The story of the new Sony hack

    Computer attacks, movie leaks and North Korea


    Two weeks ago Sony's corporate network was hacked again, but there are a number of misconceptions about the incident. It is worth noting that it was not Sony itself that was hacked, but Sony Pictures, a subsidiary of the multinational corporation.

    As a result of the attack, employees' personal information and, of far greater interest to the layman, several unreleased films leaked onto the Internet. Some web comics have already managed to joke about this Christmas gift.

    It is unclear when access to the computer systems was obtained. One member of the hacker group said that the first break-in took place a year ago. A number of facts suggest that the DPRK was behind the attack, and that the reason was the new American comedy about Kim Jong-un.

    On November 24, when trying to log in to their work computers, Sony Pictures employees saw a strange picture. It showed a reddish, evil-looking skeleton, a text message with threats and several links. The group of hackers identified themselves as #GOP. This is the moment the story of the hack begins.


    Several dozen of the media company's Twitter accounts were hacked, and similar messages appeared in them.

    As a result of the attack, the Guardians of Peace obtained many important private documents. The files themselves were not uploaded immediately; instead, a list of them was provided in a zip archive. The GOP threatened to publish the files if the group's demands were not met, although, by and large, no demands had been made.

    The zip archive consisted of the files LIST1, LIST2 and Readme. The lists included podcasts, potentially dangerous documents (financial reports, health insurance data, correspondence), cryptographic keys and files with passwords. The latter explains how easily the Twitter accounts were accessed.

    The hack temporarily paralyzed the company: employees could not answer phone calls, use computers, or read and reply to email, because all data had been deleted. Staff had to work with fax machines and landline telephones. Computer systems were more or less restored only by December 1.

    The attackers promised to publish the stolen data the next morning, but this happened much later. It was stated that only part of 100 terabytes of stolen data was posted.

    Among the documents is a lot of data about 3803 Sony Pictures employees: their names, dates of birth, social security numbers and performance evaluations. There are detailed salaries for the entire company, a list of those laid off in 2014, including the reasons and the various costs involved, and data on sick leave, pension payments and the profitability of films.

    The files were created in copies of Microsoft Office licensed to Sony Pictures. The names of network nodes (routers, servers) and passwords were published, including "password" and the simple "s0ny123". There are even domain certificates.

    Also leaked were a script by Vince Gilligan (creator of Breaking Bad) and several films. Their quality is low: these were promo copies of "Annie", "Rage", "William Turner", "Still Alice" and "Write love on her hands." Some of the films had not yet been released at the time of the leak.

    The small archive Bonus.rar from the hackers held the juiciest part: a folder named Passwords. The folder really did contain 140 files with login and password pairs. Some were personal (karrie's Passwords.xls), others work-related (YouTube login passwords.xls). There were passwords for financial accounts, voicemail and other servers. Sometimes names, emails, phone numbers and even addresses were included.

    The 2011 hack, when the PlayStation Network was down for several months and the company suffered huge losses, taught Sony absolutely nothing: just as three and a half years ago, passwords were kept in ordinary office documents and spreadsheets rather than in an encrypted password manager.

    It is not only the company that is suffering, but also its employees. Their personal data became known, including a rather important element of American life, the social security number. This applies not only to little-known employees but also to celebrities, for example Sylvester Stallone. In total, 47 thousand SSNs leaked.

    It was also reported that some victims of the leak received letters in which unknown persons, writing in not very literate English, threatened to endanger the lives of employees and their families to make them sign a statement about Sony's distrust of lies.

    Judging by the wording, the hackers had put demands to Sony, but the company ignored them, which provoked the attack. At the same time, the GOP's other wishes remain unknown. All there was is a vague demand for "equality", and the group called the head of Sony Pictures Entertainment, Michael Lynton, "a criminal". A few hours ago a public demand finally appeared: to stop the release of the film "The Interview".

    Suspicion fell on North Korea on November 28. The film "The Interview" opens on December 25; in it the leader of the DPRK is not only portrayed in a bad light, but the plot has him being killed. A couple of rather unpleasant violent scenes were cut from the film, but it still provokes an extremely negative reaction in Pyongyang; even the word "reckoning" was used.

    One clear piece of evidence of North Korean involvement was reported by the Wall Street Journal: a high degree of similarity between the programs used in the Sony hack and code used in a series of attacks on banks and television in South Korea. The 2013 attack is believed to have been carried out by the DPRK.

    In general, most of the group's communication with the press takes place through open mail accounts that anyone can access, so it is impossible to confirm the authenticity of the statements. Some of the expressions (strange references to human rights, a demand for peace) partly coincide with what is written in the North Korean media and are mixed with oddities in the use of English.

    Interviewing is not our goal, as Sony Pictures suggests. But it is often reported that our activity is related to the Interview. This shows how dangerous the Interview is. An “interview” is dangerous enough to trigger a massive hacker attack. Sony Pictures made a film detrimental to regional peace and security and violated human rights for money. The news from the Interview completely introduces us to the crimes of Sony Pictures. So their activity is completely contrary to our philosophy. We are struggling with the similar greed of Sony Pictures.

    By the way, the film "The Interview" was not among the leaks.

    Later studies only confirm this conjecture. The FBI warned of the possibility of such attacks on other American companies. The usbdrv3_32bit.sys and usbdrv3_64bit.sys files used for hacking were examined.

    However, the FBI report mentioned that samples of malicious programs were created on computers with Korean language packs.

    In addition, it was indicated that the applications were written specifically to attack Sony Pictures: IP addresses and host names are hard-coded directly in the executable files. The file that struck the corporate network was compiled on November 22 and contained references to Sony network nodes; others were created on November 24 and in July of this year, but all they shared with the first were the IP addresses of the botnet's command servers.

    Jaime Blasco, head of the computer security firm AlienVault, also studied the files. A program with hard-coded Sony host names periodically connected to other machines on the internal network. It contains a list of system elements that were used to log in and wipe disks, removing the master boot record.

    To delete files, the driver of the commercial RawDisk product was used; the product was created to help system administrators. The driver provides low-level access to the file system, bypassing Windows security restrictions.

    The same product was used in attacks on Saudi Arabia and South Korea. In 2012, Aramco lost data on 30 thousand computers, and Cutting Sword of Justice claimed responsibility. The purpose of the hack was to "prevent the tyrants of this country and other countries who support economic adversity through injustice and oppression."
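
    A minimal static-triage sketch for the two artifacts described above, the PE compile timestamp and hard-coded IPv4 strings, added here as an example (it is not code from the FBI report or from this article). The sample bytes, the function names and the addresses (documentation ranges) are constructed for illustration; the timestamp field is written by the build tool and can be set to any value by whoever produces the file.

```python
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_* values
_OCTET = rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# Dotted quad not embedded in a longer digit/dot run (skips "1.2.3.4.5").
IPV4_RE = re.compile(rb"(?<![\d.])(?:" + _OCTET + rb"\.){3}" + _OCTET + rb"(?![\d.])")


def triage_pe(data: bytes) -> dict:
    """Compile time, architecture and embedded IPv4 strings of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "compiled_utc": compiled,
        # Zero or a future date is worth flagging; a plausible date proves nothing.
        "stamp_suspicious": stamp == 0 or compiled > datetime.now(timezone.utc),
        "ipv4_strings": sorted({m.group().decode() for m in IPV4_RE.finditer(data)}),
    }


def build_sample() -> bytes:
    """Constructed PE-like header plus strings; not a real malware sample."""
    stamp = int(datetime(2014, 11, 22, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 0, 0x0102)
    # Documentation-range addresses (RFC 5737) and a version string as a decoy.
    strings = b"\x00connect 203.0.113.7\x00198.51.100.23\x00ver 1.2.3.4.5\x00"
    return dos + coff + strings


if __name__ == "__main__":
    for key, value in triage_pe(build_sample()).items():
        print(f"{key}: {value}")
```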

    All four studied files were compiled on a computer with Korean system language encoding. Of course, this is not a proof of anything; some data can be manipulated to cover the tracks.

    The skull imagery and the posting of data on Pastebin are hard to reconcile with the image of a state agency. Some sources question this link: the GOP allegedly sought monetary compensation for the victims of the recent Sony Pictures reorganization. It is likely that insiders played a role.

    Blasco believes that the attack was most likely not carried out by the same group. According to him, it could be another team that used similar methods. He sees no data pointing to the attack's country of origin. So far, Sony itself has not confirmed the North Korea version.

    There are technical differences: the Seoul attack packages included scripts for working in a Linux environment, but there were none in the Sony hack. Perhaps they simply were not needed.

    According to recent reports, the hackers worked from a hotel in Bangkok, the capital of Thailand. Is hacking by such an outwardly weak but aggressive country realistic? Of course: hackers in North Korea are a pampered elite. Details of Bureau 121 became known from some of those who fled the DPRK. It is an elite spy agency with a strength of 1800 hackers. Their training often begins at the age of 17. Among the hundreds of best graduates of the University of Automation there are many members of Bureau 121.







    To be hand-picked is a great honor and the stuff of ordinary people's dreams: hackers are well paid and given many privileges in a country where even sending email requires permission.

    A friend of one of those who spoke about the bureau works abroad for North Korea as an employee of a trading company. To remove the temptation to escape, his family was settled in a large, expensive apartment in a good area of Pyongyang: a good public service career for a boy from the village.

    Representatives of North Korea fended off the accusations half-heartedly. A later message said that they did not carry out the hack but entirely approve of it: the attack was called "fair." The DPRK National Defense Commission says it knows neither the location of Sony Pictures nor what caused the attack. Time will tell how honest this statement was.
