Sony Pictures hack 2014 (discussion)

In 2014, Sony agreed to distribute 'The Interview', a comedy film that satirises the assassination of the North Korean leader Kim Jong-un. North Korea demanded that the film be cancelled and warned that releasing it would be treated as an "act of war" (McCurry, 2014). Soon afterwards, a major breach hit Sony Pictures Entertainment, crippling the company for days and sending it into a panic (Robb, 2014). When the intrusion began is still unknown, but U.S. investigators estimated from the volume of stolen data that the attackers had been inside the network for at least two months before the attack (Sanger and Fackler, 2015). However, a purported member of the Guardians of Peace claimed that the group had compromised Sony's systems a year before the attack (Zetter, 2014).


The malware used in the attack to gain full access to Sony's shared network and disable McAfee's software:


The malware used in the attack was WIPALL. The attack began with the installation of the main installer, BKDR_WIPALL.A, which is disguised as an executable named "diskpartmg16.exe". It carries an encrypted set of usernames and passwords that were used to gain full access to the organisation's shared network and to the root of the systems on it (Kovacs, 2014). The credentials are encrypted with a single-byte XOR using the key 0x67.
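As an added example (not code from the original post or from Trend Micro's analysis), the following decoder recovers credential records from an overlay encrypted with the single-byte XOR scheme described above. The overlay bytes and the credentials in it are constructed placeholders, and the key-recovery function generalises the page's case to an unknown key.

```python
# Added example, not code from the original post or from Trend Micro's analysis.
# Recovers credential records from a blob encrypted with a single-byte XOR key,
# the scheme the post describes for BKDR_WIPALL.A's overlay (key 0x67). The overlay
# below is CONSTRUCTED for illustration and the credentials are placeholders.
XOR_KEY = 0x67  # key reported for BKDR_WIPALL.A's embedded credentials

# Constructed plaintext layout: one "DOMAIN\user:password" record per line.
_SAMPLE_PLAINTEXT = b"CORP\\svc_backup:Placeholder1\nCORP\\jdoe:Placeholder2\n"
SAMPLE_OVERLAY = bytes(b ^ XOR_KEY for b in _SAMPLE_PLAINTEXT)

def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: the same key encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab, LF and CR count as text)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def guess_xor_key(data: bytes) -> int:
    """Brute-force all 256 keys when the key is not known in advance (the post's
    case had a reported key, so this generalises it). Candidates are ranked by
    printable ratio, with the number of newline record separators as tie-breaker,
    because several keys can map one short text to all-printable bytes."""
    def score(key: int) -> tuple[float, int]:
        plain = xor_decode(data, key)
        return (printable_ratio(plain), plain.count(b"\n"))
    return max(range(256), key=score)

def extract_credentials(overlay: bytes, key: int = XOR_KEY) -> list[tuple[str, str]]:
    """Decode the overlay and split it into (account, password) pairs.
    Lines without a ':' separator are skipped rather than raising."""
    creds = []
    for line in xor_decode(overlay, key).split(b"\n"):
        if b":" not in line:
            continue
        account, password = line.split(b":", 1)
        creds.append((account.decode("ascii", "replace"),
                      password.decode("ascii", "replace")))
    return creds

if __name__ == "__main__":
    key = guess_xor_key(SAMPLE_OVERLAY)
    for account, password in extract_credentials(SAMPLE_OVERLAY, key):
        print(f"key {key:#04x}: {account} -> {password}")
```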


Figure: BKDR_WIPALL.A's overlay containing encrypted usernames and passwords (Trend Micro, 2014)

The next component is BKDR_WIPALL.B, disguised as igfxtrayex.exe, which is dropped by BKDR_WIPALL.A (Micro, 2014). BKDR_WIPALL.B is the component responsible for causing the damage: it sleeps for 10 minutes, then starts deleting files and stops the Microsoft Exchange Information Store service. After that it sleeps for two hours and then forces the system to reboot (Kovacs, 2014).


Moreover, researchers found that BKDR_WIPALL.B executes copies of itself with various parameters to delete files on the drive, and that it drops usbdrv32.sys, which gives the attackers read/write access to files on the system (Kovacs, 2014).


(Author's work)


This is how the hackers replaced McAfee's real-time scanner with another file, using BKDR_WIPALL.C, which shares its code with BKDR_WIPALL.B. BKDR_WIPALL.C checks whether the system is running 64-bit Windows. If so, it drops the KProcessHacker driver (disguised as kph.sys) and BKDR64_WIPALL.F, the file that takes the place of McAfee's real-time scanner by moving McAfee's own file to another location. As a result, every time the McAfee service is started, the replacement file (BKDR64_WIPALL.F) executes instead of the legitimate one (Micro, 2014).


(Author's work)

Finally, the red skull image appeared on employees' computers on 25 November. This is when Sony first discovered it had been hacked: the message in the image stated that the Guardians of Peace (GOP) group had taken over the system and obtained full access to the network. That was just before Sony's network was shut down (Zetter, 2014). The message was displayed on employees' computers after the infection chain BKDR_WIPALL.D, via its component BKDR_WIPALL.C, dropped an image file called 'walls.bmp' (Micro, 2014).


The Red Skull image (Wired, 2014)
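The infection chain described above can also be read as a detection exercise. The following is an added example, not code from the original post or from any vendor's product: it applies the WIPALL indicators named on this page (the dropped file names, the Exchange service stop, the GOP image) to log lines in a constructed format and alerts per host only when more than one stage of the chain is seen.

```python
# Added example, not code from the original post or from any vendor's product.
# Applies the WIPALL indicators the post describes (dropped file names, the
# Exchange service stop, the GOP image) to log lines and alerts per host when
# more than one stage of the chain is seen. Log format and lines are CONSTRUCTED.
import re
from collections import defaultdict

# (stage, event type, pattern over the event payload). Names are from the post;
# basenames are anchored so the legitimate igfxtray.exe never matches igfxtrayex.exe.
RULES = [
    ("installer", "ProcessCreate", re.compile(r"image=.*[\\/]diskpartmg16\.exe$", re.I)),
    ("wiper-drop", "FileCreate", re.compile(r"path=.*[\\/]igfxtrayex\.exe$", re.I)),
    ("exchange-stop", "ServiceStop", re.compile(r"name=Microsoft Exchange Information Store$", re.I)),
    ("driver-drop", "DriverLoad", re.compile(r"path=.*[\\/](usbdrv32|kph)\.sys$", re.I)),
    ("gop-image", "FileCreate", re.compile(r"path=.*[\\/]walls\.bmp$", re.I)),
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<payload>.*)$")

# Constructed sample log: "<timestamp> <host> <event> <key=value payload>".
SAMPLE_LOG = """\
2014-11-24T03:12:05Z host01 ProcessCreate image=C:\\Windows\\System32\\diskpartmg16.exe
2014-11-24T03:12:06Z host01 FileCreate path=C:\\Windows\\System32\\igfxtrayex.exe
2014-11-24T03:22:07Z host01 ServiceStop name=Microsoft Exchange Information Store
2014-11-24T03:22:09Z host01 DriverLoad path=C:\\Windows\\System32\\drivers\\usbdrv32.sys
2014-11-24T03:22:10Z host02 ProcessCreate image=C:\\Windows\\System32\\igfxtray.exe
2014-11-24T03:25:00Z host03 FileCreate path=C:\\Users\\Public\\walls.bmp
""".splitlines()

def match_line(line: str):
    """Return (host, stage) for the first rule the line matches, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for stage, event, pattern in RULES:
        if m["event"] == event and pattern.search(m["payload"]):
            return (m["host"], stage)
    return None

def stages_per_host(lines):
    """Distinct chain stages observed on each host, in order of first sighting."""
    seen = defaultdict(list)
    for line in lines:
        hit = match_line(line)
        if hit and hit[1] not in seen[hit[0]]:
            seen[hit[0]].append(hit[1])
    return dict(seen)

def hosts_to_alert(lines, min_stages: int = 2):
    """A lone indicator can be noise; require two or more stages before alerting."""
    return sorted(h for h, s in stages_per_host(lines).items() if len(s) >= min_stages)
```

On the constructed log, host01 shows four stages and is alerted, host02's legitimate igfxtray.exe does not match, and host03's single walls.bmp sighting stays below the threshold.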


The implications:


The hackers succeeded in stealing 46 gigabytes of the company's sensitive information and posted it on the internet. They claimed to have obtained 100 terabytes of data, including sensitive data that could put employees in jeopardy: the leaked documents included employees' names, social security numbers and personal information such as criminal records and salary records. Moreover, some of the leaks included unreleased Sony films and celebrities' passports and visas (Zetter, 2014).


As a result, Sony had to pay up to 8 million dollars to current and former employees, in legal fees, and for security improvements to its systems (BBC, 2015). Moreover, the total loss was up to 35 million dollars (Hornyak, 2015).


This was not the first attack to hit Sony because of a lack of security measures. A few years earlier, in 2011, the PlayStation Network was hacked and more than 77 million users' data was stolen. Yet it appears that Sony had not taken the right measures to strengthen its security. However, the chief executive Kazuo Hirai did say that this time the company would work to make its security stronger, telling a technology conference in California: "There was impact for a short time on the morale of the employees, but I think they have come around. We did learn some lessons with becoming more robust in terms of security, and we have done that. We have come out being a stronger and more resilient business." (BBC, 2015).


Limitations of the study:


This case study has covered the security aspects of the cyber-attack and analysed the malware used. However, the attack had many other elements. One limitation of this study is that it does not cover the cyberwarfare or political elements. Another limitation is that the WIPALL malware used in the attack could not be examined and analysed directly because of the limitations of the computer labs.


Suggestions:


  • Large companies and organisations should take extra security precautions. Instead of relying on a single security layer, for example an antivirus product, it is better to harden the system by applying more than one layer of security.
  • It may also be beneficial to hire a team of security professionals to test the system regularly, so that the system's vulnerabilities are found and exploited by the testers before attackers find them.



References:


BBC, 2015. Sony pays up to $8m over employees' hacked data. [online] Available at: <https://www.bbc.co.uk/news/business-34589710> [Accessed 24 November 2020].

Hornyak, T., 2015. 2014 Cyberattack To Cost Sony $35M In IT Repairs. [online] Computerworld. Available at: <https://www.computerworld.com/article/2879480/2014-cyberattack-to-cost-sony-35m-in-it-repairs.html> [Accessed 24 November 2020].

Kovacs, E., 2014. Researchers Analyze Data-Wiping Malware Used In Sony Attack. [online] SecurityWeek. Available at: <https://www.securityweek.com/researchers-analyze-data-wiping-malware-used-sony-attack> [Accessed 25 November 2020].

Wired, 2014. A photo of a screen showing what is apparently the skull splash page that appeared on Sony company computers when the attack started, posted by someone who said he was a former Sony employee who was sent the image by current Sony employees. The image was first posted on Reddit. [image] Available at: <https://www.wired.com/2014/12/sony-hack-what-we-know/> [Accessed 25 November 2020].

McCurry, J., 2014. North Korea threatens 'merciless' response over Seth Rogen film. The Guardian, [online] Available at: <https://www.theguardian.com/world/2014/jun/25/north-korea-merciless-response-us-kim-jong-un-film> [Accessed 21 November 2020].

Micro, T., 2014. Analysis of the Malware Behind FBI Warnings. [Blog] Trend Micro. Available at: <https://www.trendmicro.com/en_us/research/14/l/an-analysis-of-the-destructive-malware-behind-fbi-warnings.html> [Accessed 25 November 2020].

Micro, T., 2014. WIPALL Malware Leads to #GOP Warning in Sony Hack. [Blog] Trend Micro. Available at: <https://blog.trendmicro.com/trendlabs-security-intelligence/wipall-malware-leads-to-gop-warning-in-sony-hack/?_ga=2.85987864.1634924748.1606245189-607475687.1606245189> [Accessed 25 November 2020].

Robb, D., 2014. Sony Hack: A Timeline. [online] Deadline.com. Available at: <https://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/> [Accessed 25 November 2020].

Sanger, D., and Fackler, M., 2015. N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say. The New York Times, [online] Available at: <https://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html> [Accessed 22 November 2020].

Trend Micro, 2014. Figure 1. BKDR_WIPALL.A's Overlay Contains Encrypted User Names And Passwords. [image] Available at: <https://www.trendmicro.com/en_us/research/14/l/an-analysis-of-the-destructive-malware-behind-fbi-warnings.html> [Accessed 25 November 2020].

Zetter, K., 2014. Sony Got Hacked Hard: What We Know And Don't Know So Far. [online] Wired. Available at: <https://www.wired.com/2014/12/sony-hack-what-we-know/> [Accessed 25 November 2020].


Comments

  1. Hi

    Good work here in the case study research. Please do not forget conclusion part and then complete the pending work of software research.

    A gentle reminder of work required for this week:
    Identify a specific software [research project theme] then post following:

    Evaluation of this particular software
    Detailing some of the functionalities of the software
    Post(s) showing example(s) of how the software works
    Please use screenshots/images in your posts
    Use Harvard referencing style [in-text citations and reference list]


    Many thanks
    Chirag
