Sony hack: Lousy security, customized malware linked to previous attacks

The security picture painted by the stolen and leaked documents from Sony Pictures Entertainment becomes uglier by the day, as several companies and news outlets continue to show the results of their rummaging through the leaked data.

Thousands of plain-text passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts kept in a number of documents labeled “passwords.” Unencrypted US Social Security numbers of over 47,000 celebrities, freelancers, current and former Sony employees, copied on so many locations (occasionally even hundreds) within the network, “giving hackers multiple opportunities to steal sensitive information when they get through,” as pointed out by Identity Finder CEO Todd Feinman. Passport numbers, immigration documentation, CVs and more belonging to individuals who applied for jobs with the company.

The company is yet to publicly comment on this mess.

Putting all this aside, malware researchers have shared more details about the wiper malware used in the attack, and additional indicators that the hack might be the work of North Korean attackers are popping up.

While an anonymous North Korean diplomat has denied that the country had anything to do with it, Kaspersky Lab and Symantec researchers point to the many similarities the malware – which they dubbed Destover – and its C&C infrastructure have with the malware and infrastructure used in several attacks against South Korean targets (DarkSeoul, Jokra) and Saudi Aramco (Shamoon).

Kaspersky Lab researchers have also noticed another similarity in the Shamoon, DarkSeoul and Destover attacks.

“The groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own. All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter,” pointed out security researchers Kurt Baumgartner.

“Images from the DarkSeoul ‘Whois’ and Destover ‘GOP’ groups included a ‘Hacked by’ claim, accompanied by a warning and threats regarding stolen data. Both threatened that this was only the beginning and that the group will be back. It appears that original skeletal artwork was also included in both,” he added.

BlueCoat and AlienVault researchers also found evidence that the attackers had prior knowledge of the company’s internal network. This suggests that they did reconnaissance before the attack and that the malware was designed specifically for it.