The strange case of the Sony hack


In the last few weeks we have seen reports of a massive hack into the Sony Pictures Entertainment system where the hackers seem to have seized an immense amount of confidential internal documents about everyone who was even remotely connected to the company.

On November 24 the world found out that Sony Pictures Entertainment was hacked and had disabled its entire corporate network, including locations that spanned Culver City, New York, and overseas.

This breach has very few analogues in history, outside of the Snowden documents, to any other type of breach on record. The combined corporate intellectual property, financial and legal information, contact databases and health records, passwords and encryption keys for Sony Pictures Entertainment can’t be compared to a breach of a retailer’s email or credit card database.

But in the case of Sony’s compromise, individual files can be spreadsheets with multiple records each. Some of the 38 million (known) files exfiltrated in this carefully planned attack are entire databases.

This is comparative to source code being leaked. Unpublished scripts for movies, contract negotiations, NDA’s (thousands are listed), secret terms for payment schemes, the very information Sony uses to keep its entire company relevant, are in the stolen files.

The benefit to Sony Pictures Entertainment competitors — Universal, Warner, Disney — in terms of competitive intel, is priceless.

The group claiming responsibility for this calls itself #GOP (Guardians of Peace). What is strange is that the initial notice that the company had been hacked came from an ominous message that appeared on the screen when any employee logged on to the company servers on November 24, 2014, threatening to reveal everything unless their demands were met. But the demands were not specified, at least publicly, though it is possible that they were communicated to the top levels of Sony.

Later, massive amounts of data were released, including films that had been recently released or were about to be released, and again it was not clear why that was done since doing so eliminated the leverage that original threat had. Of course, it is possible that there is even more sensitive information that has yet to be released. From what I have read, Sony’s internal controls to protect its data seem to have been woefully inadequate, making this hack easier than it should have been.

The first people to be suspected in such hacks are disgruntled insiders, since they are the ones who, if somewhat savvy, can do it most easily (think Edward Snowden) and usually have motive. But there have been more exotic theories, such as that it was the work of anonymous hacking collectives that either have a political anti-corporate agenda or are simply trying to get money by blackmail, up to the most bizarre theory that it was done by the North Korean government in retaliation for Sony releasing the comedy film The Interview about US journalists working with US intelligence agencies to kill Kim Jong Un.

The breaches can be classified in four categories. The worst is the revelation of people’s private information that harms them and benefits no one.

The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.

These are people who did nothing wrong. They didn’t click on phishing links, or use dumb passwords (or even if they did, they didn’t cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn’t have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we’ve become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.

At another level are those things that are fodder for film gossip and trivia such as the aliases film stars use when checking into hotels and the like.

Yet another level is the information that Sony’s rivals obtain about the company’s strategic plans.

And yet another level of information is what the documents reveal about the state of the film industry and how it operates. Reader kyoseki works in the VFX industry that has been in a great deal of turmoil because of the way that the major studios treat the special effects companies, sending them around the world in pursuit of tax subsidies and firing their top talent in order to cut costs, and he tells me that these emails confirm their worst fears, that this practice has resulted in the loss of the major talent and a reluctance of those people to work with Sony.

But this still brings us back to the central question that still, as far as I know, remains unanswered: Who did the Sony hack and why?

Comments

  1. kyoseki says

    If this actually turns out to be North Korea I’ll be VERY surprised.

    SOMEONE inside Sony was VERY quick to finger North Korea (they started rumors that it was NK within 24 hours of the hack, long before the FBI or their IT crisis management company Mandiant got involved) so either they have slam dunk information that it’s NK (which seems unlikely, since there’s been no real attribution since) or someone inside Sony Pictures put 2 and 2 together and got 5.

    It’s really in Sony’s best interests to make people think that North Korea is behind the hack, because it lets Sony off the hook for having farcically inept network security. If they were hacked by a disgruntled employee and his script kiddie friends, they’re going to get sued into oblivion for failing to secure their data, but if they were sued by a secretive rogue nation state? Well, nobody could possibly have been expected to defend against that, even if they did have network security so pathetic they could have been hacked by the girl scouts.

