Russian Hackers Broke Into Sony’s Network — And, Are Reportedly Still Lurking In Their IT Ecosystem
According to an article on the website Dark Reading, “Sony Pictures Entertainment might have been compromised this fall by Russian hackers, who are still lurking within the Sony network now. These Russian criminals,” the website claims, “were probably not working with the North Korean government. The bad news,” Ms. Sara Peters writes, “is that the intelligence about the existence of said Russian cyber criminals may not be reliable — in the opinion of a retired U.S. naval intelligence officer.”
“A report by Taia Global, ‘The Sony Breach: From Russia, No Love,’ reveals some new information about the threats to Sony. While it doesn’t provide a wealth of damning evidence pointing to any particular perpetrator,” Ms. Peters notes, “it does serve as a reminder why [cyber forensic] attribution continues to be such a [difficult, complex, and] persistent problem in fighting cyber crime. Just because your organization was compromised in several ways at the same time doesn’t necessarily mean the attacks were related. Just because two malicious parties have compromised you at the same time doesn’t mean they’re working together,” she argues.
“The reason why it’s so confusing [in the Sony case]…is because the evidence is so conflicting,” said Taia Global founder and CEO Jeffrey Carr. In the report, Carr “describes what he learned through conversations with a black hat hacker who goes by the name ‘Yama Tough.’” Mr. Carr explains that he and Yama Tough “have established a trusting relationship — they’ve known each other a long time; and Carr knows Yama Tough’s true identity.”
Mr. Carr says he asked Yama Tough directly “if he was personally involved with the attack. Yama Tough said no; and Mr. Carr believes him,” Ms. Peters wrote. “However, at Carr’s request, Tough used his own contacts to find information about the people behind the Sony hacks. Tough then related to Carr what he’d been told by an unnamed Russian hacker (referred to as ‘URH’ in the report), who Tough described as a long-time black hat hacker who does occasional contract work for Russia’s Federal Security Service” (the old KGB).
From the report: “URH told Yama Tough he sent spear phishing emails to Sony employees in Asia and Russia, and then used an advanced plotting technique to move inside the SPE network. The email, sent by URH and his 12 team members, contained a .pdf attachment, which was loaded with a Remote Access Trojan (RAT) that isn’t in any AV signature database.”
“To back up his words,” Ms. Peters writes, “URH shared Sony documents that were not found in the big data dumps that other attackers had published on Pastebin. Among those documents were Sony emails dated as recently as January 23, 2015.”
“The participation of Russian-speaking cyber actors fits with earlier research conducted by Carr and Taia Global,” Dark Reading notes. “They [Taia Global] conducted a linguistic analysis of all the messages [about 2,000 words in all] written by ‘The Guardians of Peace’ — the hacking group that took responsibility for at least some of the hacks on Sony and exposed all manner of sensitive Sony documents. That analysis indicated that the authors were native Russian speakers,” according to the research.
“This all leads Carr to the conclusion that either a group of Russian hackers and a group of North Korean attackers were running separate, simultaneous attacks against Sony, or perhaps North Korea was never involved at all and it was simply another group that included at least one Russian individual. He does not think that a party of Russians and a party of North Koreans were working collectively.”
“They said they had nothing to do with North Korea,” says Carr of the unnamed Russian hacker. Mr. Carr further remarks “that he can’t see why North Korea would hire a group of Russian hackers to do their dirty work — because the country already has its own state-sponsored cyber army, and it had already damaged any attempt at plausible deniability when it made threats against Sony months before the attacks,” Ms. Peters wrote. “What I think is that there were multiple parties in there [Sony].”
“The next question then is, which party did what?” Ms. Peters asks.
“Carr doesn’t think that URH was necessarily involved in the wiper attack that turned so much of Sony hardware into bricks. The only malware URH discussed was a remote access tool, not a wiper,” Dark Reading says. “Then again,” they observe, “Guardians of Peace (GOP) took responsibility for the wiper — their name was pasted on every locked computer screen — so, if the linguistic analysis of the GOP’s messages is accurate, then the wiper was also used by Russian-speaking attackers, possibly, but not necessarily, including the individual URH referenced in Carr’s report.”
Mr. Carr says that “one of the troubles with cyber crime attribution may be that the security industry has become too reliant on just analyzing signal data and machine communications, while forgetting the value of analyzing human communications.” “On that point,” Ms. Peters wrote, “a retired Naval intelligence officer, Tom Chapman, now the Director of Cyber Operations Group at EdgeWave, agrees.” “Yet,” Ms. Peters adds, “Chapman is still skeptical about Carr’s report, saying ‘there’s nowhere near enough’ information to draw confident conclusions from it.” “It’s possible, but it’s weak,” added Mr. Chapman. “Human sources are always the least credible.”
“Chapman is particularly suspicious about the motivations of Yama Tough and his source. Yama Tough is not taking credit for the attack himself, so he doesn’t get hacker bragging rights. He could also be hurting his reputation in the black hat community, since he’s sharing details given to him by another black hat,” Dark Reading noted. As for Tough’s stance, Chapman acknowledges that criminal hackers may trumpet their exploits more than other kinds of criminals, but says that professional, financially motivated hackers “stay quiet” (especially if they’re going after Russian targets).
“When the Sony attack came out,” Mr. Chapman says, “I was skeptical it was North Korea alone. I’m still a bit skeptical.” He says that he believes the FBI’s official word that the North Korean government was behind the attacks, but that they haven’t publicly released enough information [and probably won’t/can’t] for him to draw that conclusion himself.
Mr. Chapman added that he “puts more credence in some ‘official’ statements than others, depending on whose mouth the words are coming out of. For example, when FBI Director James Comey said, ‘I have very high confidence in this attribution, as does the entire Intelligence Community,’ Chapman believes it, because military intelligence officials, by law, cannot lie to the American public.”
Very interesting article. It also brings to mind one of the bigger issues that plague IT and cyber security. How do you really know when your networks are…really, really clean? How do you really know that there are no stay-behinds, and the ‘gifts that keep on giving’? And, once breached, how do you restore trust in the system? Restoring trust is not a trivial issue. And, one should remember the ever-present insider threat. Remember, every major castle/fort in medieval Europe was compromised and breached — more often than not — by spies/traitors from within. Indeed, that is ultimately what turned the tide in Xerxes’s favor against the 300 Spartans at Thermopylae, when someone betrayed a way up and around the back of Leonidas and his 300 Spartans. V/R, RCP