Sony Breach Linked To North Korean Attackers, FBI Says
The Sony Pictures data breach, which crippled the company’s systems and exposed a mountain of sensitive data, contracts and unreleased movies, has been traced to attackers from North Korea, according to FBI investigators in an official statement Friday.
"The FBI now has enough information to conclude that the North Korean government is responsible for these actions," according to the official statement.
Investigators identified infrastructure used in the Nov. 24 attack against Sony, which was used in previous cyberattacks linked to North Korea, according to the FBI statement. The North Korean attack "intended to pose significant harm on a U.S. business," the FBI said. "Technical analysis of the deletion of malware used in this attack reveals links to other malware that the FBI knows that North Korea previously developed."
The FBI links North Korea to the attack based on:
• Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods and compromised networks.
• The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyberactivity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several IP addresses associated with known North Korean infrastructure communicated with IP addresses that were hard-coded into the data deletion malware used in this attack.
• Separately, the tools used in the attack have similarities to a cyberattack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
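The second bullet describes an infrastructure-overlap check: IP addresses hard-coded into the wiper were compared against addresses already tied to known infrastructure. The script below is an added illustration of that analytic step and is not the FBI's or Mandiant's tooling; the "binary" blob, the watchlist and the function names are all constructed for the example, using RFC 5737 documentation addresses rather than any real indicator.

```python
import re
import ipaddress
from typing import Dict, List, Set

# Constructed stand-in for a sample under analysis: a few bytes of header
# followed by embedded NUL-terminated strings. Not real malware.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    b"cmd.exe /c net use\x00"
    b"203.0.113.45\x00"          # external, on the watchlist
    b"198.51.100.7:443\x00"      # external, not on the watchlist
    b"999.1.1.1\x00"             # looks dotted-quad but is not a valid IPv4
    b"10.0.0.1\x00"              # internal (RFC 1918), excluded from matching
    b"192.0.2.200\x00"           # external, on the watchlist
)

# Constructed watchlist of addresses previously tied to known infrastructure.
# In practice this comes from your threat-intelligence feed, not from code.
KNOWN_INFRA: Set[str] = {"203.0.113.45", "192.0.2.200"}

# Internal ranges listed explicitly so the check does not depend on how the
# ipaddress module classifies documentation ranges used in this example.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Dotted-quad candidates not glued to surrounding digits or dots.
_IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4_literals(blob: bytes) -> List[str]:
    """Return the unique, syntactically valid IPv4 literals embedded in blob,
    sorted numerically. Candidates such as 999.1.1.1 are dropped."""
    found: Set[str] = set()
    for raw in _IPV4_RE.findall(blob):
        text = raw.decode("ascii")
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue  # matched the shape but is not a real address
        found.add(text)
    return sorted(found, key=ipaddress.IPv4Address)


def classify_against_watchlist(ips: List[str], watchlist: Set[str]) -> Dict[str, List[str]]:
    """Split extracted addresses into internal ranges (ignored for attribution),
    watchlist hits, and external addresses that still need a lookup."""
    result: Dict[str, List[str]] = {"internal": [], "matched": [], "unmatched_external": []}
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in INTERNAL_NETS):
            result["internal"].append(ip)
        elif ip in watchlist:
            result["matched"].append(ip)
        else:
            result["unmatched_external"].append(ip)
    return result


def overlap_ratio(classified: Dict[str, List[str]]) -> float:
    """Fraction of external hard-coded addresses that hit the watchlist;
    0.0 when the sample embeds no external addresses at all."""
    external = len(classified["matched"]) + len(classified["unmatched_external"])
    return len(classified["matched"]) / external if external else 0.0


if __name__ == "__main__":
    ips = extract_ipv4_literals(SAMPLE_BLOB)
    report = classify_against_watchlist(ips, KNOWN_INFRA)
    print("hard-coded addresses:", ips)
    print("watchlist hits:", report["matched"])
    print("needs lookup:", report["unmatched_external"])
    print("overlap ratio: %.2f" % overlap_ratio(report))
```

A hit on the watchlist is one data point, not a conclusion: the FBI's bullets pair infrastructure overlap with code similarity and with a prior campaign, and an analyst would treat the unmatched external addresses as leads to enrich rather than as noise.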
The FBI said the U.S. will pursue those behind the attack and threatened consequences against nation-states that carry out attacks against the U.S. and its interests. North Korean government officials deny involvement in the attack against Sony, but praised the hacktivist group behind the breach.
The attackers attempted to cover their tracks by using computer servers in China, but investigators say analysis of the malware used in the attack found subtle clues that it was created by a Korean language speaker. The attack was carried out by a group calling itself "Guardians of Peace," and initially the group attempted to extort money from senior Sony executives. The malware stole data and then wiped the company’s systems, crippling the company’s recovery process and making it difficult to identify the extent of the data breach.
The attackers then demanded Sony pull the upcoming comedy, "The Interview," which depicts two journalists attempting to assassinate North Korean leader Kim Jong Un. Sony and theater owners capitulated to the request this week, pulling the movie’s scheduled Christmas release after the attackers threatened harm to theatergoers with a reference to the September 11, 2001, terrorist attacks.
Security experts said that the tactics used and the custom malware are unlike any kind of threat seen on U.S. soil. Sony Pictures contracted with Mandiant, the digital forensics arm of FireEye, to support the investigation. Kevin Mandia, founder of Mandiant and currently senior vice president and chief operating officer at FireEye, called the attack an "unparalleled and well planned crime."
Solution providers with strong security practices and staff penetration testers said nation-state-funded targeted attacks of this nature could infiltrate just about any organization, regardless of its security posture. While few details are known about the initial access to Sony, the extent of the data leaks and the multistaged attack appear to have included reconnaissance activity and persistence on Sony’s corporate network for an extended period of time, all signs of a well-funded, advanced persistent threat.
The Sony breach may have uncovered basic security lapses at Sony that ultimately gave the criminals behind the attack unfettered access to its database servers. Sony recently agreed to a $15 million settlement in June for the lapses that led to the massive data breach that took out its PlayStation Network in 2011. The chances are that any Fortune 500 company would have difficulty thwarting a determined adversary, said Justin Kallhoff, CEO of Lincoln, Neb.-based security consultancy Infogressive.
"There’s too much threat surface and not enough people trained in the area of security and not enough top-level people in organizations who understand the risks posed by a threat until it’s too late," Kallhoff said.
Security experts tell CRN that positive attribution is extremely difficult with cyberattacks. But the response by Sony and investigators underscores the seriousness of the threat, Kallhoff said.
"I’m surprised to see the canceling of the movie and this huge response means to me that these are more credible threats than the media is giving credit for," Kallhoff said. "The U.S. doesn’t have a dramatic cyber advantage at the moment on the Internet."
The apparent link to North Korea in the attack against Sony illustrates the blowback the U.S. may have set in motion with its attack using Stuxnet, the worm that was aimed at an Iranian uranium enrichment facility in 2011. That offensive cyberattack opened the door to the use of cyberattacks by any nation, Kallhoff said.
Andrew Sherman, security practice lead at Eden Technologies, a New York-based security consultancy, said he was surprised at how long it has taken for Sony to recover critical systems following the attack. Endpoint systems and the company's email server were offline for days while investigators attempted to uncover the scope of the breach. The destructive malware used in the attack may have further hampered recovery efforts, Sherman said.
"It's still a speculation game until all the facts come in," Sherman said. "In almost every breach I've seen there have been security technology and processes that could have made it much more difficult for the attackers, but the sophistication and the wherewithal of some of these targeted attacks has made it difficult to keep cybercriminals out."
PUBLISHED DEC. 19, 2014