An organization identifying itself as Guardians of Peace brought operations to a standstill at Sony Pictures Entertainment (SPE) on November 24, 2014, as systems throughout the organization were left inoperable. As IT worked to correct the issue over the Thanksgiving holiday in the US, employees were left to using personal email, or even pen and paper to communicate throughout the company.
A litany of internal information was stolen and leaked to the internet in a 27.78 GB archive on BitTorrent, though Guardians of Peace indicates they have "tens of TB" of files. The presently leaked data includes:
- Spreadsheets containing the credentials of social media accounts controlled by SPE;
- Spreadsheets listing the names, home addresses, birth dates, and social security numbers of all SPE employees, including executives;
- Spreadsheets detailing the payroll for individual departments, comparison to the payroll of other studios, and the cost of termination for people dismissed amid a corporate restructuring earlier this year;
- Internal recruiting materials and employee performance reviews; and
- Contracts and information regarding television program syndication for Sony Pictures Television and film bundle syndications for SPE.
Confusingly, this archive was being seeded by EC2 instances on sequential IP addresses also utilized to serve (legitimate) content for Sony Computer Entertainment (SCE), the division responsible for PlayStation. The infrastructure between the two systems is generally thought to be completely separate, making the possibility of a security breach at SCE an open question.
Method of attack
The trojan used in this attack, called "Wiper" by the FBI and identified as Destover-C by Sophos, uses the Windows network file sharing system to propagate itself, modify network variables, and shut down and reboot individual systems on the network. The dropper installs the trojan and related files — many with names identical to critical Windows components — and opens a network share for %SystemRoot%.
It also has the capability of shutting down the Microsoft Exchange services, rendering email inaccessible and deleting the contents of a hard drive at the sector level, not at the file system level.
The method by which data was taken from Sony is still not immediately clear, though the malware apparently has user credentials hardcoded in the package.
Sony's history of security problems
Any organization as large as Sony is a high-profile target for hackers, and various divisions of Sony have a long history of major critical exploits that have disabled internal or public-facing services for extended periods of time.
In April 2011, the PlayStation Network operated by SCE was shut down for 23 days after user credentials, home addresses, and credit card information for 77 million users were obtained by hackers. This left users unable to use online multiplayer functions, external streaming video services such as Hulu or Netflix, and unable to play certain downloaded games with no online component. Notably, passwords for the PlayStation network were not encrypted but simply hashed, a fact for which Sony received criticism.
In May 2011, a similar exploit led to a compromise of 24.6 million accounts for Sony Online Entertainment (SOE) accounts, again with hashed passwords. SOE publishes and operates massively multiplayer online games playable on Windows and PlayStation. This hack is considered retaliation by Anonymous against Sony following its lawsuit against researcher George Hotz after he identified and released the root signing and encryption keys of the PlayStation 3, allowing users to run any arbitrary application — commercial or homebrewed — on the PlayStation 3 hardware.
Also in 2011, various units of Sony Music Entertainment were hacked with websites defaced and some account information stolen using primarily SQL injection techniques. Affected websites include country-specific presence websites for Sony Music in Brazil, Ireland, France, Portugal, and Spain, among others.
In June 2011, the websites of Sony Pictures Russia and Sony Pictures France were compromised in similar hacks.
A long time coming
As reported by Fusion, former employees are criticizing the security practices at Sony Pictures, with one employee claiming, "The real problem lies in the fact that there was no real investment in or real understanding of what information security is." Quite apparently, there aren't any internal protections to sensitive data on the network — adding encryption or password protection to sensitive files now being disseminated across the internet could have prevented some damage.
Jason Spaltro, the senior vice president of information security at Sony Pictures, gave an interview with CIO in 2007 (when he was the executive director of information security), stating that "it's a valid business decision to accept the risk" of security breaches, and "I will not invest $10 million to avoid a possible $1 million loss."
How would you handle this?
If you're working in IT in an organization that is unwilling to spend the money on basic security measures, at what point would you decide to seek greener pastures elsewhere for the sake of career management? For IT workers at Sony Pictures looking for future employment, do you think their association with one of the largest corporate breaches be a black mark on their employment history? Let us know your thoughts on the matter.
- Sony hacked again, this time the PlayStation Network (CNET News)
- Sony employees got threatening emails after hack, FBI confirms (CNET News)
- Sony hack exposed social security numbers of Hollywood celebrities (ZDNet)
Disclosure: TechRepublic, CNET, and ZDNet are CBS Interactive properties.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.