The United States government is expected to attribute the damaging and embarrassing hack of Sony Pictures Entertainment to the government of North Korea. Various mainstream media outlets quoting anonymous government sources said North Korea is “centrally involved” in the attack, which NBC News said was carried out by hackers outside the isolated country on the orders of the North Korean government.
It’s unknown what evidence the U.S. government has linking the Sony hack to North Korea, or how that evidence was obtained. Security experts said the U.S. is unlikely to offer many details, since doing so would reveal what are likely classified activities. Another big unknown is how the U.S. will respond against a nation already under heavy economic sanctions. The Washington Post reports the White House has not determined a course of action, which will delay a public announcement.
The public narrative about motive has centered on The Interview, a Sony-produced comedy that depicts a plot to assassinate North Korean leader Kim Jong Un. A North Korean spokesman called the movie a “blatant act of terrorism and war,” leading to initial speculation that the country was behind the attack on Sony, which yesterday canceled the movie’s scheduled Christmas Day release. Sony’s announcement came after leading theater chains said they would not run the movie following threats from the Guardians of Peace, the hacker group claiming responsibility for the attack, which said it would carry out a 9/11-style response against the premiere and any theaters showing the movie.
The movie, however, could be a massive red herring. The attackers allegedly made off not only with terabytes of data that included private emails from top executives and celebrities, but also with intellectual property ranging from unreleased movies, which were made available for download, to scripts of potential upcoming blockbusters, which were put online, along with employees’ personal information. They also covered their tracks by unleashing wiper malware that overwrote hard drives company-wide, malware that was also used in the DarkSeoul attacks in South Korea attributed to the North, as well as in the Saudi Aramco Shamoon attacks attributed to Iran.
Could this just be a rogue country demonstrating its capabilities and proving that it can operate on a somewhat level playing field with a world power?
“It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.”
Aitel was one of the first to publicly theorize that North Korea was behind the Sony hack, and he likened it to Iran’s alleged involvement in the Shamoon attacks that destroyed 30,000 workstations at Saudi Aramco, the Saudi state-run oil producer.
“Iran did this exact same near-mortal blow to Saudi Aramco, as a way of demonstrating that they could and would,” Aitel said. “That’s what just happened to Sony, but they didn’t see it in time, and didn’t realize they were going to have to fold. If you recognize the signature of this kind of nation-state attack, it is not hard to see ahead of time what is going to happen.
“Clearly, not all hacking (even very impactful hacking) by random hacker groups is war/terrorism,” Aitel continued. “But when a nation state decides to take out a business in another country, it’s hard for our policy team to find another word for it.”
While attribution is difficult in any hack, analysis of the Destover wiper malware has been conclusive in linking it to the three most public, destructive attacks on record. Kaspersky Lab senior researcher Kurt Baumgartner published a report on Dec. 4 analyzing the similarities in the Shamoon, DarkSeoul and Sony hacks.
Across the three attacks, Baumgartner notes three shared traits: the use of the commercially available Eldos RawDisk driver files (Shamoon and Destover); wiper drivers carried in the dropper’s resource section (Shamoon and Destover); and disk data and the master boot record overwritten with encoded political messages (Shamoon and DarkSeoul).
“In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” Baumgartner wrote in a report published on Securelist. “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.”
Cisco’s Talos research team published its own report yesterday, warning potential victims that backups are an essential protective measure against such attacks. The Talos report dives into the technical aspects of wiper malware and how to detect it.
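The traits Baumgartner lists (a driver image carried inside the dropper, raw-disk driver strings, an overwritten master boot record) translate directly into triage checks a defender can run. The script below is an added illustration written for this article; it is not code from Kaspersky Lab, Cisco Talos or any of the reports cited, and the samples it scans are constructed byte strings, not real malware. It assumes "RawDisk" (the product name cited above) and "ElRawDisk" (the device name the commercial driver exposes, taken from public Shamoon analysis rather than from this article) as indicator strings; treat both as placeholders to replace with your own.

```python
import struct

# Constructed example: static triage heuristics for a suspected wiper dropper.
# "RawDisk" is the driver product name cited in the article; "ElRawDisk" is
# the device name the commercial driver exposes (an assumption taken from public
# Shamoon analysis, not from this article). Replace with your own indicators.
DRIVER_INDICATORS = (b"RawDisk", b"ElRawDisk")

PE_SIGNATURE = b"PE\0\0"


def find_embedded_pe(data: bytes) -> list:
    """Offsets of PE images embedded *inside* a file: MZ headers past offset 0
    whose e_lfanew field points at a valid PE signature. A driver carried in
    the dropper's resource section shows up here."""
    hits = []
    pos = data.find(b"MZ", 1)          # skip the host file's own header at 0
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes, indicators=DRIVER_INDICATORS) -> dict:
    """Combine two of the traits the article lists for the droppers: an
    embedded driver image plus raw-disk driver strings."""
    embedded = find_embedded_pe(data)
    strings = [s.decode() for s in indicators if s in data]
    return {
        "embedded_pe_offsets": embedded,
        "driver_strings": strings,
        "suspicious": bool(embedded) and bool(strings),
    }


def mbr_intact(sector: bytes) -> bool:
    """Forensic sanity check on a captured first sector: an MBR overwritten
    with arbitrary data usually lacks the 0x55AA boot signature at bytes 510-511."""
    return len(sector) == 512 and sector[510:512] == b"\x55\xAA"


def make_fake_pe(payload: bytes = b"") -> bytes:
    """Minimal constructed PE-like image: MZ header, e_lfanew = 0x40, PE signature."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + PE_SIGNATURE + payload


# Constructed samples (not real malware): a "dropper" carrying a fake driver
# image that references the raw-disk device name, and a benign file.
FAKE_DRIVER = make_fake_pe(b"\0" * 16 + b"\\??\\ElRawDisk\0" + b"\0" * 16)
SAMPLE_DROPPER = make_fake_pe(b"\0" * 64 + b".rsrc" + b"\0" * 32) + FAKE_DRIVER
SAMPLE_BENIGN = make_fake_pe(b"hello, world\0")

# Constructed disk sectors: one with a valid boot signature, one overwritten.
MBR_GOOD = b"\0" * 510 + b"\x55\xAA"
MBR_WIPED = b"X" * 512

if __name__ == "__main__":
    print(triage(SAMPLE_DROPPER))   # embedded image found, driver strings present
    print(triage(SAMPLE_BENIGN))    # nothing flagged
    print(mbr_intact(MBR_GOOD), mbr_intact(MBR_WIPED))
```

The embedded-image check is deliberately a heuristic rather than a full resource-tree parser: it flags any file that carries a second, well-formed PE header, which is what a dropper holding its wiper driver as a resource looks like. The MBR check is the kind of thing an incident responder runs against disk images from affected hosts to scope how far the overwrite reached; pairing it with the backup advice from the Talos report is what makes recovery possible.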