On November 24 the world found out that Sony Pictures Entertainment was hacked and had disabled its entire corporate network, including locations that spanned Culver City, New York, and overseas.
This breach has very few analogues on record; outside of the Snowden documents, it resembles no other type of breach in history. The combined corporate intellectual property, financial and legal information, contact databases and health records, passwords and encryption keys of Sony Pictures Entertainment can’t be compared to a breach of a retailer’s email or credit card database.
Home Depot said that 53 million email addresses were swiped in its recent data breach, where 56 million credit card accounts were also compromised.
But in the case of Sony’s compromise, individual files can be spreadsheets with multiple records each. Some of the 38 million (known) files exfiltrated in this carefully planned attack are entire databases.
This is comparable to source code being leaked. Unpublished scripts for movies, contract negotiations, NDAs (thousands are listed), secret terms for payment schemes, the very information Sony uses to keep its entire company relevant, are in the stolen files.
The benefits to Sony Pictures Entertainment’s competitors — Universal, Warner, Disney — in terms of competitive intel are priceless.
The hacking crew claiming credit for popping one of the world’s largest film and entertainment companies identified themselves as #GOP (“Guardians of Peace”). News of the compromise emerged when a friend of a Sony employee posted to Reddit an image seen by anyone trying to log in to Sony Entertainment employee computers Monday morning.
This notice stuck on lifts at Sony Pictures in London.. pic.twitter.com/RMZcQhjfYI
— James Dean (@JamesDeanTimes) November 28, 2014
The image loaded onto every Sony Pictures employee’s computer when anyone attempted to log in was a very cheesy, grinning, sinister skeleton that threatened Sony, saying that unless GOP’s requests were met, GOP would release all of Sony’s ‘secrets’ to the world. After reporting the story, security column Salted Hash received a second image in which GOP threatened to release all of Sony’s data if any attempt was made to find GOP.
Sony Pictures spokeswoman Jean Guerin said in a brief statement that the network was experiencing “a system disruption” and that technicians were “working diligently to resolve” it.
That Monday evening, GOP followed through by publishing a gigantic text file that listed what GOP said was every file in its possession: approximately 38 million file names.
What’s named in that file list should have been enough to make everyone sit down and shut up about whether or not this hack was serious, or real.
Salted Hash reported, “GOP says they’ve accessed private key files; source code files (CPP), password files (including passwords for Oracle and SQL databases), inventory lists for hardware and other assets, production outlines and templates, as well as production schedules and notes.”
The file hit Reddit, and commenters noted they’d found over 9,000 passport scans listed in the file (including Angelina Jolie, Daniel Craig and Cameron Diaz). There are over 3,800 files named ‘password.’
If you’ve ever worked with, or even tangentially for, Sony Pictures Entertainment, this crew and anyone who gets ahold of these files have all of your personal information, your private information, and anything else Sony touched.
There are filenames listing over 8,000 non-disclosure agreements (NDAs), and over 6,000 files named MPAA. There are files with Pirate Bay in the title, as well as MEGA (Megaupload). Some file names are specific, like the ‘MPAA piracy project lunch receipt’ filename. There are financials on pirated media losses dating back as far as 2006. One Redditor found the file for his Imageworks letter of resignation, dating back to 2005.
Basically, if you’ve ever had a tangle with Sony Pictures, or Sony Entertainment ever thought about putting you in its legal crosshairs, you’re in there, too.
GOP left an interesting clue in its communication with media outlets after this release; this hacking crew appears to welcome press inquiries, though we can only hope the journos emailing GOP have half a clue about operational security.
The attackers said they had physical access. Communicating with Salted Hash Tuesday morning, GOP’s ‘Lena’ said, “I’ve already contacted the UK register with details.”
“However I’ll tell you this. We don’t want money. We want equality. Sony left their doors unlocked, and it bit them. They don’t do physical security anymore.”
We may very well find out exactly what ‘Lena’ means. Monday night’s massive file list includes filenames of security audits and reports, and documentation of penetration tests performed by external companies.
No doubt, in those files would be any recommendations made to SPE on its information and physical security practices.
