[BreachExchange] You Didn’t Think the Sony Saga Was Over, Did You?

Destry Winant destry at riskbasedsecurity.com
Tue Sep 18 01:39:09 EDT 2018


https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/

On November 24th, 2014 a Reddit post appeared
<http://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_work_for_sony_pictures_my_friend_still/>
stating that Sony Pictures had been breached, that their complete internal
network, nationwide, was affected, and that there were signs the breach was
carried out by a group calling themselves GOP, or The Guardians Of Peace.
This started a long, twisting road for Sony as details of the hack came out
for months afterward. The resulting fallout had considerable impact on Sony,
their executives, and many others unaffiliated with Sony.

Risk Based Security covered this incident with an initial blog written on
November 24, 2014, and updated 23 times
<https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/>
with the last update on February 22, 2015. We followed that up with what was
to be a final piece on February 18, 2016, taking a look at “Year After the
Hack <https://www.riskbasedsecurity.com/2016/02/sony-a-year-after-the-hack/>”.
While we didn’t count Sony out for further news, large-scale hacks like this
rarely see definitive attribution or any form of closure. We moved on,
cataloging the thousands of other breaches <https://cyberriskanalytics.com/>
that have happened since.

On September 6, 2018, news broke that the U.S. Department of Justice (DOJ)
announced charges
<https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and>
and filed an indictment against a North Korean “spy” for his role in the
hacking of Sony (and others) and the authoring of the Wannacry 2.0
<https://www.darkreading.com/attacks-breaches/get-ready-for-wannacry-20-/d/d-id/1331834>
malware (PDF of Indictment
<https://int.nyt.com/data/documenthelper/274-park-jin-hyo-complaint/7b40e5ed5b185f141e1a/optimized/full.pdf#page=1>).
The indicted man, Park Jin-hyok (박진혁; a/k/a Jin Hyok Park and Pak Jin Hek),
was charged with (1) violating 18 U.S.C. § 371 (Conspiracy) by committing the
following offenses: 18 U.S.C. §§ 1030(a)(2)(c), 1030(a)(4), (a)(5)(A)-(C)
(Unauthorized Access to Computer and Obtaining Information, with Intent to
Defraud, and Causing Damage, and Extortion Related to Computer Intrusion);
and (2) a violation of 18 U.S.C. § 1349 (Conspiracy), for conspiring to
commit the following offense: 18 U.S.C. § 1343 (Wire Fraud).

According to the DOJ, Mr. Park is believed to work for North Korea’s
Reconnaissance General Bureau
<https://en.wikipedia.org/wiki/Reconnaissance_General_Bureau> (their
equivalent of our C.I.A.). Specifically, the complaint alleges that Mr. Park
is a member of the DPRK-sponsored hacking team known in the private sector as
“Lazarus Group” (a/k/a Hidden Cobra), and worked for a front company named
Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”) while
conducting the activity.

You can read more about this latest development all over the media,
including The New York Times
<https://www.nytimes.com/2018/09/06/us/politics/north-korea-sony-hack-wannacry-indictment.html>,
CNET
<https://www.cnet.com/news/justice-department-charges-north-korean-hacker-linked-to-wannacry-2014-sony-hack/>,
Motherboard
<https://motherboard.vice.com/en_us/article/j5nyyx/doj-charge-north-korea-wannacry-sony-hack>,
the Washington Post
<https://www.washingtonpost.com/world/national-security/justice-department-to-announce-hacking-charges-against-north-korean-operative-the-charge--stemming-from-the-2014-sony-pictures-case--is-the-first-against-a-pyongyang-spy/2018/09/06/f477bfb2-b1d0-11e8-9a6a-565d92a3585d_story.html>,
Reuters
<https://www.reuters.com/article/us-cyber-northkorea-sony-justice/u-s-charges-north-korean-hacker-for-cyber-attacks-against-sony-uk-nhs-idUSKCN1LM2HU>,
Bloomberg
<https://www.bloomberg.com/news/articles/2018-09-06/urgent-justice-dept-set-to-announce-charges-in-sony-pictures-hack>,
and others. If you are a journalist, we sympathize with you!

