Friday03 February 2023

Sony hack was probably not from Korea… Go figure

Reading time is around minutes.

So the big Sony Hack that everyone was talking about and that the US government blamed on Korea might not have been state sponsored after all. Despite the FBI’s initial (and way too fast) conclusion that the source of the attacks were from North Korea there was ample evidence that this was not the case from the start. Anyone familiar with the way an attack happens knows that the majority are going to be pushed through multiple proxies and will have some sort of obfuscation to hide who is doing what including using code that might have been used before.

Despite all of this the FBI plowed on with their claims that the tactics and techniques (the source servers and malware code) were enough to lay the blame at the feet of North Korea. This tied in nicely with what was happening in the news when the group Guardians of Peace suddenly asked for the movie “The Interview” to be pulled. Of course the fact that the initial demands were not so lofty escaped the quick minds in the FBI’s PR team. Other facts that were missed were: the malware used, although written in a “Korean Language environment” it was available on the black market and easy to use. TrendMicro released this information and also noted that this malware was highly targeted with user account information, certificates and server addresses. It indicates that the attackers had a lot of knowledge about Sony’s network.

A second fact that the FBI missed in their rush to blame someone was that the links to North Korea were all dead ends. These ties were never run down to their source which would have reduced the likelihood that the attack originated from North Korea. It was an oversight that, although not a shocker, was unexpected in hindsight. Sony was also determined to put the blame on North Korea and their own internal “investigation” pointed toward a group called DarkSouel. The fact that the FBI and Sony seemed to be in lock step led some conspiracy guys to claim that the MPAA might have pushed for the announcement and reaction from the US.

Now the focus has shifted and there are two primary candidates. The first is that the attack was an inside job with an employee or employees helping the attackers. These were possibly let go during a recent restructure at Sony. This would mesh with some of the evidence including the user accounts and the very targeted malware that TrenMicro saw and also the information that Norse has pulled up. The other option is that the attackers were given information collected by another attack, the DDoS campaign run by the Lizard Squad. There is also some evidence for this as some members of the group are claiming this is true.

Either way, a lot of information was gathered and the attackers had the pieces in place long before the attack ever started. This information allowed the attackers to setup extremely targeted malware which let them mine Sony’s systems for large amounts of information. Some of this information has been released to the public and some might have been leaked to news sites to hurt Sony. Sony is already looking at a pretty large lawsuit over their security policies and issues so things are looking pretty ugly for them right now on that side and there are still more documents to be released by the Guardians of Peace… The FBI is staying very quiet about their quick reaction while the security industry continues to poke holes in their claims.

Tell us what you think

Last modified on Tuesday, 30 December 2014 11:22

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.