Sony Pictures Entertainment remains tight-lipped about the recent cyber attack that ransacked corporate data and shut down key systems, fuelling a storm of speculation.
At this point it is more useful to focus on what can be learned from the attack and what is known from data leaked online and from an FBI memo on computer-killing malware that is believed to describe malware used in the attack on Sony.
The FBI's involvement suggests the attack was serious and Sony indicated a large amount of confidential data was stolen in an email update to staff, reported the Guardian.
Sony said the breach was the result of a “brazen attack” on the company, its employees and its business partners, indicating the attack either extends to or involves the company’s supply chain.
So far, data released online shows the attackers accessed a wide variety of data, including a list of employee salaries and bonuses; social security numbers and dates of birth; employee performance reviews; criminal background checks and termination records; correspondence about employee medical conditions; passport and visa information for film actors and crew; internal emails; and unreleased films.
READ MORE ABOUT DATA BREACHES
- Rich Mogull's Data Breach Triangle: Rethinking data breach prevention
- US State Department bolsters email security after suspected breach
- Spotify warns of data breach
- JP Morgan breach affects 7 million small businesses
- Home Depot under fire for data breach notification
- US military logistics arm breached by China-linked hackers
- Breach response plan is a must for enterprise security
- Best practices for security data breach reporting
- Finance and retail applications most vulnerable to breaches
- Courier firm UPS warns of potential data breach
- Staples breach update: Cyber insurance may cover retailer's costs
- US supermarket retail chain Supervalu reports cyber breach
- Most businesses do not understand risks of data breaches, study finds
- Home Depot security breach: Losses include 53 million email addresses
- UK micro businesses unprepared for data breaches, study shows
Malware overwrites hard drives
According to the FBI, the malware overwrites all data on the hard drives of computers, including the master boot record, preventing them from booting up.
"The overwriting of the data files will make it extremely difficult and costly – if not impossible – to recover the data using standard forensic methods," the report said.
That FBI revealed the malware uses Microsoft Windows components to propagate, shut down network services and get instructions from its controllers.
This means that enterprises that use Windows and Microsoft server software are vulnerable to attack, especially those not using the latest versions of the software.
Companies that rely on Windows and Microsoft server products – especially older versions of Windows – are particularly vulnerable to attack.
The FBI memo provides a way to detect the “beacon” message used by the malware to communicate with its controllers, but that is of limited use to victims according to Ars Technica.
By the time the malware begins communicating with its controllers, it has already been launched on the target network and begun overwriting data.
Enterprise information security professionals will have to wait until researchers have analysed the malware for details to learn how to find it before it is executed.
According to the FBI, the malware comes wrapped in an executable “dropper” that installs itself as a Windows service.
This new Windows service then creates a network file share using the “%SystemRoot%” Windows environmental variable which points to the location of Windows system files in the PC’s file directory structure.
The malware then gives unrestricted access to that share, allowing any computer on the local network to access it. It also uses the command line of the Windows Management Interface (WMI) to spread to other computers on the network.
According to community security analysis site Malwr, the dropper communicates with a set of IP addresses at a university in Japan. Then it shuts itself down.
The dropper also installs a file with the same name as Microsoft’s Internet Information Server (IIS), iissrv.exe to monitor port 80, which is used by most web traffic.
When the main executable called “igfxtrayex.exe” is launched, it makes four copies of itself and launches each of with different command-line arguments to trigger different parts of the code.
It then shuts down the Microsoft Exchange Information Store service, dismounting Exchange’s databases and making email inaccessible.
Next, the malware attempts to connect to its command and control network. At the same time it starts deleting data from the hard drive until it is completely wiped.
Doubt over North Korea theory
Despite reports linking the attack to North Korea, there seems little evidence to back this up. Sony has dismissed as “inaccurate” reports saying the company was set to blame North Korea for the attack.
While North Korea has not issued any statement on the attack, a group calling itself #GOP or "Guardians of Peace" claimed responsibility.
Security industry commentators say the attack does not bear the hallmarks of cyber attacks backed by a nation state, but is more likely the work of hacktivists or disgruntled company insiders.
This is consistent with the fact that the attackers posted notices on Sony computers, saying the company had failed to meet their demands, which were not specified.
Sony has not indicated if it has received any demands from #GOP, but someone claiming to be a member of the group hinted in a media interview that sympathetic insiders helped them in their operation, and that they sought “equality,” according to Wired.
Nation state attackers generally do not criticise their victims for having poor security or post stolen data to Pastebin, said Wired.
Lessons from the Sony hack
While many questions remain unanswered, several security lessons can be drawn from the attack:
- Encrypt all sensitive data. Many of the documents containing personal and corporate information were not encrypted in any way;
- Do not store passwords in the same place as password-protected documents. Although some files were password-protected, most were accompanied by a folder containing the passwords, reports Mashable;
- Use two-factor authentication. Although it is not known how the attackers accessed the Sony data, it is likely they used stolen or credentials provided by insiders, which would have been useless, had the company used two-factor authentication;
- Keep sensitive personal data separate from other data. According to leaked data, folders for salary, heath and other personal data were stored in the same directories as other data;
- Carry out regular external security checks, to ensure obvious security risks are eliminated; and to check that, if attackers are able to get into the network, it is difficult for them to move around without restriction.