New Delhi, India, December 24, 2014: Blackmail, a secret master plan, sabotage, drama, politics, thriller, hostage-taking; the list goes on. This is not the plot line of an immersive Hollywood motion picture but the highlights of the recent hack on Sony Pictures Entertainment (SPE). Although it is one of the most serious breaches we have seen so far, we will see more breaches of this magnitude in the days and months ahead as IT departments continue to grapple with targeted attacks like this one. While Sony deals with the hack by trying to sabotage downloads of its stolen data, putting out a large number of torrent file-sharing nodes with fake seeds, we at Websense Labs have been busy protecting our customers from such attacks. We first released coverage on 2 December to protect customers from the malware used in the attack on SPE, and we will continue to monitor the situation and enhance our protection as required.
Websense customers are protected against known Indicators Of Compromise with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:
- Stage 5 (Dropper) – ACE has detection for the malicious files delivered by this threat.
- Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with this threat.
- The initial malware used in this attack was a Server Message Block (SMB) worm that spread laterally throughout the network. The secondary malware included a backdoor as well as Master Boot Record (MBR) and hard-drive wiping tools.
- The attackers held the data for ransom before releasing it publicly. Their motives, however, remain unclear.
- Attribution for this attack is difficult, if not impossible, despite heavy links to North Korean actors.
From a technical perspective, the attack kill chain was typical of an infection scenario. The attack possibly started with a phishing email or with a machine infected by other means; some reports hint that an insider was responsible. The initial infection was an SMB worm that brute-forced credentials in order to spread from one system to the next, while constantly sending updates back to its hard-coded command and control servers. From there, various tools, including backdoors, a proxy, a hard-drive eraser and an MBR eraser, went about their jobs of exfiltrating data, wiping hard drives and erasing master boot records. US-CERT has done a great job of documenting the specific files dropped and executed at https://www.us-cert.gov/ncas/alerts/TA14-353A.
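To make the lateral-movement stage concrete, here is an added example (not code from Websense or US-CERT, and not derived from the SPE malware) of a detector for the pattern described above: one source hammering SMB shares on several hosts with several accounts until a guess works. It runs over constructed Windows Security log records; the field names follow the Windows event schema (4625 = failed logon, 4624 = successful logon, Logon Type 3 = network logon, which is what SMB authentication produces), while the hosts, accounts, addresses and thresholds are assumptions chosen for the example.

```python
"""Added example: flag SMB credential brute forcing from Windows logon events.
Not code from the Websense post or the US-CERT alert; every record below is
constructed and the thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20                 # failed network logons inside one window
WINDOW = timedelta(minutes=10)
MIN_TARGETS = 3                     # distinct (host, account) pairs: spraying, not a typo


def _event(seconds, host, event_id, user, src_ip,
           base=datetime(2014, 11, 24, 2, 0, 0)):
    """Build one constructed Security log record (fields named after the event schema)."""
    return {
        "time": (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%S"),
        "host": host,            # computer that logged the event, i.e. the logon target
        "event_id": event_id,    # 4625 = failed logon, 4624 = successful logon
        "logon_type": 3,         # network logon: SMB share access authenticates this way
        "user": user,
        "src_ip": src_ip,        # "Source Network Address" in the event
    }


# Constructed sample: 10.0.5.17 behaves like the worm, rotating hosts and accounts
# every few seconds until one pair works; 10.0.9.40 is a user mistyping twice.
_HOSTS = ["FILESRV01", "FILESRV02", "DC01"]
_USERS = ["administrator", "backup", "svc_sql"]
SAMPLE_EVENTS = [
    _event(5 * i, _HOSTS[i % 3], 4625, _USERS[(i // 3) % 3], "10.0.5.17") for i in range(30)
] + [
    _event(200, "FILESRV02", 4624, "backup", "10.0.5.17"),
    _event(60, "FILESRV01", 4625, "jsmith", "10.0.9.40"),
    _event(75, "FILESRV01", 4625, "jsmith", "10.0.9.40"),
    _event(90, "FILESRV01", 4624, "jsmith", "10.0.9.40"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_smb_bruteforce(events, fail_threshold=FAIL_THRESHOLD,
                          window=WINDOW, min_targets=MIN_TARGETS):
    """Return one alert per source IP whose network-logon failures look like
    credential brute forcing, with any success that follows the burst attached."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["event_id"] in (4624, 4625):
            by_src[e["src_ip"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        recent = deque()        # failures inside the sliding window
        burst = None            # filled once the threshold is first crossed
        for e in evs:
            t = _ts(e["time"])
            if e["event_id"] == 4625:
                recent.append(e)
                while t - _ts(recent[0]["time"]) > window:
                    recent.popleft()
                if burst is None:
                    targets = {(x["host"], x["user"]) for x in recent}
                    if len(recent) >= fail_threshold and len(targets) >= min_targets:
                        burst = {
                            "src_ip": src,
                            "failures": len(recent),
                            "hosts": {x["host"] for x in recent},
                            "users": {x["user"] for x in recent},
                            "first_failure": recent[0]["time"],
                            "last_failure": e["time"],
                            "successes_after": [],
                        }
                else:
                    burst["failures"] += 1
                    burst["hosts"].add(e["host"])
                    burst["users"].add(e["user"])
                    burst["last_failure"] = e["time"]
            elif burst is not None and t - _ts(burst["last_failure"]) <= window:
                # a success from the same source shortly after the burst: a guessed
                # credential worked, which is the moment the worm gains a new host
                burst["successes_after"].append((e["host"], e["user"], e["time"]))
        if burst is not None:
            burst["hosts"] = sorted(burst["hosts"])
            burst["users"] = sorted(burst["users"])
            burst["severity"] = "high" if burst["successes_after"] else "medium"
            alerts.append(burst)
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The distinct-target requirement is what separates a spreading worm from a user locked out of one account, and the success-after-burst check is the escalation worth paging on: at that point the attacker holds a working credential for the host named in the 4624 event.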
Aims of the Malicious Actors
It is clear that data is at the heart of the attack against Sony. The data was held for ransom by the 'Guardians of Peace', the group that claimed responsibility for the hack. They blackmailed Sony, and a massive 200 GB of sensitive data has been made public by the group so far, with threats to release more in the days to come. Exfiltration of such a large amount of sensitive data across the perimeter of any organization ought to have raised some kind of alarm. It is therefore essential to discover, in an automated way, what data exists in the organization and to protect it according to its risk classification. Data discovery, data identification, data classification and explicit action driven by data policy are at the heart of the analytics in the Websense Advanced Classification Engine (ACE) and the ThreatSeeker Intelligence Cloud.
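The alarm that the paragraph above says should have fired is easy to describe and worth showing in code. The following added example (not Websense code, and not a description of SPE's actual telemetry) builds a per-host egress baseline from constructed daily flow summaries and flags a host whose outbound volume is far outside its own history, noting any external destination the host has never used before. Hosts, destinations, byte counts and thresholds are all assumptions chosen for the example.

```python
"""Added example: robust per-host egress baseline over constructed flow summaries.
Not Websense code; every host, destination, byte count and threshold is assumed."""
import statistics
from collections import defaultdict

GB = 10 ** 9
MIN_HISTORY_DAYS = 7        # do not score a host we have barely seen
MIN_BYTES = 5 * GB          # absolute floor: small hosts are noisy, not exfiltrating
SCORE_THRESHOLD = 6.0       # robust z-score (median / MAD) needed to alert


def _flow(host, day, dst, bytes_out):
    """One constructed daily summary: bytes sent by `host` to external `dst` on `day`."""
    return {"host": host, "day": day, "dst": dst, "bytes_out": bytes_out}


# Constructed sample. FILESRV01 ships about 2 GB/day of backups to one known
# destination, then on day 15 also pushes 40 GB to an address it has never used.
# WS-042 is an ordinary workstation. NEWBOX has too little history to score.
SAMPLE_FLOWS = (
    [_flow("FILESRV01", d, "203.0.113.10", 2 * GB + (d % 3) * 50_000_000) for d in range(1, 15)]
    + [_flow("FILESRV01", 15, "203.0.113.10", 2 * GB),
       _flow("FILESRV01", 15, "198.51.100.77", 40 * GB)]
    + [_flow("WS-042", d, "203.0.113.25", 100_000_000) for d in range(1, 16)]
    + [_flow("NEWBOX", d, "203.0.113.25", 9 * GB) for d in range(13, 16)]
)


def detect_bulk_egress(flows, today, min_history=MIN_HISTORY_DAYS,
                       min_bytes=MIN_BYTES, score_threshold=SCORE_THRESHOLD):
    """Return findings for hosts whose outbound volume on `today` is far above
    their own history, listing destinations the host has never sent to before."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes out
    known_dsts = defaultdict(set)                    # host -> destinations seen before today
    todays_dsts = defaultdict(set)
    for f in flows:
        daily[f["host"]][f["day"]] += f["bytes_out"]
        if f["day"] < today:
            known_dsts[f["host"]].add(f["dst"])
        elif f["day"] == today:
            todays_dsts[f["host"]].add(f["dst"])

    findings = []
    for host, by_day in daily.items():
        history = [b for d, b in by_day.items() if d < today]
        bytes_today = by_day.get(today, 0)
        if len(history) < min_history:
            continue    # not enough history to say what "normal" is for this host
        median = statistics.median(history)
        mad = statistics.median(abs(b - median) for b in history)
        # a flat history gives MAD = 0; keep a small floor so the score stays finite
        spread = max(1.4826 * mad, 0.05 * median, 1.0)
        score = (bytes_today - median) / spread
        if bytes_today < min_bytes or score < score_threshold:
            continue
        new_dsts = sorted(todays_dsts[host] - known_dsts[host])
        findings.append({
            "host": host,
            "bytes_today": bytes_today,
            "baseline_median": median,
            "score": round(score, 1),
            "new_destinations": new_dsts,
            "severity": "high" if new_dsts else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_egress(SAMPLE_FLOWS, today=15):
        print(finding)
```

Median and MAD are used instead of mean and standard deviation so that a single earlier large day (a legitimate one-off transfer) does not inflate the baseline and hide the next one; the absolute floor keeps a workstation that normally sends almost nothing from alerting on a routine upload.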
The hack itself was well orchestrated, but in many ways it is atypical of the state-sponsored cyber warfare that it is believed to be.
- The real intent of the group in question is unclear, which leaves many questions unanswered. Initially the attack appeared to be mercenary, but in that case why would Sony's pulling of the movie in question, "The Interview", appease the group in any way? Now that Sony's data is held for ransom, what else does the attacker want? Sony's data has already left the building, and unlike in the physical world there is no way to "return" all the copies. On the topic of attribution: is this really the group that carried out the attack, and are there other victims?
- As to the sophistication of the malware itself: it is no Stuxnet. It certainly did not take millions of dollars to piece together the whole attack, and the malware did little to cover its tracks. Attribution of cyber attacks is one of the hardest problems in the field, and the term "cyber war", though thrown around a lot in the news, is not as simple as it appears. For a start, the clues could be red herrings, and plausible deniability plays a big role in the virtual world.
- The code was simple and not highly obfuscated, and the command and control communication was not unusual in any way.
- Some of the malware was written specifically for SPE. The attackers had hard-coded hostnames, passwords and similar details, indicating a phase of reconnaissance in which substantial, pertinent insider information was gathered. Judging by the amount of sensitive data stolen, the attackers appear to have been inside SPE's network for a while.
- The aim of the malware was to exfiltrate and then destroy the data in Sony's environment. Wiping the data guarantees the malware's immediate discovery, even though it also makes forensic analysis harder.