The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems.
Screen shot from an internal audit report allegedly stolen from Sony and circulating on file-trading networks.
Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.
Sony officials could not be immediately reached for comment; a press hotline for the company rang for several minutes without answer, and email requests to the company went unanswered. But a comprehensive search on LinkedIn for dozens of the names in the list indicates that virtually all correspond to current or former Sony employees.
Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm PricewaterhouseCoopers, and includes screen shots of dozens of employee federal tax records and other compensation data.
The latest revelations come more than a week after a cyberattack on Sony Pictures Entertainment brought down the company’s corporate email systems. A Sony spokesperson told Reuters that the company has since “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”
Several media outlets reported at the time that Sony employees had been warned not to connect to the company’s corporate network or to check email, and noted that Sony’s IT departments had instructed employees to turn off their computers as well as disable Wi-Fi on all mobile devices. Other reports cited unnamed investigators pointing to North Korean hackers as the source of the attack, although those reports could not be independently confirmed.
Such extreme precautions would make sense if the company’s network was faced with a cyber threat designed to methodically destroy files on corporate computers. Indeed, the FBI this week released a restricted “Flash Alert” warning of just such a threat, about an unnamed attack group that has been using malware designed to wipe computer hard drives — and the underlying “master boot record” (MBR) on the affected systems — of all data.
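A check an incident responder would want once a wiper that targets the master boot record is in play, added here as an example (it is not code from the article or from the FBI alert): read sector 0 of a disk image, parse the four primary partition entries, and classify the sector as intact, wiped (all zero), corrupt (boot signature missing) or without partitions. The sample MBR the block builds is constructed for the demonstration, and `read_mbr` is a hypothetical helper for pointing the same check at a real image or device.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"        # boot signature at bytes 510..511
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def read_mbr(path: str) -> bytes:
    """Hypothetical helper: read sector 0 from a raw image or block device."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic (non-GPT) MBR and report what is left of it.

    Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4),
    little-endian.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "empty": ptype == 0 and lba_start == 0 and sectors == 0,
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "all_zero": not any(sector),
        "bootcode_zero": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": partitions,
    }


def mbr_verdict(sector: bytes) -> str:
    """Collapse the parse into one of: wiped, corrupt, no-partitions, intact."""
    info = parse_mbr(sector)
    if info["all_zero"]:
        return "wiped"            # zero-filled: consistent with an overwriting wiper
    if not info["signature_ok"]:
        return "corrupt"          # garbage or partial overwrite; not bootable either way
    if all(p["empty"] for p in info["partitions"]):
        return "no-partitions"    # signature survives but the table was cleared
    return "intact"


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk: one bootable type-0x07 partition
    starting at LBA 2048 spanning 1,048,576 sectors, with a stub boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:3] = b"\xEB\x3C\x90"  # jmp short + nop, as a typical boot sector begins
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1048576)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    print("sample disk:", mbr_verdict(build_sample_mbr()))
    print("zeroed sector:", mbr_verdict(bytes(SECTOR_SIZE)))
```

Run it against a forensic image (`mbr_verdict(read_mbr("/path/to/image.dd"))`) rather than a live system: a host whose MBR reads "wiped" or "corrupt" should be imaged before anything else touches the disk, and a GPT-partitioned disk still carries a protective MBR here, so a "no-partitions" result on such a disk is itself suspicious.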
KrebsOnSecurity obtained a copy of the alert, which includes several file names and hashes (long strings of letters and numbers that uniquely identify files) corresponding to the file-wiping malware. The FBI does not specify where the malware was found or against whom it might have been used, noting only that “the FBI has high confidence that these indicators are being used by CNE [computer network exploitation] operators for further network exploitation.” The report also says the language pack referenced by the malicious files is Korean.
The FBI alert references several network traffic “signatures” that organizations can use to detect the traffic seen in previous attacks from this malware — traffic that appears to beacon back to (most likely compromised) systems in Thailand, Poland and Italy. But the alert also says this type of vigilance may only serve to let organizations know that their files are currently in the process of being deleted.
“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.
Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:
alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
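To make explicit what the rule actually tests, here is the same match logic written out in Python as an added example; it is not code from the alert or from the article. The addresses, ports, payload length and marker bytes come from the rule above; the packet records and their field names (`src`, `dst`, `dport`, `payload`) are constructed sample data.

```python
"""Python rendering of the 'wiper_callout' Snort rule quoted above."""

# Constants taken directly from the rule.
WIPER_C2 = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
WIPER_PORTS = {8080, 8000}
MARKER = b"\xff\xff\xff\xff"   # content:"|ff ff ff ff|"
MARKER_OFFSET = 26             # offset:26 (relative to start of TCP payload)
MARKER_DEPTH = 4               # depth:4  -> the match must sit in payload[26:30]
EXPECTED_DSIZE = 42            # dsize:42 (payload length of a single packet)


def matches_wiper_callout(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """True when one TCP packet satisfies every condition of the rule.

    'any any ->' leaves source address and port unrestricted; the rule keys
    entirely on destination, exact payload size and the four marker bytes.
    """
    if dst_ip not in WIPER_C2 or dst_port not in WIPER_PORTS:
        return False
    if len(payload) != EXPECTED_DSIZE:
        return False
    window = payload[MARKER_OFFSET:MARKER_OFFSET + MARKER_DEPTH]
    return window == MARKER


# Constructed sample packets (assumed field names), one of which should fire.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "203.131.222.102", "dport": 8080,
     "payload": b"\x00" * 26 + MARKER + b"\x00" * 12},        # 42 bytes: match
    {"src": "10.0.0.5", "dst": "203.131.222.102", "dport": 443,
     "payload": b"\x00" * 26 + MARKER + b"\x00" * 12},        # wrong port
    {"src": "10.0.0.7", "dst": "88.53.215.64", "dport": 8000,
     "payload": b"\x00" * 26 + MARKER + b"\x00" * 13},        # 43 bytes: dsize fails
    {"src": "10.0.0.9", "dst": "8.8.8.8", "dport": 8080,
     "payload": b"\x00" * 26 + MARKER + b"\x00" * 12},        # destination not listed
]


def scan(packets):
    """Return one alert line per matching packet, in the spirit of Snort's msg."""
    alerts = []
    for p in packets:
        if matches_wiper_callout(p["dst"], p["dport"], p["payload"]):
            alerts.append(f"[sid:314] wiper_callout {p['src']} -> {p['dst']}:{p['dport']}")
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Two practical points follow from reading the rule this way. First, every condition is tied to three hard-coded destinations that the alert itself describes as most likely compromised hosts, so the rule detects only this beaconing configuration and nothing about the wiper's behaviour on the endpoint. Second, as the alert warns, a hit means wiping has already started on the source host: treat it as a trigger to isolate that host and image its disks, not as prevention.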
Update: 1:58 p.m. ET: Multiple sources are reporting that the links to the torrents for the stolen Sony internal data were posted on Pastebin late Monday morning. Less than an hour after that post went live, the individual hosts that were sharing copies of the Sony data came under sustained denial-of-service attacks apparently aimed at keeping the files from being shared with other torrent users.
Also, the security guys over at Packetninjas have posted a useful write-up on a malware sample they spotted from early July 2014 that matches the file name of the malware described in the FBI’s Flash alert about the file-wiping malware. Packetninjas notes that the file also was calling home to the same control server in Thailand that was documented in this week’s FBI alert.
This file directory tree, included in the leaked data, offers a glimpse into the sheer volume of files apparently compromised in this breach.
This is a developing story. More to come. Stay tuned.
Tags: fbi, packetninjas, Snort, Sony Pictures breach
So, uh, Jason, Mr. Spaltro. Can I call you Jason? Ah, good. I just got one more question for you and I’ll get outta your way, because it looks like you’ve got your hands full at the moment. Now, about this hack and all these missing data files you say were deleted by someone from North Korea? I have to tell you that, if you had better internal security practices mandated, you know that this sort of thing wouldn’t have happened, right? And also, since you’re the only one with the keys to the kingdom, and given the fact that you’ve seemed frustrated that you didn’t get the needed security items you’ve been asking for from the heads of the studio throughout the years, it would be logical, bear with me here. Wouldn’t it make sense to perpetrate a hack internally and blame it on an external party, all the while, in your passive-aggressive nature, you also get back at those who have held you back in your position here as executive director of information security at Sony Pictures Entertainment?
Officer Arrest this man!
Brian – any information regarding your upcoming movie deal part of the take? Any chance this is in retaliation for that deal?
Would anyone be able to share a copy of the FBI’s flash alert?
Looks like there will be some amusing press reports and more bad days in the office when the mainstream press catches up…
Always wondered what senior movie exec’s Amex cards would look like.
2013
│ │ │ │ ├── Amex\ -\ October\ 2013.pdf
│ │ │ │ ├── Amex\ 12-25-13.pdf
│ │ │ │ ├── Amex\ 3-27-13.pdf
Also this
CBS.QueenLatifah.fullyexedcontract.tif
│ │ ├── CBS.Seinfeld5thcycle.revisedcontracts.tif
│ │ ├── CBS.Seinfeld5thcycle.revisedsignedcontract.pdf
Will no doubt make fun reading…
You do realise that Sony are a Japanese company, right?
Perhaps they realised that doing a Megaupload style take down wouldn’t work on a company as big as Sony, so ‘stopped the foreign threat’ another way?
North Korea wouldn’t put two hours of effort into stealing some Sony films.
Vee, your statements that “WE” Americans are somehow more committed or “better” at securing data is sheer folly. I’ve been in the BIZ since the 1970s – believe me – we have just as many dodo-heads here as they do in other countries. I KNOW – I have BEEN to nearly every country on earth, and I have assessed data centers in India, China, Thailand, the Philippines, Australia, Israel, Kenya, Nigeria, and many South and Central American countries. You are blatantly wrong in your assumptions that outsourcing is somehow responsible. In fact, Target received info from an “OUTSOURCED” data center in India that, had they heeded the info, they may have stopped their breach. The so-called “committed” Americans chose to ignore the info they received from the “Outsourced” folks…
I don’t know who you are, and I don’t care. Could be coincidence, but I had used “Vee” for years on here, years ago. And you ain’t me.
I can’t say I really care about a 3 lettered username on a comments section- I really don’t. Carry on, coincidence or not. Seriously, man, I couldn’t care, honestly.
But to point out to the older members around here, like JCitizen: that guy isn’t me, who was the Vee back from years ago. I haven’t posted on Krebs in a year or more.
And you know this how?
North Korean officials are upset about the Sony movie depicting an assassination plot against their fearless leader. Don’t you think that is a form of provocation. I am not condoning the hack, but it seems reasonable to me that would be sufficient motivation for state-sponsored hackers to ‘have at it’.
If they reached a mainframe CISC (which they seem to have by the look of this 3270 screenshot), that clearly means they got access to a core infrastructure server. They probably got access to a lot of things surrounding it, as these mainframes usually act as middleware between other critical infrastructure components.
Hell is just starting for the employees and other victims…
Yep, good eye Vee… Probably CICS tranid EYTF .
It is probably a downloaded screenshot graphic file sitting in a Win/Unx user directory rather than one the intruder captured him/herself by accessing CICS, hence the KOS caption “Screen shot from an internal audit report …” .
Not saying CICS or MVS is impervious to penetration but definitely much harder (assuming rational security manager configuration) target than Win/Unx.
That is only a screenshot from an internal audit report. Auditors routinely dump all kinds of errata into their reports. ALT-PRT SC, then paste into Word…
This is a serious enough breach without adding unnecessarily to hysteria.
CICS (‘customer information & control system’) is IBM’s adaptation of the ‘online, all the time’ airline control program originally developed for American Airlines back in the 60s and 70s. ACP and CICS were designed for high efficiency, high volume access and high security.
I was a mainframe computer operator on an IBM CICS system that managed a large insurance company utilizing over 600 terminals, all in an operating system that fit itself and all of the users’ applications into 16MB of RAM on a mainframe system that filled a room the size of a department store.
I also was a CICS systems programmer for six years back in the 80s. There are virtually no recorded instances of CICS systems being systematically, externally hacked by interlopers and outsiders.
The odds of compromising a CICS mainframe system are quite long – those kinds of things are locked down beyond belief.
Even if you had every user ID and password for a CICS system (and there’s no evidence posted yet of user / PW lists for mainframe system access), it would not help you.
IBM’s RACF (resource access and control facility) is the gold standard for mainframe security.
This is a serious enough breach without adding to hysteria by stating “they reached a mainframe CISC” – there’s no evidence that this happened.
Dear B_Brodie – Your assertions about the inherent security of CICS are totally misplaced. Until very recently almost every CICS installation out there was still running telnet and ftp as the access protocol and many still are. Once a hacker is on the LAN of a company they can sniff passwords in a second and then log in as an existing user. In my experience most system administrators and programmers for mainframes live in an absurd bubble of self mis-belief that their systems are secure by design, or more usually “by obscurity” and just because they are old. As a result they run the risk of being complacent and ignorant of security practices. That said, when it comes to the other enemy of security, change, they often score quite highly!
But mainframes are just software systems attached to a network, and as Joshua Corman says, software=vulnerable, networked=exposed.