Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Report Claims Russians Hacked Sony

Russian Network Penetration Overlaps with 'G.O.P.' Hack
Report Claims Russians Hacked Sony

Russian hackers, using spear-phishing attacks, successfully breached the network of Sony Pictures Entertainment in November 2014, and continue to have on-demand access to Sony's network, according to a new report from cybersecurity firm Taia Global. But it's not clear if those hackers unleashed the malware attack and data leaks for which the "Guardians of Peace" hacking group has taken credit, or if the Russian team was operating independently.

See Also: Cyber Insurance Assessment Readiness Checklist

Taia Global says its report is based on Sony Pictures Entertainment documents obtained by a Russian hacker. Those documents date from November and December 2014 and have not been seen in any of the data that has been previously leaked by "G.O.P."

Taia Global, in a related report, says the hackers targeted Sony employees in Russia, India and other parts of Asia with spear-phishing e-mails to which a malicious PDF document was attached, which included a remote-access Trojan, or RAT. After some Sony employees opened the PDF file, their PCs became infected with the RAT, and hackers used that beachhead to eventually gain access to the Sony Pictures Entertainment network itself, the report claims. As evidence, it cites a black-hat hacker who says he has communicated with a member of the Sony hacking team, and shared stolen documents - to substantiate those claims - with Taia Global.

The White House has blamed North Korea for the Sony Pictures hack, and the FBI has released some evidence to back up that assertion. But many information security experts, citing numerous conflicting clues and the scant details released by the bureau, continue to question the FBI's attribution (see FBI's Sony Attribution: Doubts Continue).

The new evidence that a Russian hacking crew apparently was working inside Sony Pictures Entertainment doesn't mean they were responsible for the devastating Nov. 24 wiper malware attack against Sony or subsequent "G.O.P." leaks. "This new evidence suggests two possibilities: that Russian hackers and North Korean hackers ran separate attacks simultaneously against Sony Pictures Entertainment, or that the North Korean government's denial of involvement in the Sony breach is accurate, that other hackers were responsible, and at least one or more of them were Russian," Taia Global says.

Sony Pictures Entertainment did not immediately respond to a request for comment on the Taia Global report.

Hacker Offers Evidence

Jeffrey Carr, president of Taia Global, says evidence of the Russian hacker intrusion into the Sony Pictures Entertainment network comes via the Russian hacker known as Yama Tough, who tells Carr he's been communicating with a member of the team that hacked Sony.

Yama Tough, a black hat hacker who has served jail time in the United States on hacking charges, and who was deported to Russia, has been tied to numerous hacks, involving such organizations as Symantec - including stealing and later leaking pcAnywhere source code - as well as VMware, Innodata Isogen, and SearchInform. Yama Tough has previously claimed to be a member of a hacktivist group calling itself "The Lords of Dharmaraja" - dharmaraja is Sanskrit for "just and righteous king."

Carr has previously analyzed some material leaked by The Lords of Dharmaraja, and found - in the case of documents supposedly stolen from the Indian government, for example - that the leaks mixed both real and fake information. But it has not been clear whether the hackers knew that some of the information they were releasing had been faked.

Sony Document Authenticity

In this case, however, Carr says the evidence obtained by Yama Tough from an unnamed Russian hacker appears to be genuine. Yama Tough says he received about 100 MB of data from the unnamed Russian hacker - who he described as a long-time black-hat hacker who occasionally freelances for Russia's Federal Security Service - who says it was obtained by his gang after it successfully spear-phished Sony employees in Asia and Russia and then used that to access the Sony Pictures network itself.

Yama Tough shared a sampling of the stolen data with Carr, including seven Excel spreadsheets, five of which date from between Nov. 30, 2014 and Dec. 10, 2014. Some of those documents include internal company communications, such as post-wiper-malware attack instructions to Sony employees, including a prohibition on using USB thumb drives, as well as a list and locations of Ricoh printers that employees can use.

Yama Tough also shared six e-mail messages, two of which appear to refer to recently released or forthcoming films. One, dated Jan. 14, is subject-lined "Jupiter Ascending Screening Reactions." The most recent, dated Jan. 23, is subject-lined "McFarland USA Screening Reactions."

"All of the documents appear to be authentic, and one has been proven to be authentic by the film analyst who created it," Taia Global says. "They are not part of any prior release by the Guardians of Peace, the presumably North Korean team who claimed credit for the attack."

This isn't the first time that security experts have suggested that Russian hackers may have been involved. In fact, according to an analysis by Taia Global's Shlomo Engelson Argamon, a linguistics expert, evidence points to G.O.P.'s communications as having been written by native Russian speakers (see Expert: Sony Hackers Sound Russian). Security expert Carl Herberger, meanwhile, has noted that the Sony hack doesn't look like any attack that's previously been ascribed to a nation state, including North Korea.

Attack Timing

It's not clear when the Russian hackers' spear-phishing attack against Sony occurred. But The New York Times on Jan. 18 reported that two unnamed U.S. government officials said hackers had launched successful spear-phishing attacks against Sony beginning in September 2014.

The G.O.P attack campaign appears to have begun by Nov. 21, 2014, when a group calling itself "God'sApstsls" e-mailed Sony Pictures Entertainment, threatening "great damage" unless it paid "monetary compensation." That message apparently went unanswered, and Sony Pictures suffered the damaging wiper malware attack on Nov. 24, followed by attackers releasing batches of stolen documents, some of which were quite embarrassing to the studio's executives.

After those leaks began, G.O.P. said they would continue unless Sony canceled the planned Dec. 25 release of its comedy film "The Interview," about a pair of tabloid TV reports who were recruited by the CIA to assassinate North Korean leader Kim Jong-un. Sony canceled the release, but after being criticized by President Barack Obama, ultimately did release the film, which broke online box office records for the studio. There have been no further leaks of data, despite the attackers claiming they had tens of gigabytes of stolen information still to release.

Breach Cost: $50 Million

In related news, Sony on Feb. 3 released its financial results for the final quarter of 2014, which reports that by Dec. 31, 2014, an estimated $15 million was spent on investigating and remediating the hack attack against Sony Pictures Entertainment. But Sony noted that owing to the "serious disruption of its network and IT infrastructure as a result of a cyberattack," it remains unable to close its movie and television studio's books for 2014, and that the cost spent to date on breach cleanup remains an estimate.

Regardless, security experts say Sony's breach-related costs to continue to rise, as related investigations and remediation continues. Sony also faces multiple lawsuits that were filed over the breach.

Taia Global says the evidence that hackers remained inside Sony's network at least until the end of January - and may still be there - raises questions about whether the breach or breaches of the Sony Pictures Entertainment have yet been fully remediated. Cybersecurity firm Mandiant, which was hired by Sony to investigate and remediate the breach, did not immediately respond to a request for comment.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.