Sony Hackers Seen Having Snooped for Months (bloomberg.com)
67 points by jack_axel on Dec 19, 2014 | hide | past | favorite | 48 comments


Hackers who broke into Sony Corp. (6758)’s Hollywood unit probably spent months collecting passwords and mapping the network before they committed a last act of vandalism, setting off a virus that wiped out data and crashed the system in 10 minutes.

Trend Micro Inc. (4704) arrived at these conclusions after running simulations on a copy of the virus that struck Sony Pictures Entertainment’s computers. The Tokyo-based developer of security software declined to reveal where it got the malware.

I am so far unconvinced that this was the work of a foreign government rather than an insider, and this article does little to make the case for DPRK involvement. The US government is heavily implying that they are to blame, but as yet have not given specifics as to why they think so. This article provides little new information in this regard. In fact, if anything, the following quote indicates an insider is just as likely to be the source:

While it’s unclear how the hackers got access to Sony’s network, the virus they used to destroy it is available on the black market and can be used without a high level of technical sophistication, according to Someya. It was customized for the company, embedding in the program account names and passwords and targeting the security software, he said.


An insider strikes me as extremely unlikely. You would need to have someone that is normal and skilled enough to be hired at Sony (presumably in IT), but malicious or wronged enough to attempt to destroy the entire company, including wronging all of your co-workers and risking serious risk of prosecution from the U.S. government. Also, you would presumably be skilled enough to evade the FBI, but still somehow be stuck in some mid-tier Sony IT gig.

On the other hand, this strikes me as totally within the realm of possibility for North Korea. They have the skills, they don't really give a shit about pissing off Sony or the FBI, and they have motive.


I think that's too narrow. You need one person with access to feel wronged, and you also need strong black-hat skills, but they don't have to be the same person.

Hollywood is famous for screwing people over, so I doubt there is a deficiency in people with grudges. Suppose one of those people were willing to spend $50k on this? Suppose they had a friend or a second cousin with a connection to some people with skills and a taste for large-scale lulz?


These people literally threatened another 9/11, the FBI is involved, and the White House is apparently seriously considering responding in some manner. I think any regular black hat or American would rightly be pissing themselves and disappearing if this were just for the lulz or revenge. The risk is just too disproportionate to the 'gain.' Unless you are a nation state that already has no qualms about hacking others, and is immune from prosecution and knows that the U.S. is not going to go to war over this.


You're assuming basic rationality of people, which unfortunately isn't universally valid (I have the same intuitive tendency, which I've learned to be aware of and compensate for).

Disgruntled (usually ex-) employees have been known to do some pretty insane, destructive things, without appropriate regard for personal consequences. What was the name of that guy who locked his ex-employer out of their infrastructure and caused a big rumpus a few years ago, again? More to the point - we know that there exist people who are capable of walking into their workplace with an assault rifle; the existence of a person inclined to execute the attack on Sony should not be surprising.


Has it been shown that the anonymous 9/11 threat was made by the same group? Could have been anyone jumping in at that point right? Even if NK wasn't involved in the hack, they could have made that threat to take advantage and stop the movie.


> "The hackers have released at least nine batches of data and promised a larger quantity on Christmas."

That's why it doesn't make sense as North Korea. Their accepted motive goes as far as THE INTERVIEW, which was dodgy-enough to begin with, but which has already been shelved. Why would North Korea be threatening to release more information if their goals were already met?

Ignoring the rhetoric, the actions here look much more like garden-variety data-ransom. If "their demands" were "x-million USD, don't contact the feds", then everything makes sense. Wiping the data. Only mentioning THE INTERVIEW after the press seized on it (misdirection and increased pressure on Sony). Actively promoting the tastiest bits of leaked data to the press. Releasing more as further deadlines pass without some unnamed capitulation (that's larger/different than simply shelving THE INTERVIEW). Having The Big Bad Deadline for a large future release.

That the US Government is publicly on-board with the DPRK theory also doesn't fit an actual "hack by North Korea" situation. The US Government gains nothing by naming perps, which is why they almost never do it, not even after the consensus opinion of third-party researchers makes an inescapable conclusion. If the perpetrators actually were North Korea, the US government would stand to lose more than most times, as we're currently trying to lure the DPRK back to the six-party talks. (A subject much larger than Sony Entertainment.)

That attribution would make perfect sense if the government is coordinating with Sony, but has to try to convince the hackers they aren't involved/competent/two-hops-away, etc. Given how cozy the US press is with the US government, I wouldn't be surprised if they were knowingly pushing the "it's totally North Korea" angle in the service of the investigation.


> Why would North Korea be threatening to release more information if their goals were already met?

They are not. You are working off of outdated information: http://gizmodo.com/sony-hackers-thanks-for-running-scared-we...

(As an aside, if anyone wants to make a friendly wager, I'd bet up 3 BTC on the fact that this is indeed a NK attack, so long as we can agree on some sort of reasonable time period and way to confirm, such as an arrest or confession. Either payment to the winner, or payment to the winner's designated charity. Is there a site that allows for committing to BTC bets with some sort of escrow or multi-sig release feature? If not, there should be.)


I think you are looking for something similar to: http://longbets.org/


Sociopaths exist. If this was an insider, possibly an administrator, all they would need to do would be to execute the equivalent of "select * from \\windows_domain", put the results in a torrent, and call it a day. From all reports the internal information security procedures at Sony Pictures were not rigorous, which implies such a thing could happen without detection.

I'm not saying that the DPRK couldn't do it, only that no proof has been offered that they did. Given the lack of proof, assigning blame to anyone is premature.

Parenthetically, it is amusing to me that the accepted narrative has so quickly become that NK definitely did it.


Or they could have stolen a few backup tapes, then infected the network with malicious software and left bits of logs pointing wherever they want. It's unlikely Sony has full network captures. So a line in a log file with an IP is likely to be taken as absolutely true.


Sony laid off quite a few people this year including an entire division. Plenty of people who could be disgruntled.

http://variety.com/2014/biz/news/sony-cuts-over-70-jobs-more...


Not disagreeing with you but

>be skilled enough to evade the FBI, but still somehow be stuck in some mid-tier Sony IT gig.

Skill (whatever that is) has very little to do with how successful you are at your job and/or which company you are working at.


And it's more precise to say someone is 'skilled at something' than 'skilled'. You can be exceptionally clever at covering your criminal tracks, but merely adequate at fixing broken printers. You can be fantastic at writing lock-free multithreaded code, and utterly incapable of cracking the IRS d-base.


> [..]and skilled enough to be hired at Sony (presumably in IT)[..]

As I see it, after the three (if I'm not mistaken) last successful attacks at Sony, I wouldn't say they're skilled _enough_. Not even skilled basically.

Again, as I see it, it's Sony's fault: after the first attack at playstation network, the least they could do is stop using plaintext files to store passwords.

But no. Second attack with the same results and now a third.

So no. They're not even close to being characterized as skilled (and that goes especially for the managers/whoever did not decide to leave the I-store-passwords-as-plaintext practice).


Your argument applies equally well to just about ANY high-profile inside job, and those are incredibly common. Obviously that segment exists. Why couldn't it exist for Sony?


The majority of data theft, cybercrime, etc is done by insiders these days - a lot of companies just don't talk about it unless forced to by regulations...


Just... stop. This is sounding close to Reddit's moonbattery over the Boston marathon bombing being an inside job.


In fact, if anything, the following quote indicates an insider is just as likely to be the source

The common narrative in discounting any involvement of North Korea is that they're too famished and uneducated to perform such an operation. Your angle is that the attack isn't sophisticated enough?

The evolving story is that a single IT worker with significant right grants was targeted by the group, and once that single user was exploited, their privileges were used to compromise the network. If you have the privileges of a superuser, your attack doesn't need to be sophisticated.

And ultimately this is exactly how I would expect these sort of attacks to go, especially when hitting targets in free and open nations. Why go through the trouble and effort of trying to winnow in from the outside when you can just exploit the kink or vulnerabilities of individual people -- who you can now discover via LinkedIn -- and then work your magic from the "inside". Sending out a group policy to disable all security software is a couple of lines. This "virus" seemed to be a simple efficiency measure, as with those rights they could do pretty much everything, though mass malice would probably be too labor intensive minus some helpful tools.

The defense against this is of course that even admins should have limits on their access and flags on their activities. Of course, the admins are the ones who normally implement this, so...
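One way to put "flags on their activities" into practice, as an added example that is not from the article or any commenter: a small rule-based detector over constructed Windows-style security events (the pipe-delimited field layout, host names, account names and the jump-host allowlist are all assumptions; the Event IDs 4672, 5136, 7036 and 1102 are standard Windows audit IDs). It flags admin logons outside the designated admin hosts, Group Policy changes, a security service being stopped across many hosts, and the audit log being cleared.

```python
import re

# Constructed sample events in a simplified "EventID|Account|Host|Detail" form
# (not real Sony logs; the field layout and names are assumptions for this example).
SAMPLE_LOG = """\
4672|CORP\\it-admin1|JUMP01|Special privileges assigned to new logon
4672|CORP\\it-admin1|WKS-ACCT-17|Special privileges assigned to new logon
5136|CORP\\it-admin1|DC01|GroupPolicy object modified: gPCMachineExtensionNames
7036|SYSTEM|WKS-ACCT-17|The Endpoint Protection service entered the stopped state
7036|SYSTEM|WKS-HR-03|The Endpoint Protection service entered the stopped state
7036|SYSTEM|WKS-HR-04|The Endpoint Protection service entered the stopped state
1102|CORP\\it-admin1|DC01|The audit log was cleared
4624|CORP\\jdoe|WKS-HR-03|An account was successfully logged on
"""

ADMIN_JUMP_HOSTS = {"JUMP01", "JUMP02"}          # assumed dedicated admin hosts
SECURITY_SERVICES = re.compile(r"endpoint protection|antivirus|defender", re.I)
SERVICE_STOP_THRESHOLD = 2   # security service stopped on >= this many hosts = mass action

def parse(log_text):
    """Split the constructed log into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, account, host, detail = line.split("|", 3)
        events.append({"id": int(event_id), "account": account,
                       "host": host, "detail": detail})
    return events

def detect(events):
    """Return (rule, account, host) alerts for privileged activity worth a flag."""
    alerts = []
    stopped_hosts = set()
    for e in events:
        # 4672: privileged logon. Admin rights used anywhere but a jump host is suspect.
        if e["id"] == 4672 and e["host"] not in ADMIN_JUMP_HOSTS:
            alerts.append(("ADMIN_LOGON_OFF_TIER", e["account"], e["host"]))
        # 5136: directory object modified; a GPO change can push settings fleet-wide.
        elif e["id"] == 5136 and "GroupPolicy" in e["detail"]:
            alerts.append(("GPO_MODIFIED", e["account"], e["host"]))
        # 7036: service state change; collect hosts where a security service stopped.
        elif (e["id"] == 7036 and SECURITY_SERVICES.search(e["detail"])
              and "stopped" in e["detail"]):
            stopped_hosts.add(e["host"])
        # 1102: audit log cleared, a classic sign of someone covering tracks.
        elif e["id"] == 1102:
            alerts.append(("AUDIT_LOG_CLEARED", e["account"], e["host"]))
    if len(stopped_hosts) >= SERVICE_STOP_THRESHOLD:
        alerts.append(("MASS_SECURITY_SERVICE_STOP", "-",
                       ",".join(sorted(stopped_hosts))))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The point is that these rules run on a collector the admins cannot silence from the workstation they are using, which is the "who watches the admins" problem the comment raises.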


Most people I've seen question the North Korea angle absolutely acknowledge that they have the capability to do things like this. They usually argue that this does not fit the style and MO of a state sponsored attack, that The Interview was never mentioned by the hackers until after the media started running with the story, and that there simply isn't enough public evidence to justifiably attribute it yet, among other things.


More importantly, who else could the USG blame? China are somewhat too important a "partner". Venezuela, well Chavez "happened to die". Cuba, friends again. Iran, bringing them slowly in from the cold. Russia, well...

It would have been more convenient for the USG to blame ISIS but nobody would believe that.

I still don't buy the N.Korea angle. They would just love the propaganda. They are quite happy to provoke the US with missile tests publicly, you don't think a hack like this they are going to want to keep quiet?

Doesn't make sense to me.


There is no MO regarding an attack from a country like North Korea. That country says bombastic things with regularity, and has seemingly little concern for blowback. How a country like Israel or the United States might do an attack like this has no relevance to what North Korea might do, whether directly or through a hired proxy.

The Interview was never mentioned by the hackers until after the media started running with the story

North Korea threatened war over this movie - http://www.bbc.com/news/world-asia-28014069

Now again, North Korea's words are kind of cheap, but they were talking about as big as you can get before this hack, and then specifically warned Sony to "obey" them. We have absolutely no idea what communications happened between the group and Sony and then law enforcement, so the whole what the media reported angle seems rather spurious. Sony/Law Enforcement, people who know more than us, seem to believe it was related to the movie.


There is no MO regarding an attack from a country like North Korea.

Actually, there is. They tend to huff and puff about American military exercises that occur in cooperation with the Japanese or the South Koreans, or to complain to the UN about various things (e.g.: the CIA torturing people). But their MO, such as it is, is to complain and threaten, almost exclusively. Occasionally they will perform a missile test that causes concern, but those missiles land in the Sea of Japan or some other body of water, not anywhere that causes actual harm.

No, this goes against the DPRK's MO up until now. If they are responsible then it is a shift in their tactics from "loud and threatening, but basically harmless to other nations", to "actively and publicly committing acts of economic espionage." That would be quite a departure for them.


I read the "War Nerd" claiming that NK lands kill parties on SK soil. Which seems to contradict your statements.


http://www.cnn.com/2014/12/18/world/asia/north-korea-hacker-...

North Korea is suspected in a number of similar attacks. Because really, what is anyone going to do? Attack them? They have nukes. Isolate them? They can't possibly be more isolated. Sanction them?

As an aside, the regular threat of using nuclear weapons is an act of extreme violence, and I doubt North Korea's neighbors treat it so flippantly. The threat is unlikely, but extremely real.


That's a fair point, but how many times a year does North Korea threaten war over something or other? A dozen?


> The common narrative in discounting any involvement of North Korea is that they're too famished and uneducated to perform such an operation.

This is the common narrative? Every narrative I've read bases their skepticism on problems with the language used by attackers.


Hired guns?


Or someone who is intentionally writing in "broken" English.


I think the truth could run in one of two directions. Today's news implied that Iran, China and North Korea were in cahoots and aggressively attacked Sony for months and finally penetrated their bastion. Sony was helpless to defend. That is what the press and FBI seem to be saying.

The facts seem to say that Sony was incredibly incompetent and had all sorts of sensitive files sitting on servers with no access protection. Sr. staff never deleted emails and made newsworthy statements in their emails, especially ones that attacked celebrities and even the President. With this juicy material, including unreleased movies, all free for the taking, the hackers used well known standard techniques to penetrate. Then they leisurely sucked down a lot of information and no one noticed the traffic.

While there is no excuse for theft, if I have shoddy locks, no lights, no alarms, on my home I may be at more risk than if I had solid locks, security systems, lights, etc. Whether it was North Korea or the next door neighbor, it was not a particularly difficult crime to pull off.


I think the truth could run in one of two directions. Today's news implied that Iran, China and North Korea were in cahoots and aggressively attacked Sony for months and finally penetrated their bastion. Sony was helpless to defend. That is what the press and FBI seem to be saying.

this narrative just seems way too neat and prepackaged and allows under-informed US citizens to consume it and still feel safe and make sense of the connected world we all swim in every day.

i agree it's being spoonfed via media and politicians, but to me, that's all the more reason to be highly suspect of it.

this event is becoming the ultimate nail to everyone's hammer.


In my experience it is worth ignoring anything said by anyone selling security software in matters of security.


Oh, not an actual bomb.


Thank you, I thought the same thing. But the journalist just re-watched Swordfish, it seems.


Look, a nord korean spider over there!


Not being fluent in American English, does that headline make any sense at all? Because it sure doesn't in English English.


It's grammatically incorrect. English pluperfect tense should be used like so:

Sony Hackers Seen Snooping for Months, Planting Bomb

The actions of snooping and planting the bomb are in the past but before the implied event of discovery which is also in the past so it must be pluperfect. The form "Having Snooped" can only be used in a pluperfect inversion such as:

Having snooped around for months, the hackers planted a bomb.


Thank you!


Nope, not even American Headlinese where you can get away with "Infant Pulled from Wrecked Car Involved in Short Police Pursuit". https://en.wikipedia.org/wiki/Syntactic_ambiguity#In_headlin...


To me it makes sense but doesn't parse nicely at all (also British here) - i.e. doesn't confuse me, but I absolutely would re-write it if I was the editor.


I don't think anybody actually saw anyone doing anything did they?! I can see what they were trying to say, but certainly wouldn't have written it like that.


While it might be technically correct, it's extremely awkward, doesn't roll off the tongue at all, and I had to read it several times.


I found the use of "minions" interesting in this article. First time I've seen it used in reference to malware or a virus.


Ah, so it seems to be confirmed that North Korea are definitely behind the Sony hack. Thank you Bloomberg security consultant.


Why do hackers attack Sony that hard and not other companies? Or do they not spend enough on securing their systems?


That title is mildly infuriating. Using the term "bomb" to refer to software when actual bomb threats have been made is the epitome of clickbait.


> hackers

Sometimes I wonder if I should keep wasting breath trying to get people to call crackers for what they actually are.


You absolutely should stop wasting breath trying to define how others use language.

Hackers is clear in its meaning in this context.

