
The new Sony hack: a history

Computer attacks, movie leaks and North Korea


Two weeks ago a new hack of Sony's corporate networks took place, and there are a number of misconceptions about it. It is worth noting that Sony itself was not hacked, but Sony Pictures, a subsidiary of the transnational corporation.

As a result of the attacks, employees' personal information leaked to the Web, along with something that interests the average person far more: several unreleased films. Some web comics have already managed to play on this Christmas gift.

It is unclear when access to the computer systems was gained. One member of the hacker group said that the first intrusion took place a year ago. A number of facts suggest that the DPRK was behind the attack, and that the reason was the new American comedy about Kim Jong-un.

On November 24, Sony Pictures employees trying to log in to their work computers saw a strange picture. It depicted a reddish, evil-looking skeleton, a text message with threats and several links. The hacker group identified itself as #GOP. This is where the story of the hack begins.

Several dozen of the media company's Twitter accounts were hacked, and similar messages appeared in them.

As a result of the attack, the Guardians of Peace obtained many important private documents. The files themselves were not uploaded immediately; only a list of them was provided, in zip archives. The GOP threatened to publish the files if the group's demands were not met, which, by and large, they were not.

The zip archive consisted of LIST1, LIST2 and Readme files. The lists included podcasts, potentially dangerous documents (financial reports, health insurance data, correspondence), cryptographic keys and files with passwords. The latter explains the ease with which access to the Twitter accounts was obtained.

The hack temporarily paralyzed the company's work: employees could not answer phone calls, use computers, or read and respond to emails, because all data had been deleted. They had to work with fax machines and wired telephone lines. Computer systems were more or less restored only by December 1.

The intruders promised to publish the expropriated data the next morning, but this happened much later. It was stated that only a fraction of the 100 terabytes of stolen data had been uploaded.

Among the documents was a lot of data on 3,803 Sony Pictures employees: their names, dates of birth, social security numbers and performance evaluations. There are detailed salaries for the entire company, a list of those dismissed in 2014, including the reasons and various related costs, data on sick leave, pension payments and film profitability.

The files were created in copies of Microsoft Office licensed to Sony Pictures. The names of network nodes (routers, servers) and their passwords were published, including ones as simple as "password" and "s0ny123". There are even domain certificates.

A script by Vince Gilligan (creator of Breaking Bad) and several films also got onto the network. Their quality is low: they were promotional copies of Annie, Fury, Mr. Turner, Still Alice and To Write Love on Her Arms. Some of the films had not yet been released at the time of the leak.

The small archive Bonus.rar from the hackers contained the real meat: a Passwords folder. The folder actually held 140 files with login-password pairs. Some were personal (karrie's Passwords.xls), others work-related (YouTube login passwords.xls). There were passwords for financial accounts, voicemail and other servers. Sometimes names, emails, phone numbers and even addresses were listed alongside them.

The 2011 hack, when the PlayStation Network was down for several months and the company suffered huge losses, taught Sony absolutely nothing: just as three and a half years ago, passwords were kept in ordinary office documents and spreadsheets, not in some kind of encrypted password manager.
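The kind of audit a defender would run to catch exactly this practice, credential stores kept as loose spreadsheets and text files on a share, is shown below. This is an added example, not code from the article or from Sony; it builds a constructed sample share in a temporary directory (the file names and contents are invented, modelled on the ones the article names) and flags files by name pattern and, for plain-text formats, by content that looks like login/password records. It does not parse real .xls binaries; for those, the file name alone is the signal.

```python
"""Audit a file share for credentials kept in plain office documents.

Added example, not from the article. Assumption: flagged files are either
plain text/CSV (content is inspected) or opaque binaries such as .xls
(only the name is inspected). The sample share below is constructed.
"""
import os
import re
import tempfile

# File names that commonly mark ad-hoc credential stores.
NAME_PATTERN = re.compile(r"(password|passwd|pwd|login|credential)", re.IGNORECASE)
# Text content that looks like a login/password header row or a key=value secret.
CONTENT_PATTERNS = [
    re.compile(r"\b(login|username|user)\b\s*[,;\t].*\bpassword\b", re.IGNORECASE),
    re.compile(r"\bpass(word)?\s*[:=]\s*\S+", re.IGNORECASE),
]
TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".cfg", ".conf"}


def classify_file(path):
    """Return the reasons ('name', 'content') a file looks like a credential store."""
    reasons = []
    name = os.path.basename(path)
    if NAME_PATTERN.search(name):
        reasons.append("name")
    if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    if any(p.search(line) for p in CONTENT_PATTERNS):
                        reasons.append("content")
                        break
        except OSError:
            pass  # unreadable file: skip rather than abort the audit
    return reasons


def find_credential_files(root):
    """Walk root and return {relative_path: reasons} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_share():
    """Create a constructed directory tree (sample data only) and return its root."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "Passwords/karrie's Passwords.xls": b"\xd0\xcf\x11\xe0fake-ole-binary",
        "Passwords/YouTube login passwords.xls": b"\xd0\xcf\x11\xe0fake-ole-binary",
        "it/routers.csv": "hostname,login,password\nrtr-01,admin,s0ny123\n",
        "it/backup.conf": "retention=30\n",
        "hr/Q3 headcount.txt": "dept,count\nfinance,12\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, why in sorted(find_credential_files(share).items()):
        print(f"{path}: flagged by {', '.join(why)}")
```

Running it flags both spreadsheets by name and routers.csv by its header row, while the backup config and the headcount file pass. Pointed at a real share, the same walk gives an inventory of what should be moved into a password manager, and a date-sorted version of it shows whether the practice is still ongoing.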

It is not only the company that suffers, but also its employees. Their personal data became known, including a rather important component of an American's life, the social security number. This applies not only to unknown employees but also to celebrities, for example Sylvester Stallone. In total, 47 thousand SSNs "leaked".

In addition, it was reported that some victims of the leaks received letters, written by unknown persons in broken English, demanding that they sign a statement that they did not trust Sony, and threatening the lives of the employees and their families.

Judging by the turns of phrase, the hackers had made demands of Sony, but the company ignored them, which provoked the attack. At the same time, the rest of the GOP's wishes remain unknown. All there was was a vague demand for "equality", and the group called Sony Pictures Entertainment head Michael Lynton a "criminal". A few hours ago, a public demand to stop the film "The Interview" finally appeared.

Suspicion of North Korea began on November 28. The point is that on December 25 the theatrical release of the film "The Interview" begins, in which the DPRK leader is not merely portrayed in an unflattering light: in the plot they set out to kill him. A couple of rather unpleasant scenes of violence were cut from the film, but it still provokes an extremely negative reaction in Pyongyang, where even the word "retribution" was heard.

One clear piece of evidence of North Korean involvement was reported by the Wall Street Journal: a high degree of similarity between the programs used to hack Sony and the code used in a series of attacks on banks and TV stations in South Korea. That 2013 attack is believed to have been carried out by the DPRK.

In general, most of the group's communication with the press takes place through open mail accounts that anyone can access, so it is impossible to confirm the authenticity of the statements. Some expressions (strange references to human rights, the demand for peace), which somewhat coincide with what is written in North Korean media, are mixed with odd features in the use of English.

"The Interview" is not our goal, as Sony Pictures suggests. But it is often reported that our activity is connected with "The Interview". This shows how dangerous "The Interview" is. "The Interview" is dangerous enough to trigger a massive hacker attack. Sony Pictures made a film that harms regional peace and security and violated human rights for money. News about "The Interview" fully acquaints us with the crimes of Sony Pictures. So their activity is completely contrary to our philosophy. We fight against such greed of Sony Pictures.

Incidentally, the film "The Interview" itself was not among the leaks.

Later studies only confirm this conjecture. The FBI warned of the possibility of such attacks on other US companies. The files usbdrv3_32bit.sys and usbdrv3_64bit.sys, used in the hack, were studied.

The FBI report also mentioned that the malware samples were created on computers with Korean language packs.

It was also stated that the programs were written specifically to attack Sony Pictures: IP addresses and host names are hardcoded directly in the executable files. The file that hit the corporate network was compiled on November 22 and contained references to Sony network nodes; the others were created on November 24 and in July of this year, and the only thing they share with the first is the IP addresses of the botnet command servers.

The files were also studied by Jaime Blasco, head of the computer security firm AlienVault. The program with Sony's hardcoded host names periodically connected to other machines on the internal network. It contained a list of systems whose disks it accessed and wiped, removing the master boot record.

To delete the files, the driver of the commercial product RawDisk, created to help system administrators, was used. The driver provides low-level access to the file system, bypassing the security restrictions of Windows.

The same product was used in the attacks on Saudi Arabia and South Korea. In 2012, Aramco lost data on 30 thousand computers, and the Cutting Sword of Justice group claimed responsibility. The stated purpose of that hack was "warning the tyrants of this country and other countries that support economic hardships through injustice and oppression".

All four of the studied files were compiled on a computer whose system language encoding was Korean. Of course, this is not proof of anything; such data can be manipulated to cover tracks.
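Two of the attribution clues discussed above, the compile timestamp and the hardcoded IP addresses and host names, are things any analyst can pull from a sample with a few lines of static triage. The block below is an added example, not code from the article, from the FBI or from AlienVault: it hand-parses the COFF header of a PE file to read its TimeDateStamp and scans the raw bytes for embedded IPv4 addresses and host names. The sample binary is constructed in the code (TEST-NET addresses and an invented host name stand in for the real Sony nodes, which the article does not list), so it runs offline. The resource-section language ID, which is where the "Korean language pack" evidence comes from, is not parsed here; note also that a timestamp is just a field an author can set to anything, which is the article's own caveat.

```python
"""Static triage of a PE file: compile timestamp and embedded network indicators.

Added example (not from the article or the analyses it cites). Uses only the
standard library and a constructed, non-executable PE-like blob as input.
"""
import re
import struct
from datetime import datetime, timezone

IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOSTNAME_RE = re.compile(
    rb"\b[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+\b",
    re.IGNORECASE,
)


def pe_compile_time(data):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def valid_ipv4(token):
    """Reject dotted quads with octets above 255 (version strings, etc.)."""
    return all(0 <= int(o) <= 255 for o in token.split(b"."))


def embedded_indicators(data):
    """Return (sorted IPv4 addresses, sorted host names) found as ASCII strings."""
    ips = sorted({m.group(0).decode() for m in IPV4_RE.finditer(data)
                  if valid_ipv4(m.group(0))})
    hosts = set()
    for m in HOSTNAME_RE.finditer(data):
        tok = m.group(0).decode()
        if tok.replace(".", "").isdigit():          # that is an IP, handled above
            continue
        if tok.lower().endswith((".dll", ".exe", ".sys")):  # import/file names
            continue
        hosts.add(tok)
    return ips, sorted(hosts)


def build_sample_pe(timestamp, strings):
    """Construct a minimal PE-like blob: MZ stub, PE signature, COFF header,
    an empty optional header and a fake section body holding the strings.
    Constructed sample data only; it is not a runnable executable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)         # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    body = b"\0".join(strings) + b"\0"
    return bytes(header) + b"PE\0\0" + coff + b"\0" * 0xE0 + body


# Constructed sample: a November 22 build containing placeholder network nodes.
SAMPLE_TS = int(datetime(2014, 11, 22, 10, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_STRINGS = [
    b"This program cannot be run in DOS mode.",
    b"203.0.113.10",                          # placeholder C2 address (TEST-NET-3)
    b"\\\\fileserver.corp.example\\share$",   # placeholder internal node
    b"kernel32.dll",
    b"198.51.100.7",                          # placeholder (TEST-NET-2)
    b"999.1.1.1",                             # not a valid address; must be ignored
]


def triage(data):
    """Summarize a sample: compile time plus embedded indicators."""
    ips, hosts = embedded_indicators(data)
    when = pe_compile_time(data)
    return {"compiled": when.isoformat() if when else None, "ips": ips, "hosts": hosts}


if __name__ == "__main__":
    print(triage(build_sample_pe(SAMPLE_TS, SAMPLE_STRINGS)))
```

On the constructed sample this reports a 2014-11-22 compile time, the two TEST-NET addresses and the single internal host name; the malformed 999.1.1.1 and the DLL name are dropped. Indicators pulled this way feed straight into network blocklists and host-name watch rules, which is the defender's use of exactly the clue the article describes.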

The skull imagery and the dumping of data on Pastebin are hard to square with the image of a state agency. Some sources have questioned this connection: it is argued that the GOP's motive was compensation for the victims of the recent reorganization of Sony Pictures. It is likely that insiders played a certain role.

Blasco believes that the attack was most likely not carried out by the same group. According to him, it could be another team that used similar methods. He sees no data pointing to the country of origin of the attack. So far, Sony itself has not confirmed the North Korea version either.

There are technical differences: the packages used in the Seoul attack included scripts for working in a Linux environment, and there were no such scripts in the Sony hack. Perhaps they simply were not needed.

According to recent reports, the hackers worked from a hotel in Bangkok, the capital of Thailand.



Is a hack from such a seemingly weak but aggressive country realistic? Of course it is possible: hackers in North Korea are a pampered elite. Details about Bureau 121 have become known from some of those who fled the DPRK.

This is an elite intelligence agency with a military staff of 1,800 hackers. Their training often begins at the age of 17. Among the hundreds of top graduates of the University of Automation there are quite a few members of Bureau 121.

To be included in this hand-picked selection is a great honor and the subject of ordinary people's fantasies: hackers are well paid and enjoy many privileges, in a country where you need permission even to send an email.

One acquaintance who described the bureau works abroad as an employee of a North Korean trading company. To extinguish any temptation to defect, his family was settled in a large, expensive apartment in a good area of Pyongyang: a fine civil-service career for a boy from the village.

Representatives of North Korea have sluggishly fended off the accusations. A later statement said that they did not carry out the hack but fully approve of it: the attack was called "fair". The DPRK National Defense Commission says it does not know where Sony Pictures is located, nor what caused the attack. Time will tell how honest this statement was.

Source: https://habr.com/ru/post/364155/
