Hackers who broke into Sony Corp.’s Hollywood unit probably spent months collecting passwords and mapping the network before they committed a last act of vandalism, setting off a virus that wiped out data and crashed the system in 10 minutes.
Trend Micro Inc. arrived at these conclusions after running simulations on a copy of the virus that struck Sony Pictures Entertainment’s computers. The Tokyo-based developer of security software declined to reveal where it got the malware.
The research details methods used by hackers in what’s become one of the highest-profile cyber-attacks in history. Since November, a group calling itself Guardians of Peace has released private e-mails, salaries and health records of Sony employees to stop the release of “The Interview,” a comedy about a plot to assassinate North Korea’s leader, Kim Jong Un.
“They were probably in the system for months,” Masayoshi Someya, whose title is security evangelist at Trend Micro, said in an interview in Tokyo this month. “One thing that’s very unique about the malware is that it had a payload with a particular time bomb-type capability.”
While it’s unclear how the hackers got access to Sony’s network, the virus they used to destroy it is available on the black market and can be used without a high level of technical sophistication, according to Someya. It was customized for the company, embedding in the program account names and passwords and targeting the security software, he said.
The malware functions as a backdoor to an affected network, allowing intruders remote access while remaining undetected. Once activated by the hackers, the program starts a 10-minute countdown, Someya said.
Cloned minions disable security software, gain access to hard drives and networked storage on all the infected computers, while also trying to log into any connected networks, Someya said. When time is up, all the data is erased and users are greeted by a static screenshot: a picture of a red skeleton scowling under the heading “Hacked by #GOP.”
“We’ve already warned you, and this is just a beginning. We continue till our request be met,” the text reads, according to the screenshot on Trend Micro’s blog. “We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.”
The message also says that to avoid disclosure, users must post their e-mail addresses on Facebook and Twitter, followed by this sentence: “Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.”
The virus is named WIPALL by Trend Micro and Destover by Symantec Corp. and was the subject of the Federal Bureau of Investigation’s Dec. 2 flash warning. Trend Micro didn’t comment on whether Sony used its security software.
McAfee Inc. has also analyzed the malware and determined that its security products would prevent the malware from executing, according to spokesman Chris Palm. He declined to comment on whether the company’s software was used by Sony because there is a federal investigation under way. A Tokyo-based spokeswoman at Sony Pictures declined to comment, asking not to be named because of company policy.
Sony’s internal probe linked the attackers to an organization known as DarkSeoul and U.S. officials plan to announce this week that the communist state is behind the hack, people familiar with matter have said, asking not to be identified as the inquiries aren’t public.
The virus is similar to the one that struck South Korean banks and media companies in 2013, according to reports from Trend Micro and Symantec. While WIPALL was coded in a Korean language environment, that’s not enough to link it to North Korea, as has been previously reported, Someya said.
The hackers have released at least nine batches of data and promised a larger quantity on Christmas. The information revealed has included the salaries of more than 6,700 employees and e-mails taking shots at President Barack Obama and Hollywood stars including Angelina Jolie.
Sony’s hack is part of a wider trend of increasing frequency of targeted attacks. In the quarter to September, the percentage of intrusions aimed at specific companies climbed sevenfold from a year earlier, according to reports compiled by Trend Micro.
“The targeted attack is not a threat to just governments and large corporations and big brands,” Someya said. “Small businesses are also in danger.”