Experts: Sony Hackers Were Inside the Company Network for a Long Time

Security experts are poring over the malware used in the recent attack against Sony, as well as the massive amount of data released as a result of the attack, in an attempt to recreate what happened.

An early examination of the malware makes it clear the hackers had become familiar with the Sony network beforehand, according to Jaime Blasco, the director of AlienVault Labs. Blasco said his analysis of the code found the names of Sony’s internal servers as well as credentials and passwords needed to connect to the network. The malware was used to communicate with IP addresses in Europe and Asia, he said, which is common for hackers trying to obscure their location.

Blasco also noted that some of the code was written in Korean, which seems to point to the most common working theory about the perpetrators—that they work for the North Korean government.

Sony still isn’t talking, and without details from the company, it remains unclear exactly how the breach happened or whether the company might have been able to prevent the attack. There’s no shortage of suspects, in part because Sony is a frequent target for hackers. The company’s PlayStation video game network suffered a major breach in 2011, and more than 900 domains that appear to be related to the company have been compromised in the past 12 years, according to an analysis by security firm Packet Ninjas. The North Koreans’ motive, apparently, is the forthcoming Seth Rogen and James Franco comedy about an attempt to kill the country’s leader. A report in Re/code indicated that Sony would soon publicly blame North Korea for the breach, but speculation has also focused on the possibility someone inside the company cooperated with the attackers.

No definitive evidence about the perpetrators has been found in the malware, but researchers think they’re getting a better idea about the nature of the attack. Several firms have focused on the fact that data released by the attackers include a number of Sony’s private cryptographic keys. It’s not clear whether the attackers used these keys to gain access to specific parts of Sony’s network or just saw them as another piece of damaging information to hurt the company. But losing control of these keys is a big deal. An attacker with access to them can get onto encrypted servers. The keys can also be used to move around information in ways that might evade intrusion detection systems, which watch for suspicious movements of data around or out of the company’s networks.

This software regularly ignores encrypted data because they are assumed to be safe, says Kevin Bocek, vice president at Venafi. “We have systems to look for malware,” he adds, “but one of the things we’re not very good at is when the bad guys have these types of keys to the kingdom.” An attack using those keys would mark a sophisticated intruder who likely spent a significant amount of time within the system.

Anyone with access to the keys would have access to Sony’s computers until the company managed to change them—a process that often becomes difficult when companies lose track of all the ways the keys are used. Failure to protect private keys is an area of growing concern to security professionals. Just as people don’t change their passwords regularly, companies are often slow to change their keys, even when they know they’re vulnerable.

An analysis by researchers at the University of Maryland and Northwestern University found that 87 percent of companies left vulnerable by this year’s Heartbleed vulnerability hadn’t revoked their keys within three weeks. The researchers also found a distinct inclination not to change keys over weekends. Sony lost control of cryptographic keys in the 2011 attack, says Bocek, which raises the question why it hadn’t protected them more closely three years later.

In addition to the technical aspects of the attack, Sony’s plight is notable in one nontechnical way: The hackers don’t seem to have engineered the breach for financial gain. The main goal appears to have been to damage Sony’s computer systems and to humiliate the company by releasing internal information.

When Target was hacked, by contrast, the perpetrators were after credit card data. Humiliation was a side effect. In Sony’s case, public disgrace seems to be the entire point. “This seems to be about 90 percent assault, 10 percent theft,” says Mike Lloyd, chief technical officer of security firm RedSeal. “And even the theft was just assault by other means.”
