Security Research

North Korea and the attack on Sony Pictures Entertainment

SR-FI_Team ‎12-19-2014 11:03 AM - edited ‎12-19-2014 11:35 AM

In late November 2014, Sony Pictures Entertainment (SPE) became aware of a significant breach of its networks. The world was first introduced to the breach via a Reddit post, where a user claiming to be a former SPE employee posted a screenshot of a defacement message on one of SPE’s computers. A threat actor group calling themselves Guardians of Peace (#GOP) claimed responsibility for the attacks.
#GOP also commandeered several Sony-related Twitter.com accounts and tweeted messages about the motives for the attack. In an interview with TheVerge.com, alleged members of #GOP stated that the group worked with other hackers, possibly including Sony employees, in the attack.
A high-level timeline of the breach runs as follows:
November 2014

21st – Attackers allegedly send blackmail email to SPE executives

24th – Information surfaced about a possible breach at SPE

25th – Breach publicly acknowledged

26th – #GOP leaks torrents of five previously unreleased films

29th – #GOP leaks SPE sales data and human resources records
December 2014

3rd – #GOP leaks list of hacked servers, plaintext passwords

5th – #GOP leaks financial data, planning, and contracts

5th – Reports of email threats to Sony employees

8th – #GOP leaks another round of SPE internal documents including internal emails and contact information of well-known actors [link later removed]

13th – #GOP leaks internal SPE documents regarding anti-piracy measures

14th – #GOP leaks emails of Steven O’Dell [link later removed]

16th – #GOP leaks emails of Michael Lynton and issues a threat to moviegoers

17th – Unofficial reports identify North Korea as a central figure in the attacks

18th – #GOP emails SPE executives, declaring victory and expressing satisfaction with Sony’s decision to halt release of The Interview

19th – FBI confirms North Korea is responsible for the attacks on SPE

Guardians of Peace

At this time, little is known about the threat actor group known as #GOP. However, the FBI has linked North Korea to the attacks. The group also used the name God’sApstls in an email sent to Sony executives. #GOP’s known tactics, techniques, and procedures (TTPs) are:

  • Wiper malware
  • Data exfiltration
  • Defacement
  • Data leaks via PasteBin and torrents
  • Attempted blackmail and extortion
  • Terroristic threats

Their only disclosed target so far is Sony Pictures Entertainment.
Is North Korea responsible?

Although the regime denies responsibility for the attacks, several factors support the conclusion that North Korea played a role, including similarities to its known TTPs.

The TTPs used in the attack on SPE seem to mirror what is known about North Korean actor TTPs. The attacks on SPE used wiper malware, which wipes both the MBR and all host data. This is very similar to the behavior of the malware used in previous attacks attributed to North Korea. While the data exfiltration method used in the attack on SPE is currently unknown, North Korea has also been known to use malware that targets and exfiltrates data in attacks on South Korean military interests.
Additionally, the actors who targeted SPE left a defacement with graphics and a message to the victim. This tactic has been seen in attacks attributed to the North Korean threat actor groups WhoIs Team, IsOne, and Hastati. All of these groups were associated with the DarkSeoul malware and Operation Troy. According to statements from the South Korean government, North Korea’s Lab 110 was the actor behind the DarkSeoul malware. Lab 110, suspected to be part of North Korea’s Unit 121, is reported to maintain technical reconnaissance teams responsible for infiltrating computer networks, hacking to obtain intelligence, and planting viruses on enemy networks. Additionally, the malware used to attack SPE was written using a Korean language pack, as were malware samples previously attributed to North Korean origin.

In their official statement on the investigation, the FBI provided the following TTP comparisons:
  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

Motivation

The movie The Interview has been noted as the likely motivation for a North Korean cyber attack on SPE. The movie’s storyline centers on a plot to assassinate North Korean leader Kim Jong Un. In June 2014, North Korean officials called the movie “the most undisguised terrorism and a war action” and said, “if the U.S. administration connives at and patronizes the screening of the film, it will invite a strong and merciless countermeasure.”
On December 16, #GOP leaked the emails of Michael Lynton, the CEO of Sony Entertainment. The December 16 leak included threats of a 9/11-style attack on moviegoers who chose to see The Interview. Compared to past threats issued by #GOP, this threat was unique: it was the first to include a threat of physical harm. While the credibility of the threat is unknown, SPE responded by cancelling the release of The Interview indefinitely.

Sophistication

In HPSR Security Briefing Episode 16, we profiled North Korea’s cyber threat landscape, highlighting the regime’s known capabilities and deficiencies in cyberspace. In that report, we noted North Korea’s initial response to The Interview. Based on our previous research of North Korean cyber capabilities, it is difficult to discern whether the regime acted alone. It is plausible that the actors responsible for this attack relied on the assistance of an insider.
While the malware used in the attack appears to have been crafted specifically for a targeted attack against SPE, the code itself is not very sophisticated. Some of the code appears to be generic, and no zero-day attacks have been noted. The attackers somehow obtained knowledge of Sony’s infrastructure and IT administrators prior to the attack, as evidenced by the hardcoded credentials of several SPE IT administrators and the specific hardcoded DNS queries found in the malware. The attackers appear to have used Tor exit nodes and VPNs to help cover their tracks, which indicates some awareness of operational security (OPSEC).

Unanswered questions

While press statements naming North Korea as a central figure in the Sony incident cite unnamed U.S. officials as their source, some questions about the attack remain unanswered.
First, it is unclear how the initial compromise occurred. While some researchers may speculate the attackers were assisted by an insider or that the initial compromise took place via a phishing email, the actual method used is unknown.
Second, it is unclear how the attackers exfiltrated large quantities of data without being detected. Since movie studios move large files, such as 4K quality films, on a daily basis, it is likely that SPE had a robust infrastructure to support these transfers and that the exfiltration behavior was not detected as anomalous. It is also possible that data was physically “walked out” of the environment.
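
The reasoning above, that routine bulk transfers can hide exfiltration from a volume-only view, can be illustrated with a small baselining check. The following Python is an added example, not code from the original post or from HP Security Research. The flow records, host names and addresses in it are constructed (RFC 5737 documentation ranges), and the two detectors, one on daily outbound volume and one on destinations a host has never talked to before, are this example's own design rather than anything SPE ran.

```python
from collections import defaultdict
from dataclasses import dataclass

GB = 1_000_000_000


@dataclass(frozen=True)
class Flow:
    """One aggregated outbound flow record (constructed, not real telemetry)."""
    day: int        # observation day, 1-based
    src: str        # internal source host (hypothetical name)
    dst: str        # external destination (RFC 5737 documentation address)
    bytes_out: int  # bytes sent from src to dst that day


# Constructed sample data. Days 1-3 form the baseline. On day 4 the render
# host sends a volume that is normal for it, but to a destination it has never
# talked to before; the HR file server sends several times its usual volume.
FLOWS = [
    Flow(1, "render-01", "198.51.100.10", 80 * GB),   # routine bulk delivery
    Flow(1, "render-01", "198.51.100.11", 60 * GB),
    Flow(2, "render-01", "198.51.100.10", 90 * GB),
    Flow(2, "render-01", "198.51.100.11", 55 * GB),
    Flow(3, "render-01", "198.51.100.10", 85 * GB),
    Flow(3, "render-01", "198.51.100.11", 65 * GB),
    Flow(1, "hr-fileserver", "198.51.100.10", 1 * GB),
    Flow(2, "hr-fileserver", "198.51.100.10", 1 * GB),
    Flow(3, "hr-fileserver", "198.51.100.10", 2 * GB),
    Flow(4, "render-01", "198.51.100.10", 85 * GB),
    Flow(4, "render-01", "203.0.113.77", 70 * GB),      # new destination, normal size
    Flow(4, "hr-fileserver", "198.51.100.10", 1 * GB),
    Flow(4, "hr-fileserver", "203.0.113.77", 12 * GB),  # new destination, large for this host
]


def build_baseline(flows, baseline_days):
    """Return (destinations seen per host, mean daily outbound bytes per host)
    computed over the baseline days only."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for f in flows:
        if f.day in baseline_days:
            dests[f.src].add(f.dst)
            daily[f.src][f.day] += f.bytes_out
    mean = {host: sum(per_day.values()) / len(baseline_days)
            for host, per_day in daily.items()}
    return dict(dests), mean


def volume_alerts(flows, mean, day, factor=3.0):
    """Hosts whose total outbound bytes on `day` exceed factor x baseline mean.
    A host with no baseline at all is flagged for any traffic."""
    total = defaultdict(int)
    for f in flows:
        if f.day == day:
            total[f.src] += f.bytes_out
    return sorted(host for host, b in total.items() if b > factor * mean.get(host, 0))


def new_destination_alerts(flows, dests, day, min_bytes=1 * GB):
    """(host, dst) pairs on `day` where dst never appeared in the host's baseline
    and at least min_bytes were sent to it."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.day == day and f.bytes_out >= min_bytes
                   and f.dst not in dests.get(f.src, set())})


if __name__ == "__main__":
    dests, mean = build_baseline(FLOWS, {1, 2, 3})
    print("volume-only alerts:", volume_alerts(FLOWS, mean, 4))
    print("new-destination alerts:", new_destination_alerts(FLOWS, dests, 4))
```

On the constructed data the volume detector flags only the HR file server; the render host's day-4 total is well inside its normal range, which is exactly the blind spot the paragraph describes. The destination detector catches both hosts because the deciding signal is where the data went, not how much. In practice the baseline window, the multiplier and the minimum size would be tuned per host class, and the destination list would be keyed on ASN or organisation rather than a single address.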
Third, how did the attackers obtain knowledge of SPE’s administrator credentials and infrastructure in order to hardcode this information into the malware? Possibilities include but are not limited to information provided by an insider and a period of reconnaissance prior to preparing the malware for the attack.
Finally, what is the cost of the attack for the victim versus the cost to the attacker? At this point, Sony’s total losses can only be estimated in the hundreds of millions. However, it likely cost very little for the threat actor to plan and execute the attack against this multi-billion dollar company.
Inconsistencies

There are also some inconsistencies in the threat actor’s behavior that are worth noting. Most of the SPE data dumps used the password “diespe123”, which seems to read as “Die SPE 123”. However, the December 14 leak used the password “diespe135”. While this password variation is interesting, its significance is currently unknown. #GOP’s shift from threatening to leak information to threatening a terrorist-style attack on moviegoers is also a sudden and notable shift in the threat actor’s tactics.
While Destover, the malware used to hack SPE, closely mimics DarkSeoul and other wiper malware attributed to North Korean origin, some security researchers have also compared it to Shamoon. The Shamoon malware was used by Iranian threat actors to target Saudi Aramco in 2012. It is also interesting to note that some of the linguistic nuances in the #GOP PasteBin posts are eerily similar to those posted by the Iranian threat actor group Qassam Cyber Fighters during Operation Ababil. During Operation Ababil, Qassam Cyber Fighters targeted Western financial institutions, citing the “offensive” nature of the film Innocence of Muslims as motivation for the attacks.
Analysis

While the FBI has named North Korea as a culprit in the attacks, it is still possible that the regime did not act alone. North Korea has forged cooperative cyber ties with several other countries including China, Russia, Syria, and Iran.

The Sony Pictures Entertainment breach highlights two critical issues in threat intelligence: the difficulty of attribution and the criticality of threat intelligence sharing. It is often difficult to attribute an attack to a particular threat actor group or to discern the origin of that group. While some groups consistently use the same TTPs or take explicit credit for their exploits, others are known to evolve their capabilities over time. Additionally, it is possible for a threat actor to closely mimic another actor’s TTPs in order to evade suspicion. These factors can complicate definitive attribution.

This difficulty highlights the more critical and overarching issue affecting the threat intelligence realm. In the past, various threat intelligence researchers have been reluctant to share information with those from other organizations. Sharing threat intelligence is essential because it allows small fragments of information, such as artifacts and indicators of compromise (IOCs), to be combined to form the big picture. The SPE incident illustrates, more than ever, why this type of information sharing is crucial.

About the Author

SR-FI_Team
