December 5, 2014 5:23 pm
Sony Cyber Attack Reveals Hackers Changing Their Stripes
Matthew Garrahan in New York, Hannah Kuchler in San Francisco and Kana Inagaki in Tokyo
A security guards walks past the entrance to Sony Pictures Plaza in Los Angeles, California on December 4, 2014, a day after Sony Pictures denounced a “brazen” cyber attack it said netted a “large amount” of confidential information, including movies as well as personnel and business files, But downplaying a report that North Korea was behind the attack, saying it did not yet know the full extent of the “malicious” security breach. AFP
PHOTO/Frederic J. BROWN (Photo credit should read FREDERIC J. BROWN/AFP/Getty Images)©AFP
For marketing executives at Sony Pictures Entertainment, the hacking of the movie studio’s computer network two weeks ago may initially have seemed like a promotional dream come true.
Rumors swirled that North Korea was behind the hack, apparently in revenge for Sony’s upcoming film The Interview — a Seth Rogen comedy about a farcical assassination attempt on Kim Jong Un. Due for release in the US on Christmas day, the film duly benefited from the kind of publicity money cannot buy, with all corners of the media weighing in on the role it may have played in provoking the cyber attack.
But any positive feelings Sony executives may have had about the free publicity for The Interview will have dissipated in recent days as the full extent of the hack began to be revealed. Not only was the studio embarrassed by the leaking of new films and documents, but large quantities of its data were systematically destroyed.
Shortly after the hacking took place, some Sony movies — including unreleased titles, such as its remake of Annie, another Christmas film — were uploaded to file-sharing sites.
Then, anonymous individuals alerted members of the media to caches of highly confidential Sony documents that had been posted online — containing everything from employees’ healthcare files, passwords and social security numbers to Mr Rogen’s and James Franco’s salaries for their performances in The Interview. More embarrassing for Sony, however, was the release of pay details for the studio’s top executives.
Although Sony Pictures Entertainment is the only major movie business to have been hacked, Roy Salter, senior managing director of business advisory group FTI Consulting, warns the impact would be felt far beyond the walls of its studio headquarters in Culver City, California.
“Nobody wins here,” he says. “Everyone in the entertainment and media industry is negatively affected, including audiences who need it [the industry] to be incentivized to make high-quality programming.”
However, the nature of the hack also indicates a growing challenge to large companies around the world: the need to back up their computers securely and defend against data destruction.
Sony has hired Mandiant, a forensic cyber crime group owned by FireEye, to investigate the incident. This week, the Federal Bureau of Investigation also began probing the attack. So far, though, the studio has kept quiet about any findings, apart from dismissing as “inaccurate” reports that it was about to name North Korea as the culprit.
But cyber security experts have been intrigued by the hack, which differs from the usual attacks on corporations, mainly because the hackers appear to have destroyed the data on Sony’s computers after accessing it.
Cyber crime has generally taken one of three forms, even as incidents have increased: hacktivist groups such as Anonymous aiming to shame companies for their behavior; criminal gangs stealing information that can be used to make money; and nation state actors engaging in corporate espionage.
Trey Ford, global security strategist at Rapid 7, a US security company, argues that the Sony attack cannot be put into any of these categories, as it appears to be motivated by “retribution” in an “idealistic sort of strike back scenario”.
He says: “The very unusual thing is how do you monetize something that has been destroyed? It doesn’t sound like a typical professional criminal type business, it seems like a revenge type of activity. This destruction aspect is very, very rare”.
So far, the majority of high-profile cyber attacks have been about pure financial gain: for example, the theft of millions of credit card details from US retailers such as Target and Home Depot, or personal data that can be sold on underground markets, such as the email addresses leaked from JPMorgan. Hackers rarely want to destroy this data as it proves they have gained access to it.
But the attack on Sony was more complicated — first, because much of the data were deleted and, second, because of the huge range of documents and data, from movies to pay documents, that appear to have been leaked, posted on websites or emailed to reporters.
Ron Gula, chief executive of Tenable Security, a US-based cyber security company, claims that this shows how hackers are moving from stealing data to destroying it.
“It is really a view of what’s to come next year,” he warns. “I really believe the people doing these attacks will move from exfiltration to pure destruction of data. The vulnerabilities in these organizations are so bad, people who want to do this kind of harm can do this kind of harm and will do this kind of harm.”
The movie The Interview is set to hit theaters in October and stars James Franco and Seth Rogen as a talk-show host and his producer who, after landing an interview with Kim Jong Un, are drafted by the CIA to kill him.
‘The Interview’ stars James Franco and Seth Rogen
Sony Pictures Entertainment has not commented on whether its data were securely backed up off-site, or whether it has all been lost.
For its parent company, however, it is the second damaging cyber attack in three years. In 2011, Sony’s PlayStation Network was hacked, with the perpetrators gaining access to the personal information of more than 100m users.
In the aftermath of that attack, Sony beefed up its cyber security, creating a new role — chief information security officer — and implementing various measures to reinforce its computer networks. Nevertheless, while some security analysts said the attack was so sophisticated that it would have been difficult for any company to withstand, others were critical of Sony’s response. Last year, Sony’s European subsidiary was fined £250,000 by a UK watchdog and criticized for failing to properly secure customer data before the PlayStation hack. The company said it planned to appeal.
This latest hack is the first time Sony Pictures has been targeted. The studio — and its rivals across Hollywood — will be keen to avoid a sequel.
‘Monumental’ Task Looms In Rebuilding The Network
Step one in most cyber security investigations is to work out whether hackers have succeeded in getting inside a computer system, writes Hannah Kuchler in San Francisco.
But in the case of Sony Pictures Entertainment, that was already abundantly clear: they are reported to have replaced screensavers across the computer network with an image of a red skeleton and the phrase “hacked by the #GOP” — apparently standing for a group calling itself Guardians of Peace.
Step two is to discover whether the cyber criminals are still inside the systems, and, if so, to boot them out and start repairing the damage. Victims then need to investigate the motives of the attackers, to work out which data they may have compromised and how sophisticated the tools they were using may be.
Most companies do not have sufficiently sophisticated IT security departments to do this, so they will make two phone calls: one to law enforcement, and another to a cyber security company such as Mandiant — the division of FireEye currently working for Sony.
Trey Ford, global security strategist at cyber security company Rapid 7, says the Sony screensavers prove the hackers had compromised “the most powerful account in the network”, as they had been able to make changes to the Windows software on every computer.
“When that is compromised you can’t just remove a piece of malware and think you have control back,” he notes. “The level of rebuilding [of the network] required is monumental.” He claims most companies do not have a disaster recovery plan that can start a system again from scratch.
Once a computer network appears safe again, companies must then think about improving cyber security for the future — often by buying new technologies, making executives more directly responsible for security, and finding out how cyber security insurance can help limit their liability.