BreachExchange mailing list archives

Ex-Sony Employees, Russia, NK, Anonymous, and Sanctions (January 5th) - Sony Hack Update


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 Jan 2015 10:42:31 -0700

https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/#employeesrussiankanonymoussanctions


Ex-Sony Employees, Russia, NK, Anonymous, and Sanctions (January 5th)

Rather than focusing on learning from the Sony hack and how companies can
avoid these sorts of data breaches in the future, for most news agencies
the main topic continues to be attribution. Over the past couple of days,
more and more articles have been published pointing out issues with
blaming North Korea, even as others keep blaming North Korea.

The strongest argument that counters the official FBI report has continued
to come from researchers at Norse that allege that their investigation of
the hack of Sony has uncovered evidence that leads, decisively, away from
North Korea as the source of the attack. They have come out with more
information that alleges that a group of six individuals are behind the
hack, including at least one former Sony Pictures Entertainment employee
who worked in a technical role and had extensive knowledge of the company’s
network and operations. It is important to note that Norse does not appear
to have been consulted by Sony in the clean-up efforts, so their level of
access and insight is not clear.

The FBI granted a three-hour briefing with Norse to provide their
information on the Sony Pictures hack. When asked about the meeting, the
FBI declined to comment beyond a prepared statement which said, again, that
they are confident that North Korea is behind the attack and there is “no
credible information” to suggest otherwise. Further, a “U.S. official
familiar with the matter” said after the meeting with Norse that the
company’s analysis “did not improve the knowledge of the investigation.”
Given the number of unnamed officials that are being quoted by every news
outlet, as well as security companies that are pushing their own
investigation without privileged access, all of this must be taken with a
grain of salt.

A post from Gotnews claims they have conducted an independent investigation
and identified two female persons of interest. The post is quite detailed
and focuses on identifying a few individuals, including ex-Sony employees,
which lines up pretty well with the claims from Norse. Ultimately, they say
that they are continuing to investigate the theory that disgruntled former
Sony employees may have joined forces with pro-piracy hacktivists, who
have long resented Sony’s anti-piracy stance, to infiltrate the
company’s networks. If true, it goes against all of the claims of the FBI.

Computational linguists at Taia Global who performed a linguistic analysis
of online messages from the Guardians of Peace concluded, based on
translation errors and phrasing, that the group is more likely Russian
than Korean. Shlomo Argamon, Taia Global’s chief scientist, said he and a
team of linguists had been mining hackers’ messages for phrases that are
not normally used in English and found 20 in total.

- Korean, Mandarin, Russian, and German linguists then conducted literal
word-for-word translations of those phrases in each language. Of the 20, 15
appeared to be literal Russian translations; only nine were Korean, and
none matched Mandarin or German phrases, reports The Boston Globe.
- The team also performed a second test on language used by hackers. They
reportedly asked the same linguists if five of those phrases were valid in
their own language. One was said to be a valid Korean construction, while
three of them were consistent with Russian.

CrowdStrike named North Korea as the culprit early on, and they continue
to believe and be vocal that the hackers are indeed located in North
Korea. This still does not speak to the issue of whether the hackers are
just located there or are state-sponsored.

While many still debate who is behind the attack, North Korea issued a
statement on its official state news agency denouncing Sony Pictures
Entertainment’s release of The Interview. They called President Barack
Obama the “chief culprit” who forced the production company to
“indiscriminately distribute” the picture.  Further, North Korea has
officially accused the United States of being responsible for Internet
outages they have experienced. Allegedly, in the statement carried by the
country’s official KCNA news agency, a spokesman is also reported to have
used a racial slur to describe Obama when criticising the release of The
Interview, saying: “Obama always goes reckless in words and deeds like a
monkey in a tropical forest.” In the meantime, remember that anyone can
post “crackpot theories” about the Sony breach, and they may have as much
validity as any others.

The hacking group Anonymous posted a new Op (operation) against Sony:

"Reason for attacks: Sony Pictures lied to the public about being ‘hacked’
by North Korea- However; This was a publicity stunt for their latest movie,
‘The Interview’. We don’t like to be lied to and we want them to tell the
truth. Anonymous never fights against you, Anonymous will always fight for
the truth- and in this case- uncover it. Until they speak, Anonymous will
continue to attack."

Shortly after the operation was announced against Sony, it was mostly
hijacked by spammers who were posting a porn image from different spam
accounts. This appeared to be some sort of counter operation by someone who
dislikes Anonymous or those who wanted to give them a challenge.  Once the
attacks for #OpSony started, they did not appear to successfully impact the
main sonypictures.com website as it was responding as expected. The
Anonymous members taking part in this operation posted a picture of what
appeared to be a LOIC screen.

Regardless of the continued attribution debates, the US announced on
January 2nd that they are holding North Korea responsible for the
cyber-attack on Sony Pictures Entertainment and President Barack Obama
imposed sanctions on 10 individuals and three entities associated with the
North Korean government.

- On Jan. 2, the president ordered the seizing of property held by these
individuals and organizations in the United States, a mostly symbolic
action because few, if any, assets of those named in the order are likely
located in the U.S.

In other news, another round-up of recent events:

- The recent developments on the war against The Pirate Bay created an
interesting perspective, as Sony’s advertising campaign may have had their
ads appear on the very sites they so detest.
- Despite repeated threats of lawsuits against journalists publishing email
content from the leaked email spools, we still have a Twitter feed that
continues to post content from them. Even worse, despite repeated tries
from Sony to put a muzzle on Twitter, the social media site apparently
isn’t budging.
- If you ever wonder how convoluted the entertainment business is, read
about celebrity Amy Adams and her scheduled interview on The Today Show and
consider the politics involved in that industry.
- As expected, the email leaks are causing more fallout as the disclosures
expose salaries and other sensitive information. Both Sony employees and
celebrities are “raging over” the disclosures, which are likely to affect
future salary negotiation rates.

RBS will update this timeline with more information as it becomes available.