What hackers have done to Sony Pictures is astounding. How did they do it?
There have been just enough details leaked to the press and analysed by security experts to put it together:
This was something called a “targeted attack.” That means the hackers set out to specifically break into Sony. A targeted attack is the hardest to stop.
“Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable,” wrote renowned security expert Bruce Schneier about the Sony attack.
The hackers said they gained access to Sony’s networks from inside Sony. In November, after the attack was made public, several journalists said they contacted the group that claimed responsibility, called “Guardians of Peace.” GOP told them: “Sony left their doors unlocked, and it bit them. They don’t do physical security anymore.” That’s what a GOP member known as “Lena” told CSO Magazine.
“Physical security” is hacker-speak for things like the doors and windows, keycards and video cameras.
The hackers said sympathetic employees let them into the building. “Lena” told The Verge, “Sony doesn’t lock their doors, physically, so we worked with other staff with similar interests to get in.” Whether these employees were knowingly helping hackers or were tricked into helping isn’t known.
The hackers reportedly stole a key password from someone in IT. U.S. investigators told CNN that the hackers stole the computer credentials of a system administrator, which gave them broad access to Sony’s computer systems.
Once on the network, they planted malware. Some security experts, as well as documents obtained by Ars Technica, say that this was a form of “wiper” malware. Generally that refers to malware designed to destroy data, although in this case they used the malware to collect data, too. The malware used Microsoft Windows management and network file sharing features to spread, shut down the network, and reboot computers, reports Ars Technica.
This “wiper” was apparently a variant of the type that a group called DarkSeoul used on South Korean banks last year. The FBI confirmed that the Sony malware found resembled that used in the bank hack.
The malware found and stole other passwords. The GOP told Sony it had grabbed private files, computer source code files for software, and files that held passwords for Oracle and SQL databases, among other documents. With access to that, the GOP grabbed data on movie production schedules, emails, financial documents and much more and published much of it.
Security experts say this is where Sony was particularly weak. It could have used layers of security that would have prevented the hackers from grabbing so much information even after breaking in. Many companies don’t want to spend money on extra security that would specially protect email servers, password files and databases. That’s a big lesson any company can learn: use layers of security protection that can stop hackers after they break in.
The malware transmitted information back to other computers. The malware was communicating to computers elsewhere, including in Japan — possibly other computers on Sony’s own network. Some of the malware was written in Korean, Ars Technica and others report.
On the day of the hack, employees turned on computers and found this message on their screens, according to emails of the message sent to various journalists.
Ultimately the hackers threatened Sony with a terrorist attack if they didn’t pull the movie “The Interview” from theatres. It was a comedy about trying to assassinate North Korean dictator Kim Jong-un.
Sony bowed to the pressure and pulled the picture, and on Friday, the FBI reported that “the North Korean government is responsible” for the hack.
Not everyone believes that North Korea was responsible, though.
Sony hasn’t issued technical details about the attack, but it is busy trying to spin the situation, especially after President Obama himself said on Friday that the company should not have caved and yanked the movie from theatres.