*Lazarus and the Lead Up*

Since the news of the Sony hack slowly faded out of public attention, one
group suspected of involvement in the hack has remained active. Over the last
few years, news and research about Lazarus Group has continued to come out.
Looking back at a brief highlight of the history of these stories makes a
North Korea indictment not so surprising.

   - Feb 24, 2016 – Several security companies created “Operation Blockbuster
   <https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/>”
   and published a report detailing activity by Lazarus Group as well as
   signatures for many security products to detect and disrupt their activity.
   - Feb 24, 2016 – According to a new investigation
   <https://www.darkreading.com/threat-intelligence/sony-hackers-behind-previous-cyberattacks-tied-to-north-korea-/d/d-id/1324422>,
   Lazarus Group has been conducting attack campaigns since at least 2009, and
   factored into the FBI’s conclusion that North Korea was behind the Sony
   breach.
   - Feb 13, 2017 – A “worldwide bank attack blitz
   <https://www.theregister.co.uk/2017/02/13/sony_pictures_hackers_lazarus_returns/>”
   is linked to the same hackers who compromised Sony.
   - Mar 22, 2017 – A North Korean group is suspected of theft of federal funds
   <https://www.bloomberg.com/news/articles/2017-03-22/north-korea-link-said-to-be-probed-in-n-y-fed-account-theft>
   in Bangladesh. Lazarus Group was eventually linked to the February 2016
   attack
   <https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/>
   on the Bangladesh Central Bank, resulting in more than $850 million in
   fraudulent SWIFT transactions, $80 million of which had not been recovered.
   - May 15, 2017 – The WannaCry ransomware is said to have links to North
   Korea
   <https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group>.
   - May 16, 2017 – Lazarus Group is suspected of infecting
   <http://www.euronews.com/2017/05/16/lazarus-group-suspected-of-hack-attack>
   as many as 300,000 computers across 150 countries using the WannaCry
   ransomware.
   - May 18, 2017 – Article titles are definitively linking
   <http://www.latimes.com/nation/la-fg-lazarus-group-20170518-story.html>
   Lazarus Group to Sony at this point.
   - May 23, 2017 – Multiple
   <https://www.cyberscoop.com/wannacry-symantec-lazarus-group/> articles
   <https://www.cnbc.com/2017/05/23/symantec-says-highly-likely-north-korea-group-behind-ransomware-attacks.html>
   cite researchers saying that North Korea is “highly likely” to be behind
   the ransomware attacks.
   - Jun 13, 2017 – US-CERT issues an advisory
   <https://www.us-cert.gov/ncas/alerts/TA17-164A> about HIDDEN COBRA, the
   code name for North Korea’s DDoS botnet infrastructure.
   - Jun 14, 2017 – Engadget publishes a summary article
   <https://www.engadget.com/2017/06/14/us-issues-alert-north-korea-cyber-attack-hidden-cobra/>
   saying that North Korea has been “*hacking everyone since 2009*”.
   - Nov 20, 2017 – McAfee Mobile Research publishes findings
   <https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/>
   linking Lazarus Group to new Android malware, installed more than 1,300
   times.
   - Dec 17, 2017 – It is reported
   <http://fortune.com/2017/12/17/bitcoin-north-korea/> that Lazarus Group
   is targeting cryptocurrency executives in phishing campaigns.
   - Feb 12, 2018 – Lazarus Group pops back onto the radar
   <https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/>,
   targeting both global banks and Bitcoin users in a campaign dubbed HaoBao.
   - Apr 30, 2018 – Servers are seized in Thailand
   <https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-server-thailand-sony-pictures-cyber-attack-a8329586.html>
   due to their use in computer crime, with links to Lazarus Group.
   - Aug 23, 2018 – Continuing their targeted attacks on cryptocurrency
   exchanges, Lazarus Group uses macOS malware for the first time
   <https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/>.

