The Sony Hack - The Real Facts

"So to get a full picture you have to read a lot of very technical reports from the network security community. My understanding of the attack comes from reading (probably way too many) technical reports about it. I'll try and give the most readable sources here.

**November 24^th**

The first public notification of the hack came on [Reddit](http://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_work_for_sony_pictures_my_friend_still/). Within an hour [Deadline Hollywood](http://deadline.com/2014/11/sony-computers-hacked-skull-message-1201295288/) reported Sony had sent a memo to all employees warning of the hack. This was followed by a flurry of reporting then the release of [proof of the hack](http://pastebin.com/8HbbUSkr).

**November 26^th**

Three movies leak online, [the FBI begins investigating the breach](http://www.nbcnews.com/nightly-news/fbi-investigates-possible-north-korea-link-sony-hack-n259361). When the BBC asks North Korea if they were responsible they respond ["Wait and see"](http://www.bbc.com/news/world-asia-30283573).

**December 1^st**

The initial data leak. I won't post it here but it's still available if you look on torrent sites. [It's 26 GB of files and contained Social Security numbers, names, contact details, contact phone numbers, dates of birth, email addresses, employment benefits, workers compensation details, retirement and termination plans, employees previous work history, executive salaries, medical plans, dental plans, genders, employee IDs, sales reports, copies of passport information and receipts for travel of all Sony Pictures employees worldwide](http://www.identityfinder.com/us/Press/20141204210449). Much of this information notably "\HR\Benefits\Mayo Health\Mayo XEROX assessment feed" was stored in plaintext.

**December 3^rd**

The second data leak. This one garnered less press but contained was considerably more dangerous. It contained full security certificate information, internal and external account credentials, authentication credentials with plaintext passwords for systems such as the Sony YouTube page and UPS accounts. I've heard that much of this information was available because an IT director was comprised apparently he had no background in IT and was actually a marketing exec who reached the position (and thus higher salary) through corporate politics. You can see for example is was good at [naming files](http://i.imgur.com/GngopXj.png).

**December 4^th**

The FBI issued a confidential flash warning to the security departments of large American companies warning about a new malware called Destover Backdoor.

I can't post the notice itself (it's confidential) but I can post the [Symantec writeup](http://www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea) about it.

As people started to analyze the code sample provided we learned that it was [created on a computer using the Korean language](http://securelist.com/blog/research/67985/destover/) and included pictures with Sony's name written on a tombstone (meaning that it was a targeted attack). The picture also contained the text "We've already warned you, and this is just the beginning. We continue till our request be met." Note that no where did they say what their demands were though North Korea had previous threatened Sony over the release of The Interview.

We also learned [how to detect](https://malwr.com/analysis/MWZkZjU4Mjc1ZTNlNDQzN2FkOWFhNWI1NjNmYjk0Nzc/) the "Command and Control" modules of the code. Initially the virus just exposes the computers files and configures it to run a webserver. It also attempts to spread throughout the network targeting access to specific machines and ip addresses. Because these are hardcoded it means the attacker either had inside help or had previously penetrated Sony's network and gathered information. The malware only begins to broadcast back to the C&C servers once it's been launched—and deletion of data on the targeted network has already begun. This likely triggered by a hard coded time in the code. This type of malware is consistent with a watering hole or spear phishing attack. The C&C servers the malware connects to were used previous by a piece of malware known as DarkSeoul which North Korea used to attack South Korea previously.

**December 7^th**

Third data leak. This one contains all of Sony Pictures' financial information. Bloomberg [reports](http://www.bloomberg.com/news/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-to-hollywood.html) that the initial data breach occurred at a hotel in Thailand where a Sony executive was staying. This is likely the source of the inside information about Sony's network.

