Sony Hack Likely Involved At Least a Dozen Individuals — The Bulk Of Whom Were North Korean — But, Reside In Japan; Retaliatory Cyber Strike By U.S. Could Backfire — Hamper U.S. Intelligence Collection

Sony Hack Likely Involved At Least a Dozen Individuals — The Bulk Of Whom Were North Korean — But, Reside In Japan; Retaliatory Cyber Strike By U.S. Could Backfire — Hamper U.S. Intelligence Collection

Dan Goodin, writing on the December 19, 2014 website, Ars Technica, writes that “the highly destructive malware believed to have hit Sony Entertainment, contained a cocktail of malicious components designed to wreak havoc on infected networks,” according to new technical details released by federal officials who work with private sector [cyber] security professionals.

Mr. Goodin notes that “an advisory published Friday by the U.S. Computer Emergency Readiness Team, said the central malware component was a worm that propagated the Server Message Block protocol running on Microsoft Windows networks. The worm contained brute-force cracking capabilities designed to infect password-protected storage systems. It acted as a “dropper” that then unleashed five components. The advisory, which also provided “indicators of compromise” that can help other companies detect similar attacks, didn’t mention Sony by name. Instead, it only said that the potent malware cocktail had targeted a “major entertainment company.”

“This worm uses a brute-force authentication attack to propagate via Windows SMB shares,” Friday’s advisory stated. “It connects home every five minutes to send log data back to command-and-control (C2) infrastructure, if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2,” Mr. Goodin wrote.

“The additional components spread by the dropper worm included a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. The malware also contains the ability to self-propagate throughout a targeted network — through built-in Window shares,”Mr. Goodin observes. “The advisory included cryptographic hash digests of each malware component, the IP addresses of outside servers infected machines connect to, and other signs of compromise. The release also included recommendations other U.S. companies should follow to prevent sustaining the same catastrophic attack. The recommendations, however, largely consisted of general advice such as running antivirus software, installing security updates in a timely fashion, and enforcing strong password policies, things all organizations should already been doing.”

“Because of the highly destructive functionality of the malware, an organization infected with the malware could experience operational impacts, including loss of intellectual property (IP) and disruption of critical systems,” U.S. CERT said. “Actual impact on organizations may vary depending on the type and number of systems impacted.”

North Korea’s Un Refers To Cyber Warfare Capabilities As A “Magic Weapon” In Conjunction With Nuclear Weapons And Ballistic Missiles

In a December 19, 2014 article on the website, KrebsOnSecurity, notes that Hewlett Packard (HP) in a report released earlier this year, said North Korea’s Kim Jong-Un referred to cyber warfare capabilities as a “magic weapon,” and characterized cyber in the same category with nuclear weapons and ballistic missiles. “Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities, closely mirrors their kinetic warfare tactics,” HP said. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare.

Krebs notes, according to sources close to the FBI investigation, that “there may have been as many as a dozen individuals involved in the [Sony] attack — the bulk of whom hail from North Korea — but, reside in Japan. According to HP, the a group of ethnic North Koreans residing in Japan known as the Chongryon, are critical to North Korea’s cyber and intelligence programs; and, help generate hard currency for the regime. The HP report quotes Japanese intelligence officials stating that, “the Chongryon, are vital to North Korea’s military budget, raising funds via weapons and drug trafficking and other black market activities.

A U.S. Retaliatory Cyber Strike On North Korea Could Damage Washington’s Ability To Spy On North Korea

Devlin Barrett, writing in today’s (Dec. 20, 2014) Wall Street Journal, notes that U.S. officials involved in wargaming a U.S. response to North Korea, are concerned that “engaging in a retaliatory [cyber] strike could prove fruitless; and, even backfire, in-part because such a move could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said the policymakers remain squeamish about deploying cyber weapons against foreign targets.”

If the North Koreans associated with the Chongryon group are still on the Japanese mainland, then that certainly might be a possible area where the U.S. could impose some financial penalties on North Korea. Japan is still in a delicate negotiating stage with Pyongyang regarding the return of Japanese citizens who have been kidnapped off the streets of Japan and taken back to North Korea against their will — to serve the North Korean leadership. So, any U.S. approach to Tokyo regarding the Chongryon will be delicate; but, it would seem it has the potential to be an area where Pyongyang’s ability to collect wealth through black market activities on the island — could be curtailed. V/R, RCP

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: