Sony Hack – the consequences
December 9, 2014
The Sony Hack demonstrates that the legal consequences of a breach of cyber security are but a mere tremor compared with the commercial losses, not to mention the reputational damage to a major corporation. Risk Based Security, in A Breakdown and Analysis of the December, 2014 Sony Hack, has set out in detail the ever growing calamity of the hacking attack on Sony. The hack has resulted in the leakage not only of Sony’s IP but also of confidential information such as employee records and payments to actors. In an industry that is protective of its IP and sensitive about releasing information, the impact on the brand has been immense. The embarrassment to the management of Sony is huge. The cost, in terms of revenue foregone, remedying the breach, releasing product early and improving security, will be significant. As with the Target breach of this year, it is destined to be both a salient lesson on the need to maintain proper data security and a case study in how to deal with a breach when it occurs.
Since the breach on 25 November, less than 2 weeks ago, remedial work has been done at a frenetic pace, as is the case with these types of breaches. At this time the effectiveness of the contingency plans that every organisation should have will be tested. The coverage has been equally frenetic. For example Variety, not known for its hard hitting reportage but hugely influential, has been all over this story with Sony’s New Movies Leak Online Following Hack Attack on 30 November, followed in sequential order by Sony Pictures Hack: Operations Slowly Resuming Monday, Sony Bosses’ Alleged Salaries Leak Online Amid Hacking Fallout, Sony Cyber-Attack: Employee Information, Internal Documents Leak (Report), Sony Execs Confirm Authenticity of Leaked Documents in Staff Memo, Sony Pictures Hack Embroils Accounting Firm Deloitte, Sony Hackers Reveal Seth Rogen and James Franco’s Pay for ‘The Interview’, Sony Hack ‘Unparalleled and Well Planned Crime,’ Cyber Security Firm Says, and Sony Hacking: North Korea Denies Involvement, Praises Attack. The press coverage has been international, and in Australia it has been equally feverish with ‘Hacked by #GOP’: staff at Sony Pictures resort to paper and pen after hack shuts computer system and Sony hires Mandiant to clean up after cyber attack, FBI starts probe, to name but two articles.
The Risk Based Security article, absent graphics, provides:
On November 25, a new chapter was added to the chronicles of data theft activity. A group calling itself GOP or The Guardians Of Peace, hacked their way into Sony Pictures, leaving the Sony network crippled for days, valuable insider information including previously unreleased films posted to the Internet, and vague allegations it all may have been done by North Korea in retribution for the imminent release of an upcoming movie titled “The Interview”.
While politically motivated attacks and theft of intellectual property are nothing new, this incident certainly stands out for several reasons. First, via a Pastebin link, the group released a package and links to torrent files hosted on four sites consisting of 26 parts, broken out into 25 1GB files, and one 894 MB rar file. The files were also uploaded to the file sharing giants MEGA and Rapidgator, but removed by site managers shortly after. The researchers at RBS were able to access the files and analyze the content prior to the information going off-line, as well as reach out to GOP.
The results of the analysis provide unprecedented insight into the inner workings of Sony Pictures and leaked the personal information of approximately 4,000 past and present employees. As if the sensitive employee information wasn’t troubling enough, the leak also revealed curious practices at Sony, such as money orders used to purchase movie tickets that were apparently re-sold back to Sony staff.
The Guardians Of Peace made their contact information available for a brief time. RBS researchers used that opportunity to contact the group seeking comment and received the following response:
I am the head of GOP.
I appreciate you for calling us.
The data will soon get there.
You can find what we do on the following link.
The link provided only led to a Facebook page that was not in use. The following time line gives more perspective and analysis of the details of the intrusion based on information made available via public sources.
The Beginning (November 24)
On November 24th, a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nation-wide, showed signs that the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This comes three years after a large series of attacks against Sony became public.
Within hours, Geek.com had reported that “Sony just got hacked, doxxed, and shut down” as Sony went into panic mode over the breach. Minutes after the original reddit post appeared, the thread exploded with comments and feedback about the content. Several links to additional files were included within the comments that included two text files that listed additional file names that were said to be coming in a subsequent leak of information from the Sony network.
In order to better understand the breach and the ramifications, Risk Based Security (RBS) reached out to the Guardians of Peace and asked for more information. During the brief email conversation, they stated that additional data leaks were forthcoming, and that they had obtained over a dozen terabytes of data from various Sony servers. The mail went on to say that additional information would be published soon, and provided a link to a Facebook page that appeared to be closed.
Movie Leaks (November 26th)
A few days after the initial breach report was announced, four torrent links were published to torrent trackers that contained unreleased movies from Sony, obtained by GOP during the attack. These titles included Annie (December 19), Mr Turner (December 19), and To Write Love On Her Arms (March 2015). According to several torrent tracking sites, these files have been downloaded over 100,000 times.
