacks, The Interview is being killed before it even premieres. But would the attackers have really blown up theaters?

ORIGINALLY RELEASED 6:24 p.m. Dec. 17. UPDATED 7:00 p.m. Dec. 17: Unnamed American intelligence officials concluded Wednesday evening that the North Korean government was "centrally involved" in the attacks on Sony Pictures, The New York Times reports. According to the NYT, "Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign."

Also this evening, Sony Pictures Entertainment announced it was dropping its plans for a Dec. 25 release of The Interview -- Sony's upcoming comedy about assassinating North Korean leader Kim Jong-Un. Sony had already canceled the film's New York premiere yesterday, in response to hackers' thinly veiled threats of physical violence at the event. The film's stars, James Franco and Seth Rogen, have canceled all public appearances, and movie theaters are beginning to declare they will not show the film at all.

Yet were the warnings of physical violence empty threats?

The Guardians of Peace (GOP), the hacking group that has accepted responsibility for the massive cyberattacks against Sony Pictures Entertainment, told a reporter weeks ago that they were not backed by any nation-state, were not based in North Korea, and were not explicitly motivated by protesting The Interview. North Korea denied any role, and some security experts stated that there was no technical evidence to the contrary. Yet rumors about North Korea continued anyway.

Are the cyberattackers simply being opportunistic -- using the rumors to create more mischief, draw more attention, and create more problems for Sony?

Probably, say some security experts.

Does the threat match the MO?
On Tuesday, the GOP issued a message that warned people about visiting cinemas showing the movie: "Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you'd better leave)."

Ominous. However, acts of physical terrorism don't fit the Sony hackers' apparent MO.

"These guys don't sound like terrorists," says Tom Chapman, director of the Cyber Operations Group at EdgeWave, who was a US Navy intelligence officer until he retired in September. "They don't really match to the definition."

In interviews and statements, the GOP certainly has demonstrated a great understanding of American English. Chapman says the group is also very attuned to American culture. Some people have compared these attackers to Dark Seoul -- which went after South Korean private industry, posing as hacktivists, while really digging up national secrets -- but Chapman says the Dark Seoul attackers were less conspicuous than the Sony hackers.

The acts against Sony "seemed personal to me," he says. The threats made yesterday were probably just another way for the attackers to cause Sony -- and law enforcement -- strife. "Some people just wanted to watch the whole thing burn. Someone's really enjoying this."

Rob Sadowski, director of technology solutions for RSA, says that a scenario of hacktivists proceeding to acts of physical terrorism is "certainly inconsistent" with the norm. However, he won't rule out the possibility.

Different types of cybercrime actors are motivated by different things, Sadowski says. For example, those looking for financial gain and those gathering international intelligence generally keep quiet about it, while hacktivists trying to draw attention to something will be quite vocal. "What's tricky is that we're seeing blurring of those motivations and of those lines."

Nevertheless, he says, it's unusual to see attackers execute a big cyberattack and then add on a physical attack for good measure. Usually, it's the other way around -- the cyberattack will be to support or augment the primary attack.

Bill Barry and Terrence Gareau of Nexusguard are also skeptical of the notion that the hackers really meant the threats made Tuesday, but they won't rule it out entirely.

"Yesterday's rock through the window is today's DDoS," says Barry, Nexusguard's executive vice president, describing what drives hacktivists. However, the people with the motive and the people with the skills to carry out an attack are not necessarily the same.

"We still don't know who these guys are," says Gareau, Nexusguard's chief scientist, so this would be a very unusual case, but we can't know for sure. Maybe the intention was never to conduct physical attacks. Maybe the threats were made simply to cost money -- which they certainly will.

Though the folks who conduct cyberattacks are not usually the same folks who set off bombs, if cybercrime groups can have marketing departments (and some do), then there's no reason they can't have a bomb department or another "department of havoc," Barry and Gareau say.

Was an insider involved?
In January, Sony Pictures laid off an undisclosed number of employees in its technology unit. Considering the nature of the attack -- destroyed machines, public disclosure of terabytes of company data, declarations denouncing Sony's social responsibility, a general glee about the entire thing -- and the extent of the knowledge the attackers had about the company's IT infrastructure, could one of the attackers be a disgruntled, laid-off Sony IT staffer?

Chapman thinks an ex-employee, but not a current one, was probably involved. "I have a feeling if they were still employed by [Sony], the FBI would have them in custody by now."

