<img src="http://cdni.wired.co.uk/138x138/a_c/ars.png" alt="Ars Technica" style="float: left;"/>This weekend, the "Guardians of Peace" -- the cyber-attackers who brought Sony Pictures Entertainment's network down in November and have since shared over a terabyte of the company's internal data -- made two more dumps of SPE data to file sharing sites and torrents. The second of the two, on Sunday, was the e-mail box of Sony Pictures Releasing International president Steven O'Dell. And the hackers promised a "Christmas present" soon of even more data if the company does not relent and meet their unspecified demands. "We are preparing for you a Christmas gift," the GoP said in a post to Pastebin and Friendpaste. "The gift will be larger quantities of data. And it will be more interesting.The gift will surely give you much more pleasure and put Sony Pictures into the worst state. Please send an email titled by 'Merry Christmas' at the addresses below to tell us what you want in our Christmas gift."
As the breach spills into another week, details have emerged that suggest the attack may have begun much earlier this year, or even earlier, and that the attackers were able to collect significant intelligence on the network from Sony Pictures' own IT department. It's clear that those behind the attack were deep inside Sony's network for a long time before they set off the malware that erased Sony hard drives -- and some of the data they collected could have been used in other attacks.
Among the files leaked by the attackers in the past week were lists of what appears to be all of the computers on Sony Pictures' internal networks, including over 1,600 physical and virtual Linux and Unix servers, and 811 Windows servers. Additionally, a spreadsheet in the leak included the location, IP address, MAC address, Windows computer name and assigned username of over 3,000 individual PCs in North America and over 7,700 more worldwide on Sony Pictures' network. These details allowed the attackers to pick out Sony Pictures' most vulnerable servers and infrastructure.
Also among the spoils in one of last week's file dumps was a Sony Corp. CA 2 "root" certificate -- a digital certificate issued by Sony's corporate certificate authority to Sony Pictures to be used in creating server certificates for Sony's Information Systems Service (ISS) infrastructure. This may have been used to create the Sony Pictures certificate that was used to sign a later version of the malware that took the company's computers offline. There were also certificates for a JP Morgan Chase electronic corporate banking application, SSL certificates for sites including the Sony Pictures Store e-commerce site, and other certificates associated with intranet servers and other infrastructure from multiple telecommunications providers.
Also within the e-mails leaked last week were details on attacks on Sony Pictures that affected operations in Brazil early this year, as well as concerns about the possibility of an attack by a "known malicious actor." While there have been suggestions that these attacks may have been an opening salvo in the attack on SPE's entire network (particularly because of the large amount of data related to Brazilian markets included in the initial dumps of data by GoP), these attacks are likely unrelated. The e-mails do, however, provide a picture of how Sony Pictures handled security, and IT in general in the wake of downsizing.
At the top of Sony's corporate structure, the company has a history of bringing in military-grade executives in the role of Chief Information Security Officer. In August, Sony Group CISO Phil Reitinger, the former Director of the National Cyber Security Center at the Department of Homeland Security, announced he would be stepping down. His replacement was John Scimone, had served as a senior security advisor for the Defense Department's Joint Task Force-Global Network Operations-the network operations structure of U.S. Cyber Command. But at Sony Pictures, there were a number of archaic systems that had been in place for ages with plenty of potential attack points.
The problems began with an attack on a company FTP server used in connection with SpiritWorld, the company's international theatrical sales and distribution system. Sony became aware of the break only when it was pointed out by IDG News Service reporter Jeremy Kirk as he was reporting on thousands of FTP logins being passed around in online forums.
Login credentials for two "external corporate user" accounts were compromised, according to an internal Sony Pictures email, and the personal data of a large number of people connected with Sony distributors and theatres in Brazil was breached. Jason Spaltro, Sony Pictures' executive director of information security, said in a February 12 e-mail to chief financial officer David Hendler that while the server itself wasn't compromised, a significant amount of payment information for Brazilian film distributors was stolen off the server.
The system -- which stored invoice and payment confirmation information stored as .txt text files -- had been in place since 2008. "It is unclear how the passwords were obtained by the bad guys, and we may never know," Spaltro said in his e-mail. "We disable the two accounts involved and they will not be re-enabled until the investigation is complete and we are able to talk with the owners to do so safely."
In an update email two days later, Spaltro brushed off the significance of the attack from the standpoint of legal exposure:
Regarding the claimed hack of an SPE server, the investigation continues. However, at this point, it appears that business contact information (name, address, email address) for 759 individuals associated with theaters in Brazil was exfiltrated from SpiritWorld. The information was contained in .txt versions of invoices for the theaters. In terms of a notification obligation, Brazil does not have a breach notification law.
Although the Brazilian Constitution, Civil Code, and Consumer Protection Code contain general provisions on privacy protection, and data subjects are entitled to indemnification for moral and material damages that result from a violation of their privacy, based on the facts known thus far I recommend against providing any notification to individuals given a) the lack of a notification requirement; b) the limited data fields involved; and c) the fact that notifying would not likely have much effect in terms of mitigating potential damages.
On the other hand, Sony Pictures took very seriously the threat of denial of service attacks on its business, particularly after what hand happened to the Sony Playstation Network. Sony's internal Global Security Intelligence Response Team (GSIRT) regularly warned of potential impending DoS attacks.
In March, GSIRT issued a warning of a potential attack. "On March 7th the GSIRT received intelligence indicating that a known malicious actor was planning weekend attack activity against several targets including Sony," an internal report noted. "Expected activity will likely consist of DDoS attacks against Sony assets. This actor is considered a credible DDoS threat and has a successful history of DDoS attacks against large organisations."
And in April, as the MPAA filed a civil lawsuit against Megaupload.com, the GSIRT warned again of DoS attacks as "past actions involving MegaUpload have attracted hacktivist attention including distributed denial of service (DDoS) attacks. We ask you to be diligent in reporting any suspicious/malicious activity involving our websites."
The GoP, of course, launched its attack from inside Sony Pictures' network-a threat that Sony's intelligence never prepared the company for. And the cyber-attackers are still insisting that they will do more damage to the company if executives fail to meet their (so far only vaguely spelled-out) demands. "The sooner SPE accept our demands, the better, of course," the GoP said in their latest post. "The farther time goes by, the worse state SPE will be put into and we will have Sony go bankrupt in the end. Message to SPE Staffers: We have a plan to release emails and privacy of the Sony Pictures employees.If you don't want your privacy to be released, tell us your name and business title to take off your data."
This article originally appeared on Ars Technica
This article was originally published by WIRED UK