Among the evidence used to link Mr. Park to Lazarus Group and criminal
activity are Bitcoin payments made as a result of WannaCry infections,
tracking of banking transactions related to the fraudulent Bangladesh SWIFT
activity, and multiple links to North Korea-based IP addresses. It is clear
from the affidavit that the FBI had been investigating throughout the period
covered by the news above.

*What Happened with Sony Since Last Update*

If you look back at our prior coverage, one consistent theme is the steady
level of drama Sony dealt with during the breach. Since the last update, more
information has come out pertaining to Sony, the breach, and the aftermath.

   - Feb 18, 2016 – Sony Entertainment CEO Michael Lynton resorts to sending
   faxes
   <https://variety.com/2016/digital/news/michael-lynton-sony-hack-fax-machine-1201709910/>,
   still worried about emails being compromised.
   - Feb 24, 2016 – Ongoing analysis of the breach suggests the hackers were
   causing mayhem “years before
   <https://www.wired.com/2016/02/sony-hackers-causing-mayhem-years-hit-company/>”
   they hit Sony.
   - Apr 6, 2016 – A class action settlement related to the Sony hack gets
   final approval
   <https://deadline.com/2016/04/sony-hack-lawsuit-settlement-approved-class-action-1201732882/>.
   - Jun 2, 2016 – A “strained relationship” and “infighting” between Lynton
   and Steve Mosko, chief of Sony’s television division, led to Mosko leaving
   <https://www.hollywoodreporter.com/news/sony-infighting-led-tv-chief-898917>.
   - Jul 28, 2016 – A lawsuit in Florida filed by Possibility Pictures
   <https://www.hollywoodreporter.com/thr-esq/sony-hack-results-lawsuit-failure-915251>
   complains that the Sony hack resulted in one of their movies being
   illegally distributed online.
   - Aug 11, 2016 – Seth Rogen defends Amy Pascal
   <http://time.com/4448238/seth-rogen-has-an-interesting-take-on-amy-pascal/>,
   despite her racist remarks, saying her termination was not warranted.
   - Dec 6, 2016 – Representative Adam Schiff, on the House of Representatives
   Intelligence Committee, says the U.S. failure
   <https://www.reuters.com/article/us-usa-cyber-russia-congress/u-s-lawmaker-sony-hack-may-have-inspired-russian-election-hacking-idUSKBN13V2N3>
   to “*retaliate strongly for the 2014 cyber attack against Sony Pictures
   may have helped inspire Russian hackers who sought to interfere in the 2016
   U.S. election*”.
   - May 11, 2017 – A story published on Gawker in 2015 was removed from
   their archive after pressure from Sony’s Michael Lynton
   <https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/05/11/how-a-former-sony-chairman-de-indexed-an-article-based-on-his-sony-hack-e-mails/>
   due to the heavy quoting of emails stolen during the breach.
   - May 16, 2017 – Michael Lynton confesses
   <https://variety.com/2017/digital/news/michael-lynton-sony-hack-snapchat-1202428861/>
   that he wasn’t sure the studio would survive the hacking crisis.
   - Jul 8, 2017 – Amy Pascal, who was terminated by Sony due to racist
   emails, talks about living through the hack
   <https://www.hollywoodreporter.com/news/amy-pascal-speaks-living-sony-hack-1019544>.
   - Aug 21, 2017 – A hacker group called “OurMine” claims it breached
   <https://www.businessinsider.com/playstation-network-allegedly-hacked-ourmine-2017-8>
   Sony’s PlayStation Network and stole information.
   - Aug 19, 2018 – Seth Rogen tells the media
   <https://uproxx.com/movies/seth-rogen-sony-hack-no-guilt/> why he never
   felt guilt over his role in the Sony breach.