Whether or not an insider was involved, Sadowski, Barry, and Gareau say that, though the attack was exceptionally well planned, it could certainly have been carried out without any insider help.

Sadowski says the attackers "clearly gained a foothold in the organization that was equivalent to an insider's," but it could have been obtained through the standard phishing, compromise, and privilege escalation.

Chapman says he might begin a hunt for the attackers by searching for someone who bought a great deal of cloud storage, considering the huge amount of information that was stolen from Sony. "Where do you put 100 TB of data?"

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Marilyn Cohodas,
User Rank: Strategist
12/19/2014 | 10:02:15 AM
Re: Sony Cancels Movie
Alison, I agree that the best solution is to go to some sort of on-demand streaming or cable distribution. It's really sad to see the studios and movie theatres cave in to the threats of violence over a vigorous defense of free speech, but given recent history in Aurora Co and elsewhere, it is a precaution that will save lives... But definitely a loss for freedom of expression. In many ways, I think the loss is much greater than the typical retail hack of PII...

 
Technocrati,
User Rank: Ninja
12/18/2014 | 8:29:27 PM
It's all about the Numbers

"...In January, Sony Pictures laid off an undisclosed number of employees in its technology unit." 

 

Ah yes the yearly pruning of the ol' tech workforce. So what's wrong with that?

Technocrati,
User Rank: Ninja
12/18/2014 | 8:23:53 PM
Is this a Riddle or Something?
"Where do you put 100 TB of data?"

 

How about in 100 - 1 TB drives?
Technocrati,
User Rank: Ninja
12/18/2014 | 8:22:05 PM
We Know where it came from. Now What?

What gets me is that the FBI and Sony actually think they are going to find these individuals and bring them to justice. Talk about fiction.

Technocrati,
User Rank: Ninja
12/18/2014 | 8:19:34 PM
Sony: Take Somber Responsibility

This issue is becoming more bizarre by the day. Now bomb threats? I am glad Sony did the socially responsible thing and chose not to place the movie in theaters (which only makes one wonder what took so long?). This latest development does leave me a little more somber about this entire issue though.

This really has mushroomed out of control for the most part - but I hold fast to the fact that Sony has no one to blame but themselves.   We seem to hear everything from them but that.

Alison_Diana,
User Rank: Moderator
12/18/2014 | 5:30:55 PM
Re: Sony Cancels Movie
Hear, hear. The American government talks all the time about how it never negotiates with terrorists (which, I'd argue, is debatable) but in this case Sony simply capitulated to vague threats. Granted, many major movie houses succumbed to the threats before Sony made its decision -- but what a terrible precedent to set. We've seen picket lines and protests outside movie theaters before. That's fine. That's people using free speech to show that they disagree with a movie's theme, an actor, whatever. But caving in like this is really sad.

I had thought Sony would go directly to video on demand, at least, or some other format that allowed consumers to show support for the movie. Have seen many social media posts from people who had planned to buy the movie, whether or not they wanted it, as a show of support. 
GonzSTL,
User Rank: Ninja
12/18/2014 | 1:47:00 PM
Sony Cancels Movie
It is unfortunate that Sony caved and cancelled the premiere of "The Interview" because by doing so, they have set themselves up for future censoring of potentially any movie they plan to produce. The sad part is that this does not apply only to Sony, but also to any movie production company. There is now a precedent set, where any activist group can simply threaten mass killing of people if a movie that they do not agree with is shown publicly. Furthermore, there wasn't even any evidence that the threat would have been carried out, so essentially, Sony chickened out, and is now being attacked in the media for succumbing to a terroristic demand. Black eye for getting breached, another black eye for capitulating. Bad deal all around. What Sony should do now is to release the film globally online, charge a minimal fee for viewing it ($5 would do nicely), and pledge that half of the proceeds would go to help feed starving children around the world until they recoup their initial investment, at which time all excess proceeds will go towards that food effort. Although investors might not like that idea, it would at least save some face for Sony, and make it a good year for the kids in need!
Whoopty,
User Rank: Ninja
12/18/2014 | 12:19:30 PM
Disappointed
Whether the bomb threats were real or not, I'm still quite disappointed that most of the major cinemas caved to the threats. Sony I can understand doing so a little more, since the theatres had already backed out, but still. 

I hope this doesn't set a precedent where all groups have to do to silence artists is to threaten people with violence. 