On December 1st, NBC News aired a segment reporting that the FBI were investigating the breach and the possibility that North Korea was involved. While this may sound far-fetched at first, North Korea has a clear motive in attacking Sony. On December 25th, Sony is releasing a movie called The Interview, which follows the story of two celebrity TV hosts that get a chance to interview Kim Jong-un. Before heading to North Korea, they are asked by the C.I.A. to assassinate him. Despite the movie being labeled a comedy, North Korea has stated that if the movie is released, they would consider it an “act of war”.
When the BBC reached out to North Korean officials asking if they were behind the attack on Sony, they were given a curious response of “Wait and see.” North Korea had also complained to the United Nations about the movie earlier this year in July, while not naming it specifically.
First of the Leaks (December 1)
On December 1st, GOP started publishing the full cache of data files taken from Sony’s servers with the first chunk totaling a respectable 24.87GB of compressed files. Surprisingly enough, the GOP appears to have used compromised servers on Sony’s network to upload and seed the torrent for the leaked data, as well as uploading it to MEGA and RapidGator. Within hours of the upload, MEGA removed all links to the data.
Second Round of Leaks (December 3)
By this point, we can only imagine how Sony was in full panic mode attempting to respond to, and contain, the breach. By this point, Sony executives had confirmed the leaked data was authentic. The mainstream media was coming to grips with the ordeal, exploring ideas on the ramifications and the resulting fallout. Initial analysis of the data from the first set of files disclosed had begun as the second disclosure of files occurred. A GOP member identifying themselves as the leader of the group told RBS “Today more interesting data will be presented for you.” before pointing RBS to a new link containing additional files, as part of the email dialogue established (interestingly, one mail came from Hushmail, which is known to cooperate with federal agencies). The second leak was considerably smaller, a mere 1.18GB containing two files named “Bonus.rar” and “List.rar”. While the files are small, they perhaps contain the most sensitive data to be disclosed by this point. This includes full security certificate information, internal and external account credentials, and authentication credentials with plaintext passwords for systems such as the Sony YouTube page and UPS accounts.
The Analysis Game (December 4)
When analyzing high-profile breaches, it is common for the media and security companies to make mistakes. This often occurs due to conflicting or unclear information that seems valid on the surface, but falls apart under heavy scrutiny. For example, a Gizmodo article says that Sony stored password information in a folder called ‘Password’. A better explanation is that the archive released by GOP was created, and the hackers named that folder, not Sony. Below is a screenshot of some of the contents of the ‘Password’ folder from the GOP ‘Bonus.rar’ file:
As more journalists commit time to covering the breach, more details emerge, making this a constantly unfolding story. It also lends itself to a form of public debate, where one journalist may call into question the conclusions of another. For example, Wired released an article today that went into detail about how the compromise may have happened (malware dubbed “wiper”) and also called out other journalists, saying the North Korean link is not likely. While they make good points about the GOP group and how nation states generally conduct computer intrusions, there is also the possibility that it was specifically designed not to look like such an attack for plausible deniability. Or it may be as simple as North Korea suggesting they may have had a hand in it, to bolster the notion that they are serious contenders in international computer intrusions for espionage and spying, like their counterparts.
What is curious in this story, is that the FBI released a “Flash Alert” regarding malware that comes after the reported attacks on Sony. This warning comes very late in the game, and also leads to more questions about the security analysts brought in to figure things out. The same article mentions that Mandiant was brought in to address this breach before it became public. Yet, Mandiant has not made a statement on the matter, while being notoriously media-friendly in blaming hacker sources, specifically the Chinese, even if they may not have been involved.
According to Re/code, Sony is set to announce that they have attributed the attacks to North Korea, making this a he-said, she-said ordeal in the short term. For those interested in more details on the malware found in Sony systems that may have been the point of compromise, Ars Technica has released a more detailed article focusing on it.
The Next Chapter (December 5)
As mentioned, this story is unfolding every day. New information, new perspective, and new deductions come every day. Risk Based Security has been tracking breaches for a very long time, and has frequently seen such high-profile breaches unfold over years. After the initial weeks or months of a breach, most news outlets and security companies lose interest. Long-term though, part of the story includes the eventual investigation, consultants, lawsuits, stock price fluctuations, and more. The entire picture of a major compromise is the real value, as that is where companies can fully learn of the risks of a breach.
Today the Guardians of Peace have contacted RBS, and likely other companies or journalists, with a third link to leaked data along with a short statement and request calling for others to join them:
Anyone who loves peace can be our member.
Please tell your mind at the email address below if you share our intention.
Peace comes when you and I share one intention!
jack.nelson-63vrbu1[at]yopmail.com
You can download a part of Sony Pictures internal data the volume of which is tens of Terabytes on the following addresses. These include many pieces of confidential data.
The data to be released next week will excite you more.
