Sony Pictures hacked, blackmailed


Apparently, Sony Pictures was hacked.

The breach has still not been confirmed by the company, whose only comment so far is that they are “investigating an IT matter.”

But according to a Reddit user who claims to have worked for Sony and still has friends there, every computer in the Sony Pictures network has been effectively made unusable, and is sporting the following image:

According to an internal source that talked to The Next Web, all Sony employees have been instructed to go home for the day and work from there, but not to connect to the company’s corporate network or check their work email.

They have also been instructed to turn off their computers and disable Wi-Fi on their mobile devices while the IT department investigates the breach.

The message identifies a hacker group named #GOP as the perpetrators of the breach. It seems that they managed to compromise one server and then access the rest of the network. The URLs included in the image all point to a ZIP file of supposedly stolen files, including financial information, private keys for servers, and more.

The group threatens that additional files will be leaked if their requests aren’t met, but we don’t know what these requests are. The noted deadline came and went, but there is still no additional information or leaks.

“A very public ransom attack is fairly unusual,” Eric Cowperthwaite, VP of advanced security and strategy at Core Security commented. “Sony has had more time and incentive than your average company to improve its security. I would assume that after past security events at Sony, all Sony divisions have greatly improved security. If that is the case, then whoever is responsible for this attack is fairly capable themselves. As always, I would view this as a warning that everyone else needs to pay attention. If they don’t have better security than Sony Pictures (which I would wager is likely), then they need to invest time and effort in improving their security capability and maturity.”

“The facts as we currently know them suggest that a single point of failure – a lone system that was breached, according to the statements to date – led to a catastrophic breach,” says Kevin O’Brien, a member of the founding team of Conjur. “Taken broadly, this replicates the same pattern of breach that we’ve seen across 2013 and 2014: weak access control results in systemic failure.”

“We only have conjecture so far, but it would not be overly surprising to learn that there was an internal threat vector in the mix here, as well. Consider what happened at Code Spaces as a potential example of the same structure of breach: a disgruntled (former) employee led to a credential loss, escalation of privilege attack, and eventual catastrophic data access,” he added.

“Organizations like Sony will (hopefully) have a robust audit trail at their disposal that sits external to the systems that are compromised here; what tends to happen here is that the attackers will work to erase their tracks. From this perspective, the other question is whether these forensic components are exposed as part of the same threat surface that led to the original breach. Legacy systems tend to mix these two streams (the data and systems under attack and the defensive systems that protect them); the amount of time and effort required on Sony’s behalf will rely (in part) on whether or not they have a modern infrastructure that is resilient to this kind of attack.”