    Of course, let’s not also forget the fact that blaming NK has exponentially increased public interest in “The Interview” (which is by all accounts a pretty terrible movie), I’ve lost count of the number of “I wasn’t interested in it before, but now I feel I HAVE to see it!” comments. Hell, Deadline even ran a piece that effectively stated “If we don’t go see ‘The Interview’ then the terrorists win!”…. and if you don’t think that someone’s first thought on the (very real) hack was how to turn it into publicity for a movie, you don’t know the entertainment industry.

    One thing I have noticed though; Once someone pointed the finger at North Korea, nobody started judging the actual evidence dispassionately. All indicators that it was NK, no matter how weak, were seized on as proof and anything that suggested otherwise was immediately discounted.

    For example, it took the hackers a full two weeks to even bother mentioning the movie and even then it was buried in a reiteration of their original request – their first contact with the studio (which surfaced as a result of leaked emails) was basically a straight up extortion demand:

    We’ve got great damage by Sony Pictures.
    The compensation for it, monetary compensation we want.
    Pay the damage, or Sony Pictures will be bombarded as a whole.
    You know us very well. We never wait long.
    You’d better behave wisely.
    From God’sApstls

    Nothing at all about the movie, one would think that if the movie was actually a primary motivator for the hack that they might have thought to mention it?

    Even the first public email from the hackers explicitly stated that the attack was revenge for Sony’s layoffs and corporate sexism & racism, not things that North Korea is likely to care about.

    How do the NK conspiracists reconcile this with their ideas? “Oh, that’s just a smokescreen to make people think NK weren’t responsible”… yeah, right.

    Same goes for the tactics involved, NK apparently had a hand in an attack on South Korea last year which used very similar malware and had a similar approach – OK, fair enough, but what they didn’t do was all this grandstanding and publicity crap afterwards, they disabled their targets and stayed completely silent on the matter. Again, the grandstanding is apparently just a smokescreen to give NK plausible deniability as though NK has ever cared about that (bearing in mind that the malware used in that attack has been widely available ever since, so who the hell knows how many hacker groups have access to it now).

    It’s very curious to see how people latch onto a fantastical idea and want it to be true so much they willfully ignore all evidence to the contrary, sound familiar?

  2. kyoseki says

    but if they were sued by a secretive rogue nation state

    … obviously this should have been “attacked” and not “sued”.

  3. says

    the most bizarre theory that it was done by the North Korean government

    A little bird told me that the malware with korean text in it appears to be google translate-quality korean and was almost certainly put there as a red herring.

  4. says

    Sony off the hook for having farcically inept network security

    I may be biassed because I know the team, but Sony’s security is par for the course. You’d be surprised at how quickly and thoroughly this kind of situation can go off the rails.

    they’re going to get sued into oblivion for failing to secure their data

    That’s about as likely as Dick Cheney appearing in the defendant’s box in a trial for torture. There is no question this is going to cost Sony a lot of money, but it’s far from catastrophic.

  5. says

    The Washington Post seems pretty sure it was “North Korea or its affiliates”

    The FBI, NSA, and defense/intelligence industrial complex have a strong interest in passing off any significant attack as potentially a state-sponsored attack, mostly to distract the listener from the fact that US and its affiliates have been running roughshod over the internet for the last decade.

  6. kyoseki says

    I may be biassed because I know the team, but Sony’s security is par for the course. You’d be surprised at how quickly and thoroughly this kind of situation can go off the rails.

    I’ve actually seen a lot of the network security guys complaining in the Hack group on Facebook that corporate didn’t take their suggestions seriously. Here’s Sony’s Executive Director of Information Security justifying why they don’t really bother to secure anything on the corporate network, this was in 2007 (same guy was still in charge when this hack went down) – it basically boils down to “why spend $10m to secure the network when it’ll only cost $1m to notify people that their shit’s been stolen”.
    http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

    Even after Lulzsec breached SPE in 2011, nothing changed; According to Blue Coat security, only a single account was used in the attack (with the password “P@ssw0rd123”). One account had access to everything from HR to Legal to travel itineraries & email spools because, as the hackers themselves put it “Sony don’t lock their doors”.

    I’m one of the victims of the hack, all my shit (anything I gave Sony, bank records, passport, visa information) was scanned & left sitting around unencrypted on an HR/Legal drive somewhere and I haven’t worked for Sony for nearly a decade, same goes for a lot of other people I know.