The leaked data has been uploaded as BitTorrent links to various file sharing sites via the same methods used in previous disclosures, some of which are served off breached Sony Pictures EC2 servers as well as being uploaded directly to the RapidGator file sharing service. As before, RapidGator quickly removed the data within three hours of it being posted.
The torrent is broken into 22 files spanning 52 parts which appear to be just over 100GB of compressed data. This leak has been titled “Financial data of Sony Pictures” so it likely contains financial details of Sony Pictures, the budgets of movies, or more.
Based on the history of contact from GOP, it appears that each day a new email address is used, and it suggests the accounts may be compromised email accounts. Whether these are fallout from the Sony breach or via another source remains unknown.
The Analysis Continues (December 7)
There have been several news outlets and security firms researching the Sony Pictures breach and analyzing the files disclosed as a result of the compromise. An interesting and unexpected development surfaced today, when security researcher Dan Tentler announced early in the day that he had had a visit from the FBI but was not home at the time.
Just to warn other security folk working on the Sony leaks – the FBI just visited my home. I wasn’t there, so I’m not sure what they wanted.
He followed up with a comment that was made to his wife:
according to my wife, who answered the door, they started the conversation with the words “illegally downloading”.
Mr. Tentler has been conducting his own analysis and has reported on the Sony incident. He posted a list of nodes where the leaks could be found which may explain the FBI’s interest and the subsequent “illegal downloading” comment made to his wife.
Now that the files have been downloaded from the publicly available sources, RBS has had a chance to do a preliminary analysis of the contents. The following is a screenshot showing a sample of the files, to put into better perspective what was leaked. Note that filenames are logical, not descriptive and human-friendly:
Ongoing (December 7th on…)
The LA Times reported on December 5th, and has said that the FBI have confirmed it, that just hours before the 3rd leak was published online, an unknown number of Sony employees received threatening emails which are believed to have been sent by the GOP.
The emails, which were written in what was described as “broken English”, wanted employees to sign a statement disassociating themselves from Sony, and if they did not, they were warned that “not only you but your family will be in danger”. According to the LA Times, the email included a statement that suggests the digital headaches for Sony are going to continue for some time to come.
“It’s false if you think this crisis will be over after some time,” the email said, according to a copy obtained by Variety. “All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures.”
Adding to the speculation about how the compromise happened, Bloomberg is reporting that the compromise and first leak of data happened at the St. Regis Bangkok hotel in Thailand according to an unnamed person “familiar with the investigation”.
Fifteen Days Under Siege (December 8th)
Late last night, after a long week of previous disclosures, the GOP has released the next batch of leaked data. The new round consists of four archives making two large files, currently being seeded from servers owned by Sony Pictures as before. The torrent that includes all files is only 2.8GB this time and has also been uploaded to a few file sharing websites, although we expect them to be taken down quickly like previous GOP uploads.
Unlike previous disclosures that were straightforward, this group of files comes shortly after the appearance of a Pastebin link (now 404) that purports to be from the GOP and gives a reason for the attacks on Sony Pictures, linking it to the now controversial movie, “The Interview”. There is speculation that the new announcement may not be authentic, as it did not get sent out via the previous channels, and it suggests an almost afterthought of blaming the movie for their actions. Within hours of this being published on Pastebin it had been removed, but it was cached by Google on December 8, 2014 15:43:58 GMT. Since then, the cache has also been removed, which may be due to Sony complaints. According to Owen Williams, Sony has been sending out Digital Millennium Copyright Act (DMCA) take-down requests related to the breach and subsequent disclosures. RBS managed to capture the text before it was removed from both Pastebin and Google cache:
Speculation and analysis of the original compromise method is ongoing. The Register reports that Kaspersky has published details on the malware that allowed the attackers to gain a foothold into the organization. According to the researchers, the malware has been named BKDR_WIPALL by Trend Micro and Destover by Kaspersky (which elicited a warning from the FBI), and was previously seen in attacks against Saudi Aramco by the “WhoIs Team” in 2012. Kaspersky researchers went on to say that this backs claims that the malware was used in the 2013 Dark Seoul attacks, possibly linking the same group or groups to a multi-year campaign of high-profile computer intrusions.
Seemingly unrelated to the GOP breach of Sony Pictures, but coincidental in timing, the Sony PlayStation Network appears to be suffering its own problems, as a group called Lizard Squad is taking credit for a coordinated large-scale denial of service attack that follows a previous one in August of this year. Via Twitter, Sony PlayStation Network has acknowledged that customers are experiencing problems, but does not specifically say why.
Culver City Sony employees will be briefed by the Federal Bureau of Investigation (FBI) on Wednesday regarding the recent attacks, according to the Hollywood Reporter. Michael Lynton, Entertainment Chief at Sony, has also called for an all-hands meeting on Friday to further discuss the issue.