Modern field guide to security and privacy

Sony hack fits pattern of recent destructive attacks

The ferocity of the Sony Pictures attack took the technology world by surprise. But it has similarities to other destructive hacks. Among other things, the Sony malware relied on the same commercial software to access and erase Sony hard drives as was used in a destructive attack on oil giant Saudi Aramco in 2012.

Nick Ut/AP
The hacker strike on Sony Pictures Entertainment, which is headquartered in Culver City, Calif., shares similarities with at least two other recent, major cyberattacks.

Sony Pictures Entertainment struggled to regain its footing Thursday, more than a week after unknown attackers unleashed a furious assault on the company’s computer network.

In the days since the attack became public, the hackers have released thousands of sensitive files: from pre-release feature films to detailed account information needed to run Sony’s day-to-day operations.

At a time when companies are warned to be on the lookout for “low and slow” attackers who studiously avoid notice, the Sony breach will be remembered for its unusual ferocity. On Nov. 24, the assailants declared their presence by decorating employee desktops with a belligerent message before erasing the hard drives of computers and servers they compromised as a parting shot.

While destructive hacks such as the one on Sony are atypical, they are not unknown. In fact, the attack on Sony shares many similarities with at least two other recent, destructive cyberattacks: from the methods used to carry out the strike to the software used to compromise Sony’s computer systems. Those earlier hacks also suggest that attackers had access to Sony’s network long before they played their hand.

Two incidents in the last two years are worth particular notice: the August 2012 attack on oil giant Saudi Aramco that resulted in the destruction of an estimated 30,000 computer systems and a March 2013 attack on South Korean media outlets and financial institutions. That attack also destroyed around 30,000 computer systems. Both attacks used so-called “wiper” malware similar to the attack on Sony.

Similar to the Sony hack, the attacks on Saudi Aramco in 2012 came at the hands of a shadowy hacking group, the “Cutting Sword of Justice,” an “anti-oppression hacker group” that cited ideological reasons for the attack, in that case the “crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt.”

Both hacks also involved multistage attacks consisting of an initial infection by a malware “dropper” that downloaded and installed the actual “wiper” malware. And both the Saudi Aramco hack and the Sony hack featured malware that “beaconed” to external IP addresses to inform the attackers of the progress of the hack.

Commercial tool used in attacks

In fact, the Sony malware and “Disstrack” (the malware used in the “Shamoon” attack on Saudi Aramco) relied on the same commercial tool to access and erase the hard drive, a program called RawDisk by the company Eldos, according to a source with knowledge of the attack.

RawDisk is a Windows library that is sold to software developers, providing tools for accessing the hard disk on a local system. The version used by the malware authors in the attack on Sony was an older version of RawDisk and was installed using a stolen license key, Eldos’s chief executive officer Eugene Mayevski tells Passcode.

“The idea behind our product is that the legitimate software is willingly installed by the limited user,” says Mayevski.

There are even more similarities between the Sony attack and what has been dubbed “Dark Seoul,” the March 2013 attack on media outlets and financial services firms in South Korea. That attack, like the Sony hack, has been linked, tentatively, to the government of North Korea.

In that attack, as in the attack on Sony, a previously unknown “hacktivist” group claimed responsibility. In the case of the South Korean attacks, it was the NewRomantic Cyber Army Team. Like the Sony attacks, the hack of the South Korean firms involved a long-term infection and substantial theft of data from the target organizations before the “wiper” component was deployed, destroying thousands of infected systems.

Subsequent analysis by the firm McAfee suggests that the wiper attack known as “Dark Seoul” was just the dénouement of a much longer-lasting and sophisticated cyber-espionage campaign that they dubbed “Operation Troy” and that involved hallmarks of so-called “Advanced Persistent Threat” (or APT) attacks, such as customized software (developed incrementally over years), targeted attacks and data exfiltration. That malware was used to gain access to software management tools that were then hijacked and used to distribute malicious code across the target networks, McAfee revealed.

Waiting to strike

That may be the case with Sony, as well. Evidence suggests that the group behind the attack was at work honing their tools long before November. In fact, the wiper software with the same name and cryptographic signature as the malware used against Sony was observed in the wild as early as July 2014. The domains it communicated with were also noted at the time, according to the security firm PacketNinjas.

“That may be evidence that the attackers were already in Sony’s network and testing their final payload to make sure it would escape notice by Sony’s security software,” says Dave Thompson, a Senior Director of Product Management at the cybersecurity firm LightCyber. “They had plenty of time to test against what Sony had in place,” he says.

A detailed analysis of the Sony hack hasn’t yet been published, but cybersecurity experts say it is almost certain to reveal that the attackers had access to Sony Pictures Entertainment’s networks long before they revealed their presence last week, Thompson says.

“Typically breaches aren’t detected until almost a year after initial penetration,” says Thompson. “I think we can imagine that these hackers didn’t come in on Saturday and have their attack go off on Monday.”

The attack on Sony will be cold water in the face of many firms who have become accustomed to the idea of “low and slow-moving” attacks. Thompson says that, while threat intelligence such as lists of malicious files and IP addresses is common, it can be hard for companies to grasp which information demands immediate action in the absence of any overt signs of trouble.

“You have all these artifacts, but they don’t give you a good picture of the urgency of what’s happening,” he says.
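Two points in this article invite a concrete defensive illustration: the dropper-then-wiper malware that beaconed to external addresses, and Thompson's observation that lists of malicious files and IP addresses rarely convey urgency on their own. The script below is an added example, not code from the article or from any of the firms it quotes. It matches constructed endpoint and network log lines against a constructed indicator watchlist and then triages each host: a host that has both a known wiper-family hash on disk and outbound contact with a known beacon address is treated as active pre-destruction staging and ranked critical, while either sighting alone ranks lower. Every hash, address, hostname and log format here is a placeholder invented for the example; none are indicators from the Sony, Shamoon or Dark Seoul incidents.

```python
import re
from collections import defaultdict

# Constructed indicator watchlist. The hashes and addresses are placeholders
# chosen for the example (TEST-NET-3 and a reserved .invalid domain), not
# real indicators from any incident the article describes.
WATCHLIST = {
    "hashes": {
        "0000000000000000000000000000000000000000000000000000000000000001": "wiper dropper (placeholder)",
        "0000000000000000000000000000000000000000000000000000000000000002": "wiper payload (placeholder)",
    },
    "addresses": {
        "203.0.113.10": "beacon host (placeholder)",
        "beacon.example.invalid": "beacon domain (placeholder)",
    },
}

# Constructed log lines in a simplified key=value format: endpoint file-write
# events carrying a SHA-256, and outbound network connections carrying a
# destination. Values are assumed to contain no spaces.
SAMPLE_LOGS = """\
2014-07-02T09:14:11Z endpoint host=WS-0412 event=file_write path=C:\\Windows\\Temp\\svc.exe sha256=0000000000000000000000000000000000000000000000000000000000000001
2014-07-02T09:14:35Z network host=WS-0412 event=outbound dst=203.0.113.10 port=443
2014-07-02T10:02:00Z endpoint host=WS-0977 event=file_write path=C:\\Users\\j\\Downloads\\report.pdf sha256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
2014-07-02T10:05:41Z network host=WS-0977 event=outbound dst=beacon.example.invalid port=80
2014-07-02T11:30:12Z endpoint host=SRV-FS01 event=file_write path=D:\\share\\update.exe sha256=0000000000000000000000000000000000000000000000000000000000000002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split(" ") if "=" in kv)
    rec["ts"] = m.group("ts")
    rec["source"] = m.group("source")
    return rec


def match_indicators(log_text, watchlist=WATCHLIST):
    """Return {host: {"hash": [...], "beacon": [...]}} for every host with a hit.

    Each hash hit is (timestamp, path, label); each beacon hit is
    (timestamp, destination, label). Hosts with no hits are omitted.
    """
    hits = defaultdict(lambda: {"hash": [], "beacon": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = rec.get("host", "unknown")
        sha = rec.get("sha256")
        if sha and sha in watchlist["hashes"]:
            hits[host]["hash"].append((rec["ts"], rec.get("path"), watchlist["hashes"][sha]))
        dst = rec.get("dst")
        if dst and dst in watchlist["addresses"]:
            hits[host]["beacon"].append((rec["ts"], dst, watchlist["addresses"][dst]))
    return dict(hits)


def triage(hits):
    """Map each host with hits to an urgency level.

    A wiper-family hash on disk together with outbound contact to a known
    beacon address reads as staging before destruction, so it is critical.
    A beacon alone means a live channel (high); a hash alone means the file
    landed but has not yet called home (medium).
    """
    levels = {}
    for host, h in hits.items():
        if h["hash"] and h["beacon"]:
            levels[host] = "critical"
        elif h["beacon"]:
            levels[host] = "high"
        elif h["hash"]:
            levels[host] = "medium"
    return levels


if __name__ == "__main__":
    for host, level in sorted(triage(match_indicators(SAMPLE_LOGS)).items()):
        print(f"{host}: {level}")
```

The ranking rule is deliberately simple; in practice the "critical" tier is also where the July sighting the article mentions matters, since a watchlist that already carried the wiper's hash and its domains months earlier would have flagged the staging host before the desktops were overwritten.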

/World/Passcode/2014/1204/Sony-hack-fits-pattern-of-recent-destructive-attacks