Sony only hired its first CISO in 2011, after the PlayStation Network was massively hacked (former gov cyberdude Philip R. Reitinger, formerly DHS, Microsoft, DoD and DoJ). He left Sony to start a consulting company in 2014 — a company whose online presence died off right around the time Sony filled his position by hiring from within, promoting its own director of security engineering, John Scimone, just last September.
On November 30 Sony hired security firm FireEye’s Mandiant for incident response (and the FBI’s participation in an investigation became official). Hiring Mandiant is smart, because they’re the most popular girls in school when it comes to incident response, if not also well-known for scary OMG-the-APTs-are-coming dire warning research papers.
But bringing in Mandiant is also disheartening — in light of the fact that SPE never really got its act together to hire and retain IT security staff. Currently, Sony infosec job listings sit unfilled on job boards, some over 30 days old, others since June.
Variety reported that over the following weekend, “five of the studio’s films, including pictures that have yet to be released such as ‘Annie’ and ‘Still Alice,’ turned up on the Internet, where they have been widely pirated.”
Also that weekend, Salted Hash reported GOP had “published sales and contract data from Sony Pictures Television, taken after the group compromised the entertainment giant’s network last week. The 894MB archive contains thousands of items, covering a period between 2008 and 2012.”
GOP published its second big weapon on Monday, December 1: a massive ‘partial release’ of multiple compressed files containing more files, posted to Pastebin, several torrent sites and Reddit (among other websites).
There’s no doubt that its contents will severely impact Sony Pictures Entertainment and its employees (and contractors) indefinitely — but reporting on the gravity and severity of this release has been curiously eclipsed by a rumor.
On November 28, Re/code pulled a Zoolander-does-infosec-reporting move when the silver spoon tech media outlet claimed an insider told them “Sony and outside security consultants are actively exploring the theory that the hack may have been carried out by third parties operating out of China on North Korea’s behalf.” (Mandiant was announced as Sony’s incident response team November 30.)
This unsubstantiated claim was picked up and reported at face value in headlines by Forbes, NPR, Guardian, NBC, ABC, CBS and many more. But the rumor was angrily blasted as irresponsible and unlikely by many in the infosec communities.
The data drop is huge: 25GB, compressed. No one has yet reported the full uncompressed size of everything in the release, which is supposedly a fraction of what GOP is holding.
Needless to say, the drop contains piles and piles of Sony IP. The employee handbook. Leave of absence records. Salaries and financials, and a plethora of sensitive internal documentation.
It also contains employee and contractor records, social security number files, a listing of over 30,000 HR documents, criminal background checks, even employee badge photos. For these employees, this is unbelievably awful. They are no longer safe, and they can expect the hardships of identity theft to screw up their lives for some time to come, and the lives of their families.
We can only hope Sony tells its employees how much personal risk they currently face.
This release has been publicly accessible for two days, and while the first Pastebin page was removed, the page’s Google Cache was shared widely — it was on Reddit, for example. GOP also emailed a 1.15GB subset of the files to its media correspondents, additionally publishing a list of what it sent to press on Pastebin.
This data dump is just starting to be combed over and unpacked by media, online forums, and anyone else who gets their hands on it. GOP wrote on Pastebin that the large data dump is, “a part of Sony Pictures internal data the volume of which is tens of Terabytes (…)”
And it’s in the hands of people who have more files like this, and who named that file’s password ‘diesony123’.
The same day this file hit the torrent sites, Sony Pictures told Hollywood media site Deadline that its networks were back online in an exclusive statement, which Sony tastelessly combined with a plug for one of its upcoming films.
So, how exactly do you steal an amount of data so big it’s comparable in size to all the books in the U.S. Library of Congress?
This is a heist, plain and simple — but this was no simple plan.
Exfiltrating ‘tens of terabytes’ takes planning. GOP has told media it had an insider working on this heist for a year, and I think we have every reason to believe this.
‘Lena’ told The Verge, “Sony doesn’t lock their doors, physically, so we worked with other staff with similar interests to get in. I’m sorry I can’t say more, safety for our team is important.”
If Sony Pictures Entertainment made a movie about this attack, we’d all think it was the usual made up Hollywood ‘cyberwar’ fantasy… and ridicule it like we do the TV show “Scorpion.”