Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Attack on Sony


Published on

RSA 2015 booth talk

Published in: Technology
  • Be the first to comment

Attack on Sony

  1. 1. Attack on Sony Pictures Destover Trojan Nick Bilogorskiy @belogor
  2. 2. Sony Pictures Attack by Destover Trojan o Attack on Sony Pictures…Nov 24, 2014 by GOP - “Guardians of Peace” o 111 Terabytes of Data Stolen o Suspected Origin: North Korea o 7 lawsuits filed against Sony, so far o Controversy over “The Interview” which made $46 million to date o Trojan designed for Sony’s network.
  3. 3. Attack Timeline for Sony Pictures, Nov – Dec 2014 Destover malware discovered Guardians of Peace claims credit, starts releasing stolen movies Sony decides to release “The Interview” on Dec 25 Wiper activates Nov 21 Nov 24 Nov 27 Dec 1 Dec 3 Dec 11 Dec 15 Dec 17 Dec 19 Dec 23 Sony receives email from ‘God’s Apstls” FBI sends “flash alert” GOP leaks Sony Exec emails Sony hit with 1st class-action lawsuit for failure to protect employee info Sony cancels movie “The Interview” FBI says hack done by North Korea
  4. 4. What was stolen and leaked? In a word, everything!  Personal data on 600 employees  Movies and Scripts  Performance reports and salary information  Source code, Private keys, passwords, certificates  Production schedules, Box office projections  Executives email correspondence  Brad Pitt phone number! and more..  Wiped 3,000 computers and 800 servers
  5. 5. Destover Workflow Diagram 7 ATTACKER Spreads via SMB port 445Destover Command and Control Servers Drops WIPER DROPPER -w Webserver -d Disk Driver Drops Disk Wiper
  6. 6. Wiper Command and Control o This Trojan uses encrypted config file net_ver.dat embedded in the resource section that has several IP addresses later used for C&C communication o Once connectivity is established with C2 servers, it initiates a two hour countdown at which time the infected machine will reboot Net_ver.dat (Config File)
  7. 7. Wiper switches The module can be executed with many parameters: switch description -i Install itself as a service -k Remove the service -d Start file wipe module -s Mount and remote shares with hardcoded passwords and delete files from them -m Drop Eldos Software RawDisk kernel driver to wipe MBR -a Start anti-AV module -w Drop and execute webserver to show the ransom message
  8. 8. -d switch o usbdrv3.sys - Eldos Software RawDisk (a commercial product to enable raw access to the hard disk from Windows). o After ten attempts to connect to one of the local systems, the process of wiping the hard drive began.
  9. 9. -d Delete o sends string of “AAAAA”s in a loop to the Eldos driver requesting it to write directly to the hard disk. o It deletes all files in the system except the files with extension exe and dll o The malware is also known to wipe out network drives
  10. 10. -w Warning • This switch drops a decrypted from resource section webserver. • It runs on the infected machine with the only purpose of showing the user this ransom message.
  11. 11. Similarity to other APT attacks o August 2012 o Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia. o Credit claimed by Cutting Sword of Justice o 2013 o DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 40,000 systems at South Korean banks and caused $700 million in damage. o Credit claimed by Whois
  12. 12. Insiders? o This Trojan uses stored user name and password combination to get access to the other machines. How did attackers get them? They must have known the internal network, either from insiders or previous attacks.
  13. 13. North Koreans? o The resource section of the main file shows that the language pack used was Korean.
  14. 14. North Korea? Argument #1 FBI Bulletin, Dec 19 o Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks. o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack. o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea. o Hackers used their true IP address o Similar tools o Malware analysis
  15. 15. North Korea? Argument #2 o Snowden docs show NSA first hacked North Korea in 2010 with help from SK o “early warning radar” was implanted to monitor North Korea o Fourth party collection
  16. 16. North Korea Bureau 121. o Reconnaissance General Bureau, North Korea’s main intelligence service with 6,000 hackers o Bureau 121, its secretive hacking unit, with a large outpost in China o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
  17. 17. North Korea Bureau 121.
  18. 18. Conclusions 1. Sony attack was sophisticated , targeted and politically motivated 2. In Sony’s case - early compromise harvesting the user account credentials lead to the later stage using malware designed with the credentials embedded 3. The best defense is an approach that continuously monitors network activities and file movements, detects threat activities across threat kill chain, and correlates observations across the enterprise network
  19. 19. Thank you. Twitter: @belogor Slides on: