Modern field guide to security and privacy

Sony hack fits pattern of recent destructive attacks

The ferocity of the Sony Pictures attack took the technology world by surprise. But it has similarities to other destructive hacks. Among other things, the Sony malware relied on the same commercial software to access and erase Sony hard drives as was used in a destructive attack on oil giant Saudi Aramco in 2012.

Nick Ut/AP
The hacker strike on Sony Pictures Entertainment, which is headquartered in Culver City, Calif., shares similarities with at least two other recent, major cyberattacks.

Sony Pictures Entertainment struggled to regain its footing Thursday, more than a week after unknown attackers unleashed a furious assault on the company’s computer network.

In the days since the attack became public, the hackers have released thousands of sensitive files: from pre-release feature films to detailed account information needed to run Sony’s day to day operations.

At a time when companies are warned to be on the lookout for “low and slow” attackers who studiously avoid notice, the Sony breach will be remembered for its unusual ferocity. On Nov. 24, the assailants declared their presence by decorating employee desktops with a belligerent message before erasing the hard drives of computers and servers they compromised as a parting shot.

While destructive hacks such as the one on Sony are atypical, they are not unknown. In fact, the attack on Sony shares many similarities with at least two other recent, destructive cyberattacks: from the methods used to carry out the strike to the software used to compromise Sony’s computer systems. Those earlier hacks also suggest that attackers had access to Sony’s network long before they played their hand.

Two incidents in the last two years are worth particular notice: the August 2012 attack on oil giant Saudi Aramco that resulted in the destruction of an estimated 30,000 computer systems and a March 2013 attack on South Korean media outlets and financial institutions. That attack also destroyed around 30,000 computer systems. Both attacks used so-called “wiper” malware similar to the attack on Sony.

If you are interested in stories like this, sign up for Passcode, the Monitor's forthcoming site covering security and privacy in the digital age.

Similar the Sony hack, the attacks on Saudi Aramco in 2012 came at the hands of a shadowy hacking group, the “Cutting Sword of Justice” an “anti-oppression hacker group” that cited ideological reasons for the attack – in that case the “crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt.”

Both hacks also involved multistage attacks consisting of an initial infection by a malware “dropper” that downloaded and installed the actual “wiper” malware. And both the Saudi Aramco hack and the Sony hack featured malware that "beaconed" to external IP addresses to inform the attackers of the progress of the hack.

Commercial tool used in attacks

In fact, the Sony malware and “Disstrack” (the malware used in the “Shamoon” attack on Saudi Aramco) relied on the same commercial tool to access and erase the hard drive, a program called RawDisk by the company Eldos, according to a source with knowledge of the attack.

RawDisk is a Windows library that is sold to software developers, providing tools for accessing the hard disk on a local system. The version used by the malware authors in the attack on Sony was an older version of RawDisk and was installed using a stolen license key, Eldos’s chief executive officer Eugene Mayevski tells Passcode.

“The idea behind our product is that the legitimate software is willingly installed by the limited user,” says Mayevski.

There are even more similarities between the Sony attack and what has been dubbed “Dark Seoul,” the March 2013 attack on media outlets and financial services firms in South Korea. That attack, like the Sony hack, has been linked – tentatively – to the government of North Korea.

In that attack, as in the attack on Sony, a previously unknown “hacktivist” group claimed responsibility. In the case of the South Korean attacks, it was the NewRomantic Cyber Army Team. Like the Sony attacks, the hack of the South Korean firms involved a long-term infection and substantial theft of data from the target organizations before the “wiper” component was deployed, destroying thousands of infected systems.

Subsequent analysis by the firm McAfee suggests that the wiper attack known as “Dark Seoul” was just the dénouement of a much longer-lasting and sophisticated cyber-espionage campaign that they dubbed “Operation Troy” and that involved hallmarks of so-called “Advanced Persistent Threat” (or APT) attacks, such as customized software — developed incrementally over years — targeted attacks and data exfiltration. That malware was used to gain access to software management tools that were then hijacked and used to distribute malicious code across the target networks, McAfee revealed.

Waiting to strike 

That may be the case with Sony, as well. Evidence suggests that the group behind the attack was at work honing their tools long before November. In fact, the wiper software with the same name and cryptographic signature as the malware used against Sony was observed in the wild as early as July 2014. The domains it communicated with were also noted at the time, according to the security firm PacketNinjas.

"That may be evidence that the attackers were already in Sony’s network and testing their final payload to make sure it would escape notice by Sony’s security software,” says Dave Thompson, a Senior Director of Product Management at the cybersecurity firm LightCyber. “They had plenty of time to test against what Sony had in place,” he says.

A detailed analysis of the Sony hack hasn’t yet been published, but cybersecurity experts say it is almost certain to reveal that the attackers had access to Sony Pictures Entertainment’s networks long before they revealed their presence last week, Thompson says.

“Typically breaches aren’t detected until almost a year after initial penetration,” says Thompson. “I think we can imagine that these hackers didn’t come in on Saturday and have their attack go off on Monday.”

The attack on Sony will be cold water in the face of many firms who have become accustomed to the idea of “low and slow-moving” attacks. Thompson says that, while threat intelligence such as lists of malicious files and IP addresses are common, it can be hard for companies to grasp which information demands immediate action in the absence of any overt signs of trouble.

“You have all these artifacts, but they don’t give you a good picture of the urgency of what’s happening,” he says.


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Sony hack fits pattern of recent destructive attacks
Read this article in
QR Code to Subscription page
Start your subscription today