    There was apparently a single unencrypted excel spreadsheet containing everything from social security numbers to bank accounts for anyone who has ever worked for Sony, thousands upon thousands of people.

    Why was this on a drive that was exposed in any way to the internet?

    Their movie production networks are all secure, because they’re air gapped with no internet access (the Fury, Annie etc.. screeners were leaked because they were on a cloud storage network and the passwords for those accounts were stolen in the hack). Imageworks/Animation continued working through the attack having lost only email, there was no damage or infection to their servers, so I don’t believe for one second that Sony CAN’T secure a network – of course, as the article in the original post indicates, Sony’s managed to kill off Imageworks through sheer ineptitude & cost cutting, so the hack hasn’t actually harmed them much, in fact, it might be the kick that turns Imageworks around.

    That’s about as likely as Dick Cheney appearing in the defendant’s box in a trial for torture. There is no question this is going to cost Sony a lot of money, but it’s far from catastrophic.

    It’s not going to bring down Sony Corporation, but Sony Pictures Entertainment is in deep shit.

    Employees are already starting to assemble class action suits and that doesn’t even begin to address damages from companies that may have been impacted by the attack (for example, banks have been given the all clear to sue Target over that breach and the entertainment industry is even less warm & fuzzy than the financial industry).

    SPE was already on the rocks, having laid off a ton of people earlier this year as a cost cutting measure (they brought in Romney’s Bain management to do the layoffs) and there was a very public spat between an activist investor (Daniel Leung, Third Point) & Sony corporate because he wanted them to spin SPE off into its own corporate entity because it was dragging down the rest of the company.

    After this attack and having their secrets laid bare, I’d be surprised if any of the senior management at SPE are still employed there 6 months from now.

  7. kyoseki says

    Maybe I’m just an overly cynical old fart, but my first thought was that there was no data breach: the whole thing is a PR stunt cooked up by Sony for their movie.

    The hack is definitely real, I’m affected by it and so are thousands of others.

    The attribution to North Korea? Yeah, that’s the publicity stunt.

  8. lorn says

    If people realized the depth and breadth of information held by major corporations, most of it given away by people quite casually, they would realize that government efforts are, in comparison, amateurish. The government has to tap lines and ask for information. Your credit card company, bank, cell service provider, ISP, Facebook, Twitter, the people holding everything you store on clouds, by default, own all your information and will sell it to anyone, including the government if the price is right.

  9. Holms says

    Later, massive amounts of data were released, including films that had been recently released or were about to be released, and again it was not clear why that was done since doing so eliminated the leverage that original threat had.

    I’m going with either ‘chaos’ or ‘lulz’. Or a blend of both.

  10. kyoseki says

    I’m going with either ‘chaos’ or ‘lulz’. Or a blend of both.

    It doesn’t make any sense if North Korea is behind it, but if this is a failed extortion attempt then it’s likely being done as a warning to the next target.

  11. kyoseki says

    What, North Korea is known for always doing sensible things?

    They’re known for acting in their own best interest and this hack does the exact opposite of what they want, it’s substantially raised public interest in what is, by all accounts, a pretty terrible movie.

    If North Korea was behind the attack, once they realized they were driving the Streisand effect with respect to the movie, they’d have immediately shut the hell up.

    That the hackers continue to poke & prod Sony generating interest in the movie (90% of the articles related to the hack continue to push the North Korean angle) suggests that the attack has no real connection to the movie whatsoever.

  12. Mano Singham says

    kyoseki #17,

    This threat sounds to me like it may be a hoax, sent by a different group trying to take advantage of a threat made by #GOP that they will release blockbuster information on December 25 if their demands are not met.

    This group may be trying to take advantage of that threat and the speculation of North Korean involvement. Because really, do we have to be warned that this is going to be a bad film?

  13. kyoseki says

    I think it’s still the same group because it was linked to a Pastebin dump of more hacked information (in this case, the email spool from the CEO), but I still don’t know how seriously to take any threat.

    Up until this point, the whole thing felt like an extortion deal that fell apart, which may still be the case, now they’re doing everything they can to hit Sony financially, which includes trying to suppress moviegoer turnout.
