The computer hackers drilled into the network at the elegant St. Regis Bangkok that night and, with a keystroke, laid bare the secrets of Sony Pictures Entertainment.
What had begun with a secret incursion into the Hollywood studio’s computer system was reaching its climax in, of all places, a five-star hotel in the capital of Thailand.
It was 12:25 a.m. on Dec. 2 in Bangkok, the morning of Dec. 1 in California. Working through the high-speed network at the St. Regis -- whether from a guest room, a public area like the lobby or a separate location is unknown -- the hackers began leaking confidential Sony data to the Internet, according to a person familiar with investigations into the breach. This person spoke on the condition he not be named because the inquiries are confidential.
By the time it was over, the world would learn private details of 47,000 Sony employees, former employees and freelancers, as well as several Hollywood stars, in a hack that many experts say heralds a dangerous new era in cybersecurity. The entertainment division of Sony Corp. is still struggling to contain the damage from the revelations.
Who hacked Sony, and why, remains unclear. The attack appears to have been designed to embarrass Sony, rather than to enrich the perpetrators.
As cybersecurity experts sift through clues, many say the episode bears the hallmarks of DarkSeoul, a hacking group with suspected links to North Korea that struck South Korean banks and media companies in 2013. North Korea, which has denied any involvement in the Sony episode, released a statement yesterday saying the hack “might be a righteous deed” of its supporters or sympathizers.
If North Korea is behind the attack, the development would mark an alarming shift in state-sponsored cybercrime, which has generally targeted military and infrastructure, said Michael Fey, president and chief operating officer of Blue Coat Systems Inc., a network security company in Sunnyvale, California.
“It’s a very high stakes game of poker that’s starting to escalate,” Fey said.
The Thai connection, which hasn’t been reported previously, provides a glimpse into how the Sony hack went down.
Cybersecurity investigators have traced the hackers’ digital footprints to the network at the St. Regis Bangkok, on Rajadmari Road in an area populated by international corporations and upscale boutiques such as Bulgari and Valentino.
Evidence suggests the person or persons who distributed the Sony data may have been operating inside the hotel, although it’s also possible they were working from a remote location, according to the person familiar with the investigation.
An Internet Protocol address the malware used to communicate with the hackers was also located at a university in Thailand, this person said. Hackers often take advantage of open university networks in initiating attacks. Katie Roberts, a spokeswoman for Starwood Hotels & Resorts Worldwide Inc., which owns the St. Regis Bangkok, didn’t respond to emails seeking comment.
If the hackers were indeed at the St. Regis, they were essentially hiding in plain sight by using a busy wireless network available to hundreds of guests. The data disclosed included salaries and home addresses of people who left Sony as far back as 2000, as well as Social Security numbers and contracts. Celebrities whose details were revealed include actor Sylvester Stallone and producer Judd Apatow.
One theory is that the attack was North Korea’s revenge for a new Sony comedy, “The Interview” -- an idea some cybersecurity experts have called far-fetched. The film stars Seth Rogen and James Franco and concerns an attempt on the life of North Korean leader Kim Jong Un.
Yet all sides agree that North Korea appears to operate a large network of hackers, with estimates ranging as high as 5,900. Many of these people work outside North Korea because of that country’s limited Internet infrastructure.
One hacking unit is housed within the Korea Computer Center, or KCC, a government research and development agency, according to a report issued in August by the cybersecurity division of Hewlett-Packard Co. The KCC operates out of almost 20 offices in North Korea and branches in China, Germany, Syria and the United Arab Emirates, HP said.
The Reconnaissance General Bureau, the country’s primary intelligence agency, has two hacking units, No. 91 Office and Unit 121. Some members of Unit 121 have worked out of the Chilbosan Hotel in Shenyang, China, near the North Korean border, according to a 2009 research paper that cited a North Korean defector who claimed to have served in Unit 121.
That’s one reason a connection to a foreign hotel in the Sony hack -- in this case, the St. Regis Bangkok -- doesn’t surprise investigators linking the attack to North Korea.
More clues lie in the computer code itself. Details released by the U.S. Federal Bureau of Investigation have enabled security companies to find and analyze the malware used against Sony. The first piece of code outlined by the FBI was customized for Sony, according to Daniel Clemens, a security researcher and founder of Packet Ninjas LLC, a cybersecurity firm in Hoover, Alabama. When the malware runs, it tries to connect to hosts within Sony’s network, indicating it was tailored to the company.
Other elements are similar to the DarkSeoul campaigns in South Korea. The group generally uses destructive “wiper” programs that erase hard drives or conducts distributed denial of service attacks that clog websites with fake traffic, according to Symantec Corp.
The Sony code shares techniques and component names with the code used in the earlier DarkSeoul attacks, according to an analysis by Mountain View, California-based Symantec.
At least one command and control server in Bolivia was used in both the South Korean campaigns and the Sony Pictures hack, suggesting that the same group was behind both, said Liam O Murchu, a security researcher for Symantec. Command and control servers, which are used to communicate with malware once it’s on a target’s systems, are typically hacked themselves, masking the attackers’ true origins.
“This is the same group that was working in Korea a year ago,” O Murchu says. “There are so many similarities -- this must be the same people.”
Kurt Baumgartner, principal security researcher at Kaspersky Lab in Denver, Colorado, also found similarities. As in South Korea, the destructive programs were compiled less than 48 hours before the attack, he said. In both instances, the hackers also defaced websites with skeleton images and vaguely political messages.
The malware used against Sony also has overlaps with Shamoon, perhaps the most high-profile deployment of wiper software to date, which destroyed information on thousands of computers in Saudi Arabia in 2012. Both used the same kind of commercially available drivers from the RawDisk library made by EldoS Corp., Baumgartner said. Shamoon was also compiled very shortly before it detonated.
After the attacks in 2013, researchers at Intel Corp.’s McAfee unit traced the code back to a family of malware used against South Korean and U.S. targets, starting in 2009 with denial of service attacks against South Korean and U.S. military targets. McAfee called the attack “Operation Troy.”
CrowdStrike Inc., another security technology company, has another name for the DarkSeoul group -- Silent Chollima, a reference to the mythical winged horse that is an important symbol in North Korea. CrowdStrike has been tracking the group since 2006 and has linked it to the North Korean government.
“Destructive attacks are actually very, very rare -- North Korea is one of the few that has launched them repeatedly,” says Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, which is based in Irvine, California. “They always seem to be pushing the boundaries of what they can do.”
‘Guardians of Peace’
In the Sony case, a previously unknown group calling itself GOP, or “Guardians of Peace,” claimed responsibility. In earlier attacks attributed to North Korea, the hackers have also posed as hacktivist groups, according to John Hultquist, senior manager of cyber-espionage threat intelligence at iSight Partners Inc., a cybersecurity company based in Dallas.
Hultquist said the hackers may be hired contractors or are creating a hacktivist profile to hide their identity, especially since the group doesn’t have a history of similar acts. It’s an increasingly common tactic of nation states trying to cover their trails, he said.
“By definition, a hacktivist group has a history, they’ve been out defacing websites, doing stuff,” Hultquist said. “Given the lack of a background behind the hacktivist organization claiming responsibility, I think we’re looking at North Korea sponsoring it or someone sympathetic to North Korea sponsoring it.”