*Attribution*

We said in the original Sony blog series
<https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/#attributionguessinggameperspective>,
and many times since, that attribution of a hack is difficult at best and
often impossible. Tracking an attack back to a single person, especially a
skilled attacker, presents many challenges that leave law enforcement
ineffective. In many cases, it is third-party security firms with research
divisions that do a lot of the heavy lifting. They share this information
with law enforcement and many times can greatly improve the odds of
attribution.

With Sony, it was curious to see who blamed whom in 2014 and 2015. Note that
it was a fluid situation during the breach and subsequent fallout, as
different people and firms investigated, selectively sharing their findings
(sometimes with media, sometimes with law enforcement). It caused a bit of
flip-flopping in some cases for the Obama administration, while others took
a stance early on and doubled down at every opportunity. Reading back
through the articles, we have created a list of who attributed the attack to
whom back then:

| Attributor | Attribution | Date | Source |
| --- | --- | --- | --- |
| North Korea | *maybe* North Korea | 2014-12-02 | BBC Article <https://www.bbc.com/news/world-asia-30283573> |
| North Korea | *not* North Korea | 2014-12-07 | New York Times <https://www.nytimes.com/2014/12/08/business/north-korea-denies-hacking-sony-but-calls-attack-a-righteous-deed.html> |
| Joe Demarest, FBI | *not* North Korea | 2014-12-09 | Reuters Article <https://www.reuters.com/article/us-sony-cybersecurity-fbi/fbi-official-says-no-attribution-to-north-korea-in-sony-hack-probe-idUSKBN0JN1MF20141209> |
| Unnamed Source | Investigating China | 2014-12-15 | Deadline Article <https://deadline.com/2014/12/is-the-chinese-armys-cyber-squad-behind-the-sony-attack-1201325918/> |
| Marc Rogers, CloudFlare | *not* North Korea | 2014-12-18 | Blog Post <https://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlikely-to-be-the-work-of-north-korea/> |
| Marc Rogers, CloudFlare | Sony Insider | 2014-12-18 | Blog Post <https://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlikely-to-be-the-work-of-north-korea/> |
| Obama Administration / FBI | North Korea | 2014-12-19 | FBI Press Release <http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation> |
| CrowdStrike | North Korea | 2014-12-19 | CrowdStrike Blog <https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/> |
| Taia Global | Russia | 2014-12-26 | NPR Article <https://www.npr.org/sections/alltechconsidered/2014/12/26/373303733/doubts-persist-on-u-s-claims-on-north-korean-role-in-sony-hack> |
| Norse Corporation | Sony Insiders | 2014-12-28 | Security Ledger <https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/> |
| James Clapper, DNI | North Korea | 2015-01-07 | Business Insider <https://www.businessinsider.com/this-is-north-korean-general-behind-sony-hack-2015-1> |
| Seth Rogen | *not* North Korea | 2018-04-15 | IGN Article <http://www.ign.com/articles/2018/04/16/seth-rogen-doesnt-believe-north-korea-behind-sony-hack> |

As you can see, attribution was all over the place back then, with what
appear to be some mistakes as recently as April of this year (Rogen) and some
relatively safe bets (Clapper, after seeing the evidence the FBI had).
Perhaps the most fascinating is the Norse claim that a Sony insider was
involved. That is actually part of a larger, more specific attribution
<https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/>
they made then:

Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President
at Norse, said that his company identified six individuals with direct
involvement in the hack, including two based in the U.S., one in Canada,
one in Singapore and one in Thailand.  The six include one former Sony
employee, a ten-year veteran of the company who was laid off in May as part
of a company-wide restructuring.

That is a very specific list of people, supposedly with enough evidence to
make them go public, and it doesn’t include a North Korean as far as they
knew. Hopefully in the future everyone will get a chance to look at the
evidence they collected, in light of the latest indictment, and see what
happened.

*Conclusion?*

In this ongoing blog series, we frequently have the notion that we will
wrap it up someday. With a criminal indictment and what appears to be
definitive proof pointing to North Korea, it seems like this may be the
time. But we’ve learned our lessons on these epic data breaches! If more
develops on this story, we’ll be here to cover it.