Sony Suffers Further Attacks

Disruptions Follow 'Unprecedented' Hack Attack
Sony Suffers Further Attacks

Sony has been attacked again, with a distributed-denial-of-service attack gang claiming credit for knocking the company's PlayStation Network and related store offline.

See Also: Evolving Cybercriminal Attack Methods

Visitors to the PSN sites - which support multiplayer gaming and distributes Sony's movies and games - have instead been seeing the following error message: "Page Not Found! It's not you, it's the Internet's fault."

Sony says via Twitter that it's aware of the outages: "We are aware that users are having issues connecting to PSN. Thanks for your patience as we investigate."

A hacker or gang called Lizard Squad claimed credit for the attacks in a Dec. 8 message posted to Twitter at 12:29 a.m. GMT. The disruption follows the group in recent days claiming that it disrupted other gaming networks, including Valve's Steam, and Microsoft's Xbox Live. And Lizard Squad says the disruptions are just a "small dose" of what it has planned for December. "Unlike Santa, we don't like giving all of our Christmas presents out on one day. This entire month will be entertaining," the group tweets. The gang previously claimed credit for a series of August DDoS attacks against Sony, as well as for a tweet about explosives being aboard an American Airlines flight on which Sony president John Smedley was traveling, which caused authorities to divert the flight. No explosives were found; the FBI launched a related investigation.

Lizard Squad has been cagey about its motives and declined to say who's funding its DDoS attacks against gaming networks, saying only that they're "interested parties." But whoever's behind Lizard Squad claims that it previously sold "DDoS as a service" to the public, starting at about 300 euros ($370) per hour to disrupt a site.

Sony's Latest Security Setback

The PSN and Sony online store disruption is only the latest of many information security setbacks for Sony, following a massive hack attack against Sony Pictures Entertainment, which resulted in attackers obtaining what they claim are "tens of terabytes" of Sony corporate data and digital media, as well as using wiper malware to erase an unknown number of Sony employees' hard drives and "brick" their computers, which prevents them from booting (see Sony Hack: FBI Issues Malware Alert).

Sony has not responded to repeated requests for comment about the hack, for which a group calling itself the Guardians of Peace - or G.O.P. - has claimed credit.

To date, G.O.P. has reportedly leaked about 40 GB of stolen Sony data, which remains in circulation on BitTorrent networks. The data includes exhaustive lists of Sony's passwords for social media networks, private details for 47,000 employees - including the Social Security numbers for Expendables star Sylvester Stallone and other actors - as well as other HR-related information, including copies of disciplinary letters and termination notices, Mashable reports.

Sony employees recently also received an e-mail, allegedly from G.O.P., warning them that "your family will be in danger" unless they signed their names to an e-mailed petition in support of the hacker's activities. The e-mail also stated that the attacks and leaks to date were "only [a] small part of [a] further plan"' (see Hackers Threaten Sony Employees). The attackers declined to elaborate on what that plan entailed.

'Unprecedented' Attack

In the wake of the attacks, many information security experts have been asking if Sony's defenses were sufficient, and whether it should have been able to rebuff attackers. Furthermore, much of the leaked data appeared to be stored in unencrypted format, and security experts say many of the passwords being used by Sony - which were also leaked - were weak.

But a report into the investigation from digital forensics investigations firm FireEye, which was hired by Sony to investigate the attack, suggests that the hack attack that victimized Sony Pictures Entertainment would have compromised most organizations. "The attack is unprecedented in nature," Kevin Mandia, chief operating officer of FireEye, says in a Dec. 6 report addressed to Sony Pictures Entertainment CEO Michael Lynton and also distributed to Sony employees, The Wall Street Journal reports. "This was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared," Mandia says.

One explanation for the Nov. 24 hack attack - and subsequent data leaks - is that it was commissioned by the government of North Korea, in retaliation for the forthcoming comedy The Interview, in which a tabloid TV reporting team, heading to Pyongyang to interview dictator Kim Jong-Un, are approached by the CIA to kill him instead.

While referring to the film as a "terrorist act," North Korean officials have denied having any ties to the Sony hack. But in a statement issued Dec. 7, a spokesman for the country's National Defense Commission referred to it as a "righteous deed" that may have been launched by its "supporters and sympathizers."

Still Suspected: North Korea

The FireEye investigation team, however, says North Korea is "likely linked" to the attack, three anonymous sources with knowledge of the FireEye investigation tell the Journal, citing as partial evidence the Korean-language and timing of builds - which correspond with working hours in North Korea (see Sony Hack: 'Destover' Malware Identified). But other security experts have said those details could also be "false flags" planted by attackers to fool investigators.

New details about the attack continue to surface. Citing people with knowledge of the investigation - who spoke on condition of anonymity - Bloomberg reports that the Sony data was first leaked from an IP address tied to the five-star St. Regis Bangkok hotel, located in the capital of Thailand, at 12:25 a.m. local time on Dec. 2. But it's not clear if the attackers may have been working from the hotel, or merely routing their data via its systems.

Information security researcher Liam O Murchu at Symantec tells Bloomberg that at least one of the command-and-control servers used by attackers to communicate with the Sony PCs they'd infected with their malware - known as both Destover and Wipall - used an IP address in Bolivia that was also used in the 2013 Dark Seoul campaign that targeted South Korea banks and broadcasters. South Korea has attributed that attack to North Korea, although multiple security experts interviewed by Information Security Media Group have suggested those allegations have not been fully confirmed.

"This is the same group that was working in Korea a year ago," O Murchu says. "There are so many similarities - this must be the same people."

Anti-virus vendor Kaspersky Lab likewise reports seeing "extraordinary" similarities between the wiper attack against Sony, Dark Seoul, and the 2011 "Shamoon" attack against Saudi Arabia's national petroleum and natural gas company, Saudi Aramco.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.