Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

SONY HACK: THE REVENGE OF THE UN! (No Not Really)



SONY PWN3D!

On November 25th 2014 Sony acknowledged that they had been hacked. Since then a group calling itself the GOP has been leaking Sony data online, a gig at a time to start and now at a rate of 27 gig in one dump. According to the hackers they have about 111 TB (terabytes) of Sony data that they plan on dumping if Sony does not capitulate to the demands they transmitted to the company. Since the dump of the 27 gig of very proprietary data, the case can be made that GOP did not get their way and Sony did not capitulate to whatever their demands may have been. The scope of the data being released shows just how thoroughly owned Sony was, but the whole incident just creates many more questions around how this happened, who did it, why, and where Sony can go next.

GOP (Guardians of Peace)

The GOP or Guardians of Peace alleges that it is a group somewhat like Anonymous that has been working toward human rights and other equality issues, which is kind of vague, but then again their email responses (which seem to have been copied and pasted to numerous media outlets) have been pretty stilted and come off as maybe just a façade for other motives. To date, there is no evidence online of there ever having been a GOP other than various groups of online Star Wars gamers who play a group of Jedi Knights under the same nom de guerre. So this looks to be either a “new” group or, perhaps more likely, just a smoke screen for other actor(s) who performed this attack against Sony. An attack that, given the amount of data and some confirmation from the alleged group, took a year to perform.

[Screenshots of the GOP emails. Note the stylometry, which implies a writer whose first language is not English.]

It does seem to be the goal of this attacker set to damage Sony as much as they possibly can. If you look at the data being dumped and the complete compromise of their networking infrastructure, it becomes apparent that this attack will take a lot of time to fix not only on the network side, but also in repairing Sony’s finances and reputation. After all, who is going to trust Sony with loans or want to do Hollywood deals when the data of those paying in or making those deals could be at risk from another attack like this in the future, should Sony not learn from their mistakes?

It remains to be seen just what the alleged GOP is really all about, but at this time I am going to say that, from what I have seen in emails and actions, their goal never was to get a deal out of Sony. Instead I surmise that they just wanted to hit them, and hit them hard, for whatever reasons they have personally. As stated in the email above, they have an axe to grind and they claim that they helped disgruntled individual(s) to carry off this hack. Could this be the case? Sure. However, I am not going to say anything is irrefutable in this debacle.

Physical Security & Insider Attacks

GOP claims from the start that they had someone on the inside who got them in and that Sony’s physical security was non-existent. I personally have talked to people who have intimated the same thing about the lack of physical security at the Sony offices in the recent past. It seems to some that, after the earlier attacks on Sony, the corporation doubled down on tools but not so much on people with the talent to protect the network. While doing this Sony also did not think one bit about the physical security needed to protect their computer networks, and thus it was easy for the attackers to carry off this hack.

While malware was inserted into the networks at Sony, I have yet to see a real bit of intelligence on how it got there and when. Was it inserted physically from a USB stick? Was it a phish from outside? No one will know until Mandiant releases anything, IF that ever happens. Given the nature of all of this and Sony, I suspect we will all be asking questions for a good long time. However, once the systems were compromised, just how was the 111 TB of data exfiltrated from Sony? That is a lot of data to be pushing through a pipe, and if they in fact did this over a year I can see maybe a slower approach, but jeez! Where do you store it all after you get it anyway? Is it distributed a gig at a time somewhere in the cloud? On personal TB USB drives? Was it in fact carried out physically over a period of time as well, so as not to be seen in netflow? I guess we may never know. In the end though it seems that Sony got caught with its pants around its ankles where insider threats are concerned, and this is what others have been saying of late about this attack.

Malware

Interestingly, the malware seems to have started a firestorm of theories and accusations (more of which I cover below), but the gist of the tinfoil theories begins with the wiper malware found at Sony. The malware seems to be a variant of the type that a group called DarkSeoul used on South Korean banks last year. This fact does not make it a lock on it being the same actor, though, and this will bear much on the section below as well. However, let’s look at the details we have now. The malware, once inserted into the systems, looses a trojan dropper and downloads more fun for the exploitation to move on.

Malware Analysis Sources:

https://malwr.com/analysis/M2VjNDE4NzQ3NzgwNDVmNjk4YTY5ODBjZDA3NDMxNDk/

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Destover-C/detailed-analysis.aspx

The last link there shows the malware with the same MD5 listed by the FBI as the malware found at Sony. It attempts to connect to shares on numerous IP addresses in Japan (see below) at what seems to be a Sony facility.

[Screenshot: FBI FLASH for the Sony malware/wiper]

[Screenshot: The Japanese hosts as well as the C&C’s listed by the FBI]

[Screenshot: One more C&C not usually mentioned]

[Screenshot: Two more C&C’s in strings from malwr.com, 12/3/2014]

[Screenshot: Japanese IPs from the sample, 12/3/2014]

[Screenshot: “Berlin” user offering proxies in 2012 with one of the C&C’s listed]

[Screenshot: Bolivian C&C, a default page for a cargo company on the IP]

[Screenshot: The latest iteration of the malware sig is beaconing to an IP in NY]

[Screenshot: Destover-A as named by Sophos]

[Screenshot: Sony Music Division is at the location of the Japanese IPs seen in the malware hosts]

[Screenshot: Destover-C variant of the malware wiper (Sophos)]

Destover-C connections


Addresses in the Sophos sample on which the malware was looking for shares (ports 139 and 445) in Japan

SNORT SIG: alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET TROJAN Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:2;)

Summary of Data:

Overall the malware attempts to map shares as well as connect to C&C’s in a host of different countries for updates and exfil. Could the Japanese IPs mean that Sony’s networks in Japan were the starting point for this malware? If so, the idea of a Korean language setting on the malware might make more sense, as there is a HUGE Korean dissident population in Japan. This too would also make sense if a Korean actor was acting out on what they considered “equal rights” and other beefs with a Japanese conglomerate. Why? Well, one has to know Japanese politics and their issues with Koreans. It is well known that Koreans are considered second class citizens in Japan, so maybe this is a motivation? Has anyone taken the time to think this one out? Mandiant? Anyone? Helllooooo? Say, you guys do know that Japan is close to South Korea, right? Map anyone?
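As an added illustration (my own example, not code from the post, Sophos or the FBI), the Python below pulls the C&C list and the threshold settings out of the Snort rule quoted above, replays that rule’s “limit, track by_src” suppression over flow records, and separately flags the 139/445 fan-out that the Destover-C share mapping produces; the flow records and the 10.x/192.168.50.x addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# The Snort rule quoted in the post (reference: option omitted); its bracketed
# destination list is the C&C set.
SNORT_RULE = ('alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,'
              '208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any '
              '(msg:"ET TROJAN Sony Breach Wiper Callout"; flow:established; '
              'threshold:type limit,count 2,track by_src,seconds 300; sid:2019848; rev:2;)')

def rule_c2_ips(rule):
    """Destination IPs from the rule's bracketed address list."""
    m = re.search(r'->\s*\[([^\]]+)\]', rule)
    return {ip.strip() for ip in m.group(1).split(',')}

def rule_threshold(rule):
    count = int(re.search(r'count\s+(\d+)', rule).group(1))
    seconds = int(re.search(r'seconds\s+(\d+)', rule).group(1))
    return count, seconds

def c2_callouts(flows, rule):
    """Emulate 'threshold:type limit ... track by_src': per source at most
    `count` alerts per `seconds` window; further hits in that window are dropped."""
    c2, (limit, window) = rule_c2_ips(rule), rule_threshold(rule)
    state, alerts = {}, []  # src -> (window_start, alerts_so_far)
    for ts, src, dst, _dport in sorted(flows):
        if dst not in c2:
            continue
        start, n = state.get(src, (ts, 0))
        if ts - start >= window:       # window expired: start a new one
            start, n = ts, 0
        if n < limit:
            alerts.append((ts, src, dst))
            n += 1
        state[src] = (start, n)
    return alerts

def smb_share_sweeps(flows, min_hosts=5):
    """Sources touching >= min_hosts distinct hosts on 139/445: the share-mapping
    fan-out described for the Destover-C sample above."""
    fanout = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport in (139, 445):
            fanout[src].add(dst)
    return {src: len(d) for src, d in fanout.items() if len(d) >= min_hosts}

# Constructed flow records (seconds, src, dst, dport), not data from the incident.
FLOWS = [(0, "10.1.1.5", "200.87.126.116", 443), (10, "10.1.1.5", "88.53.215.64", 80),
         (20, "10.1.1.5", "200.87.126.116", 443), (400, "10.1.1.5", "58.185.154.99", 80),
         (5, "10.1.1.9", "198.51.100.7", 443)]
FLOWS += [(30 + i, "10.1.1.7", f"192.168.50.{i}", 445) for i in range(1, 9)]
```

With these records the first two C&C hits from 10.1.1.5 alert, the third inside the 300-second window is suppressed, and the hit at 400 seconds alerts again in a fresh window, while 10.1.1.7 is flagged for sweeping eight hosts on 445.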

Ok so anyway, the malware does its thing and the rape and pillage of Sony goes on… maybe for a year undetected.

DPRK WTF?

Speaking of Koreans… enter the theories about DPRK and Kim Jong Un. About a day or two after the Sony breach was in the news I saw the first mention of DPRK as the attacker. Where, you might ask? Well, in VARIETY of all places. It struck me as really, really odd that you would see this in Variety, but hey, it’s Hollywood, right? Since then the news media, spurred on by the likes of RE/Code, have been perpetuating the idea that the DPRK tasked its CYBER Army (128) to attack Sony and deal it a death blow! *snerk* This of course came without any real backup data from the hack, no evidence, nothing but suppositions and innuendo. Why would DPRK hack Sony? Well, OBVIOUSLY KJU doesn’t want anyone to see “The Interview”, a movie about two reporters asked to kill KJU. Did I mention that this was a comedy?

Well anyway, now the media has gone FULL GAGA over this and Re/Code has made it even worse with their false reporting from alleged “inside sources” that it was MOST DEFINITELY DPRK!

Derp.

So far, nothing other than a language setting on the malware, malware that has likely been available for download in places since 2013, has served as the main attribution point.

HELL SON! THAT’S A SLAM DUNK IN THREAT INTELLIGENCE!

Not.

One just has to hang one’s head here… or, maybe more to the point, just hit it against the desk until the pain dies down. While one can see KJU doing such a thing because he is “the cray cray”, I doubt that the time frame here for the exfil of 111 TB of data fits. That’s my take on this anyway. I would also like to say that this all lacks some finesse, and that DPRK has been learning from China about the cyber wars, so really… meh.

Lemon-Aide from Cyber Lemons

At the end of the day, the whole “DPRK DID IT!” thing seems more to me like people jumping to conclusions over keyboard and language settings, which is pretty ill thought out and full of cognitive bias. I have had one creeping thought since the Variety piece, though, and that is how well a PR person might think the scenario could be used to pimp a new film. Just go with this for a bit and let it marinate in your brain. If you were a Sony PR guy/girl and you had a horrible hack after DPRK complained about your new movie in which you kill their premier, wouldn’t you say “Gee, maybe we could at least use this to get people interested in the film!”

Ponder that. I mean… it’s Hollywood! We have seen some spectacularly bad ideas come out of there more and more over the years! So why not make cyber lemon-aide from the hack? Some of you are rolling your eyes, I am sure, but hey, it’s just as much a valid theory as the whole “DPRK hacked Sony” dialogue, ain’t it? Let’s see the returns on the film when it gets released after all this hoo ha, eh?

Time will tell if we ever find out who did this… In the meantime get your popcorn kids!

K.

Written by Krypt3ia

2014/12/04 at 18:15

Posted in Uncategorized

One Response


  1. […] this one) that I wanted to drop on you all. See, I mentioned this in one of my first posts on the Sony Hack but it has gone little noticed. In the malware samples of Destover-C on Virus Total you can see in […]
