Sony hack fits pattern of recent destructive attacks

The ferocity of the Sony Pictures attack took the technology world by surprise. But it has similarities to other destructive hacks. Among other things, the Sony malware relied on the same commercial software to access and erase Sony hard drives as was used in a destructive attack on oil giant Saudi Aramco in 2012.

The hacker strike on Sony Pictures Entertainment, which is headquartered in Culver City, Calif., shares similarities with at least two other recent, major cyberattacks.


December 4, 2014

Sony Pictures Entertainment struggled to regain its footing Thursday, more than a week after unknown attackers unleashed a furious assault on the company’s computer network.

In the days since the attack became public, the hackers have released thousands of sensitive files: from pre-release feature films to detailed account information needed to run Sony’s day-to-day operations.

At a time when companies are warned to be on the lookout for “low and slow” attackers who studiously avoid notice, the Sony breach will be remembered for its unusual ferocity. On Nov. 24, the assailants declared their presence by decorating employee desktops with a belligerent message before erasing the hard drives of computers and servers they compromised as a parting shot.

While destructive hacks such as the one on Sony are atypical, they are not unknown. In fact, the attack on Sony shares many similarities with at least two other recent, destructive cyberattacks: from the methods used to carry out the strike to the software used to compromise Sony’s computer systems. Those earlier hacks also suggest that attackers had access to Sony’s network long before they played their hand.

Two incidents in the last two years are worth particular notice: the August 2012 attack on oil giant Saudi Aramco that resulted in the destruction of an estimated 30,000 computer systems and a March 2013 attack on South Korean media outlets and financial institutions. That attack also destroyed around 30,000 computer systems. Both attacks used so-called “wiper” malware similar to that used in the attack on Sony.


Similar to the Sony hack, the attacks on Saudi Aramco in 2012 came at the hands of a shadowy hacking group, the “Cutting Sword of Justice,” an “anti-oppression hacker group” that cited ideological reasons for the attack – in that case the “crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt.”

Both hacks also involved multistage attacks consisting of an initial infection by a malware “dropper” that downloaded and installed the actual “wiper” malware. And both the Saudi Aramco hack and the Sony hack featured malware that “beaconed” to external IP addresses to inform the attackers of the progress of the hack.


Commercial tool used in attacks

In fact, the Sony malware and “Disstrack” (the malware used in the “Shamoon” attack on Saudi Aramco) relied on the same commercial tool to access and erase the hard drive, a program called RawDisk by the company Eldos, according to a source with knowledge of the attack.

RawDisk is a Windows library that is sold to software developers, providing tools for accessing the hard disk on a local system. The version used by the malware authors in the attack on Sony was an older version of RawDisk and was installed using a stolen license key, Eldos’s chief executive officer Eugene Mayevski tells Passcode.

“The idea behind our product is that the legitimate software is willingly installed by the limited user,” says Mayevski.

There are even more similarities between the Sony attack and what has been dubbed “Dark Seoul,” the March 2013 attack on media outlets and financial services firms in South Korea. That attack, like the Sony hack, has been linked – tentatively – to the government of North Korea.

In that attack, as in the attack on Sony, a previously unknown “hacktivist” group claimed responsibility. In the case of the South Korean attacks, it was the NewRomantic Cyber Army Team. Like the Sony attacks, the hack of the South Korean firms involved a long-term infection and substantial theft of data from the target organizations before the “wiper” component was deployed, destroying thousands of infected systems.

Subsequent analysis by the firm McAfee suggests that the wiper attack known as “Dark Seoul” was just the dénouement of a much longer-lasting and sophisticated cyber-espionage campaign that they dubbed “Operation Troy” and that involved hallmarks of so-called “Advanced Persistent Threat” (or APT) attacks, such as customized software (developed incrementally over years), targeted attacks and data exfiltration. That malware was used to gain access to software management tools that were then hijacked and used to distribute malicious code across the target networks, McAfee revealed.

Waiting to strike

That may be the case with Sony, as well. Evidence suggests that the group behind the attack was at work honing their tools long before November. In fact, the wiper software with the same name and cryptographic signature as the malware used against Sony was observed in the wild as early as July 2014. The domains it communicated with were also noted at the time, according to the security firm PacketNinjas.

"That may be evidence that the attackers were already in Sony’s network and testing their final payload to make sure it would escape notice by Sony’s security software,” says Dave Thompson, a Senior Director of Product Management at the cybersecurity firm LightCyber. “They had plenty of time to test against what Sony had in place,” he says.

A detailed analysis of the Sony hack hasn’t yet been published, but cybersecurity experts say it is almost certain to reveal that the attackers had access to Sony Pictures Entertainment’s networks long before they revealed their presence last week, Thompson says.

“Typically breaches aren’t detected until almost a year after initial penetration,” says Thompson. “I think we can imagine that these hackers didn’t come in on Saturday and have their attack go off on Monday.”

The attack on Sony will be cold water in the face of many firms that have become accustomed to the idea of “low and slow-moving” attacks. Thompson says that, while threat intelligence such as lists of malicious files and IP addresses is common, it can be hard for companies to grasp which information demands immediate action in the absence of any overt signs of trouble.

“You have all these artifacts, but they don’t give you a good picture of the urgency of what’s happening,” he says.