alphaspirit - Fotolia
Sony Pictures Entertainment's ongoing data breach incident already forced the company to shut down its entire computer network Nov. 25, as an 11 TB trove of data including digital copies of five unreleased films was stolen.
Now, new details have revealed that Sony executives were subjected to extortion attempts just days before the company's data was dumped online.
On Monday, the attackers behind the massive Sony data breach released data from two email accounts said to be those of Sony Pictures Entertainment CEO Michael Lynton and Co-Chairman Amy Pascal. Released through BitTorrent and file-sharing sites, the several gigabytes of email data included apparent extortion attempts made by the hackers three days before Sony's data was leaked online.
One of the emails addressed to Lynton, Pascal and other executives stated:
We've got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You'd better behave wisely.
A Symantec Corp. blog post also uncovered similar language in a message displayed on systems compromised as part of the attack, including a deadline of Nov. 24 to meet the attackers' request as well as the same reference to God'sApstls. A group referring to themselves as "Guardians of Peace" has previously claimed responsibility for the attack.
Further details on the Sony data breach were also reported by Bloomberg News over the weekend, including evidence obtained from the investigation that Sony's data was leaked via a hacked network at the St. Regis Bangkok, a five-star hotel in Thailand's capitol.
Speculation within the security industry has largely linked the Sony attack to a hacking group backed by the North Korean government, which had previously expressed concern one of the Sony films leaked in the hack, The Interview. The film is said to negatively portray Kim Jong Un, supreme leader of the Democratic People's Republic of Korea. The latest details of the incident raise questions over those links though, especially as extortion is not typically involved in nation-state hacks.
Joseph M. Demarest, assistant director of the FBI's cyber division, also cast doubt on whether North Korean hackers were responsible for the Sony breach.
"There is no attribution to North Korea at this point," Demarest told Reuters Tuesday.
Sony certificates leaked as well
The Kaspersky Labs' Global Research and Analysis Team penned a blog post Tuesday detailing the discovery of the stolen certificates, which were supposedly used to sign a new sample of the Destover wiper malware family just days ago on Dec. 5.
Security researcher Colin Keigher has since claimed on Twitter that an unnamed researcher had discovered a Sony certificate as part of the data dumped online and used it as a practical joke. The researcher supposedly signed the Destover sample and uploaded it to VirusTotal, an online malware scanner, where it was then detected by Kaspersky.
Though the details provided by Keigher may mean attackers have yet to utilize Sony's digital certificates, they have been leaked online and are likely to show up in other attacks shortly.
Kaspersky's post noted that the use of legitimate certificates by attackers is far from new, but the strategy does make attacks more difficult for security technologies to spot.
"We've already reported the digital certificate to Comodo and Digicert and we hope it will be blacklisted soon," wrote Kaspersky's researchers. The certificate authorities that issued the certs reportedly revoked them over the weekend.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc. in Salt Lake City, told SearchSecurity via email that an increasing number of attackers are targeting legitimate certificates as part of data breaches precisely because they are so effective in launching other attacks. Such certificates can be used in combination with encrypted communication channels to make an attack, Bocek said, "nearly invisible."
"Global companies typically have tens of thousands of keys and certificates and the majority do not take an accurate inventory of them, do not know where they are deployed, who is using them and do not have the right systems in place to secure them," said Bocek. "Enterprises must start to get a better handle on all of their certificates and keys deployed, determine anomalies in the environment based on established policies, and then quickly revoke and replace anything suspect or out of policy."
Sony hack linked to previous attacks
The latest evidence suggests that North Korean hackers may not have been responsible for the Sony data breach, but other details do suggest connections to previous high-profile cases where wiper malware was also used.
In particular, a Destover variant known as DarkSeoul was utilized by the Whois hacker group to target several businesses and media outlets in South Korea last year. Kaspersky has also found links between Destover and the 2012 Shamoon malware attacks against Saudi Arabia-based oil giant Saudi Aramco.
A previous blog post by Kaspersky's Kurt Baumgartner provided further details on Destover's functionality. Like Shamoon, Destover uses commercially available EldoS RawDisk driver files both to evade NTFS security permissions and to override the master boot record. The executables for both Destover and DarkSeoul were compiled between 24 and 48 hours before the attacks, Baumgartner said, making it likely that attackers had already gained access to their targets' networks.
The groups behind Shamoon, Destover and DarkSeoul all also included vague political messages as part their attacks, Baumgartner noted, and subsequently disappeared from the radar. The messages delivered in both the Sony data breach and Whois attacks even contained visual similarities, including fonts and color schemes.
"The above list of commonalities does not, of course, prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover. But it should be noted that the reactionary events and the groups' operational and tool set characteristics all carry marked similarities," wrote Baumgartner. "And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities."
It looks like Sony's stock price is still slightly higher than it was 30-days ago.
— Mike Saurbaugh (@MikeSaurbaugh) December 10, 2014
— Пётр тоноли (@peter_tonoli) December 10, 2014
— newsoft (@newsoft) December 8, 2014
Destover was not the first malware to make use of seemingly legitimate certificates. Learn how the attackers behind the Flame malware were able to create their own certificates via MD5 collisions, and how enterprises should react to such attacks.