Sony’s ‘DarkSeoul’ Data Breach Stretched From Thai Hotel To Hollywood
Jordan Robertson, Dune Lawrence, and Chris Strohm, writing in the December 7, 2014 online edition of Bloomberg News, begin their article: “the computer hackers drilled into the network at the elegant…St. Regis Hotel, Bangkok that night; and, with a keystroke — laid bare the secrets of Sony Pictures Entertainment.” “What had begun with a secret incursion into the Hollywood studio’s computer system — was reaching its climax, in, of all places, a 5-star hotel in the capital of Thailand.”
“It was 12:25 a.m. on December 2,” 2014, Bloomberg reports, “the morning of December 1, in California. Working through a high-speed network at the St. Regis — whether from a guest room; a public area like the lobby; or, a separate location is unknown — the hackers began leaking confidential Sony data to the Internet, according to a person familiar with investigations into the breach.” This person spoke to Bloomberg on the condition of anonymity — because the cyber forensic investigation is still ongoing, and considered confidential.
“By the time it was over, the world would learn the private details of 47,000 Sony employees, former employees, and freelancers, as well as several Hollywood stars, in a hack that many experts say heralds a dangerous new era in cyber security,” Bloomberg notes. Indeed, “the entertainment division of Sony Corporation — is still struggling to contain the damage from the revelations.”
“Who hacked Sony and why, remains unclear,” the authors write. And Bloomberg says the hack — “appears to have been designed to embarrass Sony, rather than enrich the perpetrators.”
“As cyber security experts sift through the clues,” Bloomberg adds, “many say the episode bears the hallmarks of DarkSeoul, a hacking group with suspected links to North Korea — that struck South Korean banks and media companies in 2013. North Korea, which has denied any involvement in the Sony episode, released a statement Saturday, saying the hack “might be a righteous deed” of its supporters, or sympathizers.”
“If North Korea is behind the attack, the development would mark an alarming shift in state-sponsored cyber crime, which has generally targeted military and infrastructure,” said Michael Fey, President and Chief Operating Officer of Blue Coat Systems Inc., a network [cyber] security company in Sunnyvale, California.
“It’s a very high-stakes game of poker that’s starting to escalate,” Fey said.
“The Thai connection,” which hasn’t been reported previously Bloomberg notes, “provides a glimpse into how the Sony hack went down.”
“Cyber security investigators have traced the hackers’ digital footprints to the network at the St. Regis, Bangkok, on Rajadmari Road — in an area populated by international corporations and upscale boutiques such as Bulgari and Valentino. Evidence suggests that the person, or persons, who distributed the Sony data…may have been operating inside the hotel; although it’s also possible they were working from a remote location,” according to a person familiar with the investigation.
“An Internet Protocol address the malware used to communicate with the hackers, was also located at a university in Thailand,” this person who spoke to Bloomberg said. “Hackers often take advantage of open university networks in initiating attacks.” Katie Roberts, a spokeswoman for Starwood Hotels and Resorts Worldwide Inc. (HOT), which owns the St. Regis Bangkok, didn’t respond to emails from Bloomberg seeking comment.
“If the hackers were indeed at the St. Regis, they were essentially hiding in plain sight, by using a busy wireless network available to hundreds of guests. The data disclosed included salaries and home addresses of people who left Sony as far back as 2000, as well as Social Security numbers and contracts. Celebrities whose details were revealed include the actor Sylvester Stallone; and, producer Judd Apatow,” Bloomberg noted.
“One theory is that the attack was North Korea’s revenge,” for a yet to be released, Sony-produced movie/comedy — “The Interview,” — an idea some cyber security experts have called far-fetched. The film stars Seth Rogen and James Franco, and concerns an attempt on the life of North Korean leader, Kim Jong-Un,” whom I have previously dubbed — “Mini-Me.”
“Yet,” Bloomberg notes, “all sides agree that North Korea appears to operate a large network of hackers, with estimates ranging as high as 5,900. Many of these people work outside North Korea…because of that country’s limited Internet infrastructure. One hacking unit is housed within the Korean Computer Center, or KCC, a government research and development agency,” according to a report issued in August by the cyber security division of Hewlett-Packard Co. (HPQ). “The KCC operates out of almost 20 offices in North Korea and branches in China, Germany, Spain, and the United Arab Emirates,” HP said.
“The Reconnaissance General Bureau, the country’s primary intelligence agency, has two hacking units, No. 91 Office, and Unit 121. Some members of Unit 121 have worked out of the Chilbosan Hotel in Shenyang, China, near the North Korean border,” according to a 2009 research paper that cited a North Korean defector who claimed to have served in Unit 121. “That’s one reason a connection to a foreign hotel in the Sony hack — in this case, the St. Regis Bangkok — doesn’t surprise investigators linking the attack to North Korea,” Bloomberg noted.
“More clues lie in the computer code itself,” Bloomberg observed. “Details released by the U.S. Federal Bureau of Investigation (FBI) have enabled [cyber] security companies to find and analyze the malware used against Sony. The first piece of code outlined by the FBI was customized for Sony,” according to Daniel Clemens, a security researcher and founder of Packet Ninjas LLC, a cyber security firm in Hoover, Alabama. “When the malware runs, it tries to connect to hosts within Sony’s network, indicating it was tailored to the company,” Bloomberg argued.
“Other elements are similar to the DarkSeoul campaigns in South Korea. The group generally uses destructive “wiper” programs that erase hard drives, or conducts distributed denial-of-service attacks that clog websites with fake traffic,” according to the cyber security firm, Symantec Corp (SYMC).
“The Sony code shares techniques and component names with the code used in the earlier DarkSeoul attacks,” according to an analysis by Mountain View, California-based Symantec Corporation.
“At least one command-and-control server in Bolivia was used in both the South Korean campaigns and the Sony Pictures hack, suggesting that the same group was behind both,” said Liam O Murchu, a security researcher for Symantec. “Command-and-control servers, which are used to communicate with malware once it’s on the target systems, are typically hacked themselves, making the attackers’ true origins,” Bloomberg wrote.
“This is the same group that was working in Korea a year ago,” O Murchu said. “There are so many similarities — this must be the same people.”
“Kurt Baumgartner, Principal Security [cyber] Researcher at Kaspersky Lab in Denver, Colorado, also found similarities,” Bloomberg added. “As in South Korea, the destructive programs were compiled less than 48 hours before the attack,” Mr. Baumgartner said. “In both instances, the hackers also defaced websites with skeleton images; and, vaguely political messages.”
“The malware used against Sony also has overlaps with Shamoon, perhaps the most high-profile deployment of wiper software to date, which destroyed information on thousands of computers in Saudi Arabia in 2012,” Bloomberg wrote. “Both used the same kind of commercially available drivers from the RawDisk library made by EldoS Corp.,” Baumgartner said. “Shamoon was also compiled shortly before it detonated.”
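The “compiled less than 48 hours before the attack” indicator that Baumgartner cites above, for both the DarkSeoul and Shamoon comparisons, comes from the TimeDateStamp field in a PE file’s COFF header. The following is an added example, not code from Bloomberg, Kaspersky or any of the investigators quoted on this page; it builds a constructed, non-executable PE stub (no real sample is embedded), reads the compile timestamp back out of it, and measures the gap to a first-seen time. The first-seen value is the 12:25 a.m. December 2 Bangkok time the article reports, converted to UTC by me; the 48-hour window and the “zeroed”/“future” buckets are my own choices, included because a linker can emit a zero stamp and an attacker can forge one, so the field only supports attribution when it is not obviously tampered with.

```python
import struct
from datetime import datetime, timezone

# Constructed reference point: 00:25 on 2 Dec 2014 in Bangkok (UTC+7), per the
# article; the UTC conversion is an assumption made for this example.
FIRST_SEEN = datetime(2014, 12, 1, 17, 25, tzinfo=timezone.utc)
FRESH_WINDOW_HOURS = 48  # threshold quoted on the page, chosen here as the cutoff


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal PE image (MZ stub + PE signature + COFF header)
    carrying the given TimeDateStamp. Constructed test input, not a sample."""
    e_lfanew = 0x40                                  # offset of the PE signature
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # IMAGE_DOS_HEADER.e_lfanew
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp sits 8 bytes past the signature (after Machine, NumberOfSections)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify_build_age(data: bytes, first_seen: datetime = FIRST_SEEN,
                       window_hours: float = FRESH_WINDOW_HOURS) -> dict:
    """Bucket a binary by how long before first_seen it was (apparently) built.

    'fresh'  : compiled inside the window before first_seen (the page's indicator)
    'old'    : compiled earlier than the window
    'zeroed' : stamp is 0, so the field carries no information
    'future' : stamp is later than first_seen, i.e. forged or clock skew
    """
    ts = pe_timestamp(data)
    if ts == 0:
        return {"bucket": "zeroed", "hours_before": None}
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    hours = (first_seen - compiled).total_seconds() / 3600.0
    if hours < 0:
        return {"bucket": "future", "hours_before": hours}
    bucket = "fresh" if hours < window_hours else "old"
    return {"bucket": bucket, "hours_before": hours}


if __name__ == "__main__":
    base = int(FIRST_SEEN.timestamp())
    for label, ts in [("built 20h before", base - 20 * 3600),
                      ("built 30d before", base - 30 * 24 * 3600),
                      ("zero stamp", 0),
                      ("built 1h after", base + 3600)]:
        print(label, classify_build_age(build_minimal_pe(ts)))
```

On a real sample, replace `build_minimal_pe(...)` with the file’s bytes and `FIRST_SEEN` with the earliest sighting from the case timeline; a “fresh” result is a single weak signal, and only the “zeroed” and “future” buckets are reliable on their own, since they show the stamp cannot be trusted at all.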
“After the attacks in 2013, researchers at Intel Corporation’s (INTC) McAfee unit traced the code back to a family of malware used against South Korean and U.S. targets, starting in 2009 with the denial-of-service attacks against South Korean and U.S. military targets. McAfee called the attack ‘Operation Troy.’
CrowdStrike Inc., another security technology company, has another name for the DarkSeoul group — Silent Chollima, a reference to the mythical winged horse that is an important symbol in North Korea. CrowdStrike has been tracking the group since 2006, and has linked it to the North Korean government,” Bloomberg noted.
“Destructive attacks are actually very, very, rare — North Korea is one of the few that has launched them repeatedly,” said Dmitri Alperovitch, Co-Founder and Chief Technology Officer of CrowdStrike, which is based in Irvine, California. “They always seem to be pushing the boundaries of what they can do.”
‘Guardians Of Peace’
“In the Sony case, a previously unknown group calling itself GOP, or “Guardians of Peace,” claimed responsibility. In earlier attacks attributed to North Korea, the hackers also posed as hacktivist groups,” according to John Hulquist, Senior Manager of Cyber Espionage Threat Intelligence at iSight Partners Inc., a cyber security company based in Dallas, Texas. Hulquist told Bloomberg, “the hackers may be hired contractors; or, are creating a hacktivist profile to hide their identity, especially since the group doesn’t have a history of similar acts. It’s an increasingly common tactic of nation states trying to cover their trails,” he said.
“By definition, a hacktivist group has history, they’ve been out defacing websites, doing stuff,” Hulquist added. “Given the lack of background behind the hacktivist organization claiming responsibility, I think we’re looking at North Korea sponsoring it; or, someone sympathetic to North Korea sponsoring it,” he concluded.
What Strikes Me Is How Fast Cyber Sleuths Have Been Able To Develop The Digital Trail
If the Sony hack was state-sponsored; and, it seems very likely it was — and, if North Korea increasingly appears the most likely culprit — which it probably is — then one of three things, or a mixture of all three, is at play here. Either North Korea did not cover its digital trail very well; or it got sloppy; or it wanted to leave enough clues — short of outright “indisputable evidence” — to ensure that Sony got the message. It is probably a mixture of all three. But, it is probably also true that our cyber forensic/detective skills are getting better; and, carrying out a targeted cyber attack of this scale and magnitude — without leaving a trace — is getting more difficult. At least that is something we can hang our hat on from a defensive standpoint; but, it also means that a state-sponsored covert or clandestine cyber hack done offensively — may also be discovered more rapidly than we might hope. Lots to think about. V/R, RCP