**December 8^th**

Another leak, this one was just posted to pastebin before quickly being taken down. This one contains the email archives of two executives: Steve Mosko, President of Sony Pictures Television and Amy Pascal, Co-Chairman, Sony Pictures Entertainment and Chairman, Sony Pictures Entertainment Motion Picture Group. There's some confusion about the authenticity of this post. The data leaked is authentic but it looks like it came from a different group than the first 3 leaks. It also specifically mentions The Interview, which previous leaks did not. Consensus of the security community seems to be that this was a copycat or disgruntled employee taking advantage of the situation.

Security company Kaspersky releases its [report](http://www.theregister.co.uk/2014/12/08/kaspersky_deets_on_sony_malware/) which shows the initial computer virus used in the attack is the same at that used in the Shamoon attack where North Korea went after Saudi Arabia. We are also told that three security certificates used a password of "password".

**December 10^th**

The next leak occurs. This one bears the signature of the first three leaks, meaning it is likely genuine. It includes information about Sony's anti-piracy efforts, entertainment deals in the works, internal procedures related to tracking torrents and other illegal downloading. It also contains a document that outlines Sony's cooperation with 5 major Internet Service Providers (ISPs) to collect full data for monitoring illegal downloads.

On the same day the attacker behind the December 8th leaks releases another set of emails, these belonging to Leah Weil, Senior Executive Vice President and General Counsel for Sony Pictures Entertainment. They seem to be trying to piggyback onto the real leak. This is completely off topic but I wanted to mention the through these emails we learned that George Clooney is apparently the only person working with or for Sony that understand information security.

News stories proliferate.

**December 13^th**

The next authentic leak. This one contains internal documents for tracking deals, expenditures, and revenue. It also contains information about the state of all deals Sony is currently working on. While previous leaks were initially seeded in China, this one was initially seeded in [Taipei, Taiwan](https://twitter.com/Mario_Greenly/status/544967851795562496).

At this point IT workers at Sony begin anonymously [talking to the press](http://uk.businessinsider.com/sony-insider-the-security-team-has-no-fing-clue-2014-12?r=US). They paint a picture of a company with an outdated network, lax security standards, and an unwillingness to hire quality professionals in IT and software development (believing top talent in these areas to be "too expensive"). They also describe a very traditional big corporate office environment in which things like "ass in chair" time spent at work is valued over results. Most promotions seem to be driven by office politics not talent.

**December 16^th**

There's been many media articles, speculation, theories, and controversy. For weeks Sony has been fighting the leaks via takedown notices, hacking of their own, and pleas in the media. They activate their "cybercrime" insurance which provides them with [$65 million in coverage](http://www.csoonline.com/article/2859535/business-continuity/breach-insurance-might-not-cover-losses-at-sony-pictures.html). They cancel most media appearances in promotion of the film.

**December 17^th**

A group of individuals makes threats of violence at US movie theaters which show The Interview. These are different in style, content, and tone than all communications from the actual hacker. They seem obviously fake, created by pranksters to take advantage of the tense situation. Regardless almost every theater chains pulls the movie from their schedule.

In an show of incredibly lazy journalism many media outlets (lead by Wired) publish stories stating that North Korea was not behind any of the hacking. These mix together the details of several attacks and treat all leaks (both credible and not) as coming from the same actor. At the same time more respectable media outlets like the NY Times, The Wall St. Journal, and The Washington Post publish stories stating that North Korea is "almost certainly" behind the attack and cite a litany of security professionals and confidential government sources.

While all the circumstantial evidence points to North Korea we do lack documented forensic trail that truly establishes some level of attribution with certainty.

**December 18^th**

Sony cancels The Interview.

They also quietly cancel "Pyongyang" another comedy starring Steve Carell. Produced by company New Regency and directed by Gore Verbinski, the story is based on a graphic novel and follows a Westerner that is accused of espionage in North Korea.

**December 19^th**

[The FBI firmly places the blame on North Korea](http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation).

Everyone rushes to put this in a political frame."

This is why no one trusts the media anymore. This is the best rundown of the Sony Hack that I've seen. Kudos to Reddit. Again.

Sent from my iPhone

No comments: