So, without further ado, let's talk about the Sony attack. The controversy centers on the Sony Pictures comedy "The Interview," which stars Seth Rogen and James Franco as a producer and TV personality, respectively, who get the chance to interview Kim Jong-un, the leader of North Korea, and are drawn into an assassination attempt by the CIA…. Let's go over the timeline of events as they unfolded. The attack against Sony Pictures Entertainment was carried out by a previously unknown group called the Guardians of Peace (GOP), which claimed to have targeted the company because “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years.”
Nov 21 - Sony receives an email threatening great damage signed "God's Apstls", a phrase found in the code of the hack three days later
Nov 24 - Wiper activates and bricks Sony's PCs
Nov 27 - Guardians of Peace claims credit and starts releasing stolen movies
Dec 1 - FBI sends "flash alert"; Sony hires a forensics firm
Dec 3 - Destover malware discovered
Dec 11 - GOP leaks Sony executives' emails
Dec 15 - Sony is hit with the first class-action lawsuit for failing to protect employees' private info
Dec 17 - Sony cancels "The Interview"
Dec 19 - FBI confirms the hack was done by North Korea
Dec 23 - Sony decides to release "The Interview" after all on Christmas Day
What was the impact of this attack on Sony? What data was stolen and leaked online?
Password databases, security certificates, MAC addresses for workstations and servers, and the usernames of every person with sudo access
A spreadsheet including the names, birth dates, home addresses and social security numbers of 3,803 employees of Sony Pictures
Payroll breakdowns for the entire company in a spreadsheet
A spreadsheet detailing all the Sony Pictures employees terminated in 2014, including the cause for termination
Employee performance reviews
The social security numbers of more than 47,000 current and former employees, including celebrities like Sylvester Stallone
Salaries for top executives
A number of pilot scripts for the 2014 TV season
Personal information of individuals who worked at Sony Pictures from as far back as 2000
As far as possible damage, this one was the worst I have ever seen.
The attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. The SMB Worm Tool is equipped with five components: a Listening Implant, a Lightweight Backdoor, a Proxy Tool, a Destructive Hard Drive Tool, and a Destructive Target Cleaning Tool. The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said.
We managed to find and analyze the Wiper component. The wiper (igfxtrayex.exe) sleeps for 10 minutes (600,000 milliseconds, as seen below) before it carries out its actual malware routines. After that, the malware sleeps for another two hours and then forces the system to reboot.
-d : This parameter starts the file wipe module immediately. All files on the local disk that are not in the Program Files or Windows folders will be deleted, as well as any file in locally mounted remote shares.
-s : This parameter causes the malware to attempt to mount specific remote shares using a hardcoded username and password. The files in the remote shares are then enumerated and deleted.
-m : Drops a file named usbdrv3.sys in the %TEMP% folder and creates a service named “usbdrv3” with the description “USB 3.0 Host Controller” pointing to it. This module is part of the Eldos Software RawDisk kernel driver; see below for a description. It wipes the MBR of the disk, rendering it unusable.
-a : When executed on Windows 7, this parameter starts the Anti-AV module in some variants of the malware. It drops both anti-AV modules, AMS.EXE and KPH.SYS, in the %TEMP% folder and starts the process.
-w : In some variants of the malware, this parameter drops and executes the web server used to display the malware's ransom message.
This signed driver is part of the Eldos RawDisk library, which offers user mode applications direct access to files, disks and partitions, bypassing the security limitations of the Windows OS. The driver has also been used by previous wipers to write directly to the hard disk.
Shamoon is believed to have been used in August 2012 to render up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia. Shamoon also used the commercial driver to wipe files. DarkSeoul, a hacking group with suspected links to North Korea, struck South Korean banks and media companies in 2013 and also performed a delayed wipe. That attack knocked out almost 50,000 computers and servers in South Korea for several days at five banks and television broadcasters. The hackers were patient, spending nine months probing the South Korean systems. But they also made the mistake seen in the Sony hack, at one point revealing what South Korean analysts believe to have been their true IP addresses. Lim Jong-in, dean of the Graduate School of Information Security at Korea University, said those addresses were traced back to Shenyang and fell within a spectrum of IP addresses linked to North Korean companies.
Note that SPE stands for Sony Pictures Entertainment, the company's domain. Working on the premise that it would take an insider with detailed knowledge of Sony's systems to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive data, researchers from Norse Corporation are focusing on this group, based in part on leaked human resources documents that included data on a series of layoffs at Sony in the Spring of 2014. The researchers tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack. Norse investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented Sony’s anti-piracy stance, to infiltrate the company’s networks.
Skilled hackers use proxy machines and false IP addresses to cover their tracks, or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.
"Fourth party collection" is the practice of spying on spy agencies to gather all the data they're taking in. "Fifth-party collection" is the practice of spying on spies who are spying on other spies. Really.
According to David Sanger (the reporter who first uncovered the US role in Stuxnet), the evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation. Mr. Obama’s decision to accuse North Korea of ordering the largest destructive attack against an American target — and to promise retaliation, which has begun in the form of new economic sanctions — was highly unusual: The United States had never explicitly charged another government with mounting a cyberattack on American targets.
The trail that led American officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the National Security Agency broke into North Korea [David Sanger]. The American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.
According to a Korean defector, Mr. Kim, the military began training computer “warriors” in earnest in 1996 and two years later opened Bureau 121, now the primary cyberattack unit. Members were dispatched for two years of training in China and Russia. These guys were envied, in part because of their freedom to travel. When they returned, they formed the core of the External Information Intelligence Office, which hacked into websites, penetrated firewalls and stole information abroad. Because the North had so few connections to the outside world, the hackers did much of their work in China and Japan. He said the hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
The North Koreans had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems. The hackers spent more than two months mapping Sony’s computer systems, according to David Sanger’s article in the NYT. So let’s now turn towards the biggest threats of 2014.
Sony Pictures Attack by Destover Trojan
o Attack on Sony Pictures, Nov 24, 2014, by GOP - “Guardians of Peace”
o 111 Terabytes of data stolen
o Suspected origin: North Korea
o 7 lawsuits filed against Sony, so far
o Controversy over “The Interview”, which has made $46 million to date
o Trojan designed for Sony’s network
Attack Timeline for Sony Pictures, Nov – Dec 2014
(Timeline chart with milestones on Nov 21, Nov 24, Nov 27, Dec 1, Dec 3, Dec 11, Dec 15, Dec 17, Dec 19 and Dec 23: Sony hit with 1st lawsuit for failure to protect employee data, Sony cancels movie, FBI says hack done by North Korea, Sony decides to release “The Interview”; the events are listed in full in the timeline above.)
What was stolen and leaked?
In a word, everything!
o Personal data on 600 employees
o Movies and scripts
o Performance reports and salary information
o Source code, private keys, passwords, certificates
o Production schedules, box office projections
o Executives' email correspondence
o Brad Pitt's phone number! and more..
o Wiped 3,000 computers and 800 servers
Destover Workflow Diagram
(Diagram: Destover spreads via SMB port 445; components shown are the -w Webserver, the -d Disk Driver and the Wiper.)
Command and Control
o This Trojan uses an encrypted config file, net_ver.dat, embedded in the resource section, that has several IP addresses later used for C&C communication
o Once connectivity is established with the C2 servers, it initiates a two hour countdown, at which time the infected machine will reboot
(Figure: Net_ver.dat config file)
The module can be executed with many parameters:
-i Install itself as a service
-k Remove the service
-d Start file wipe module
-s Mount remote shares with hardcoded passwords and delete files from them
-m Drop Eldos Software RawDisk kernel driver to wipe MBR
-a Start anti-AV module
-w Drop and execute webserver to show the ransom message
o usbdrv3.sys - Eldos Software RawDisk (a commercial product to enable raw access to the hard disk from Windows).
o After ten attempts to connect to one of the local systems, the process of wiping the hard drive began.
o Sends a string of “AAAAA”s in a loop to the Eldos driver, requesting it to write directly to the hard disk
o It deletes all files in the system except the files with extension exe and dll
o The malware is also known to wipe out
• This switch (-w) drops a decrypted web server from the resource section
• It runs on the infected machine with the only purpose of showing the user this ransom message.
Similarity to other APT attacks
o August 2012: Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia.
o Credit claimed by Cutting Sword of Justice
o DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 40,000 systems at South Korean banks and caused $700 million in damage.
o Credit claimed by Whois
o This Trojan uses stored user name and password combinations to get access to the other machines. How did the attackers get them? They must have known the internal network, either from insiders or previous attacks.
o The resource section of the main file shows that the language pack used was Korean.
North Korea? Argument #1
FBI Bulletin, Dec 19
o Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
o Hackers used their true IP address
o Similar tools
o Malware analysis
North Korea? Argument #2
o Snowden docs show the NSA first hacked North Korea in 2010 with help from South Korea
o An “early warning radar” was implanted to monitor North Korea
o Fourth party collection
North Korea Bureau 121
o Reconnaissance General Bureau, North Korea’s main intelligence service, with 6,000 hackers
o Bureau 121, its secretive hacking unit, with a large outpost in
o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
1. The Sony attack was sophisticated, targeted and politically
2. In Sony’s case, an early compromise harvesting user account credentials led to the later stage using malware designed with the credentials embedded
3. The best defense is an approach that continuously monitors network activities and file movements, detects threat activities across the threat kill chain, and correlates observations across the enterprise network
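As an added illustration of the closing point (monitoring across the kill chain and correlating per host), and of the indicators the lecture gives for the SMB worm and the wiper's -m/-a switches, here is example detection code that is not part of the original lecture. It assumes a simplified pipe-delimited event feed carrying Windows event 4625 (failed logon) and 7045 (service installed) plus Sysmon event 3 (network connection) and 11 (file create); the sample events and the 203.0.113.5 C2 address are constructed placeholders.

```python
import re
from collections import defaultdict

# Indicators taken from the lecture; the C2 address is a TEST-NET placeholder, not a real one.
DROPPED_FILES = {"usbdrv3.sys", "ams.exe", "kph.sys"}
C2_WATCHLIST = {"203.0.113.5"}   # stands in for the IPs hardcoded in net_ver.dat
LOGON_FAIL_THRESHOLD = 10        # a burst of SMB logon failures, not a single typo

# Constructed sample events in the form "timestamp|host|event_id|key=value ...".
SAMPLE_LINES = [
    f"2014-11-24T01:02:{i:02d}|WS-01|4625|src=10.0.0.7 user=admin status=0xC000006D"
    for i in range(12)
] + [
    '2014-11-24T01:10:00|WS-01|7045|name=usbdrv3 desc="USB 3.0 Host Controller" path=C:\\Temp\\usbdrv3.sys',
    "2014-11-24T01:11:00|WS-01|3|dst=203.0.113.5:8080 proto=tcp",
    "2014-11-24T01:00:00|WS-02|3|dst=198.51.100.9:443 proto=tcp",
    "2014-11-24T01:05:00|WS-03|11|file=C:\\Temp\\AMS.EXE",
]

def parse(line):
    # Returns (timestamp, host, event_id, dict of key=value fields); quoted values keep spaces.
    ts, host, eid, detail = line.split("|", 3)
    return ts, host, eid, {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', detail)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def stage_for(eid, f):
    """Map a single event onto the stages the lecture describes, or None."""
    if eid == "4625":                                          # failed logon: SMB brute force
        return "smb_bruteforce"
    if eid == "7045" and (f.get("name") == "usbdrv3" or basename(f.get("path", "")) in DROPPED_FILES):
        return "rawdisk_driver_install"                        # usbdrv3 service pointing at the driver
    if eid == "11" and basename(f.get("file", "")) in DROPPED_FILES:
        return "dropped_tool"                                  # AMS.EXE / KPH.SYS / usbdrv3.sys written
    if eid == "3" and f.get("dst", "").split(":")[0] in C2_WATCHLIST:
        return "c2_beacon"                                     # connection to a hardcoded C2 address
    return None

def correlate(lines, threshold=LOGON_FAIL_THRESHOLD):
    """Hosts showing two or more distinct stages are escalated; a lone stage is only a lead."""
    stages, fails = defaultdict(set), defaultdict(int)
    for line in lines:
        _, host, eid, fields = parse(line)
        stage = stage_for(eid, fields)
        if stage == "smb_bruteforce":
            fails[host] += 1
            if fails[host] < threshold:      # below the burst threshold: not yet a stage
                continue
        if stage:
            stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}
```

On the constructed feed only WS-01 is escalated (brute force, driver install and C2 beacon); WS-03's single dropped file stays a lead for triage rather than an alert.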