Rants of a deranged squirrel.

You Didn’t Think the Sony Saga Was Over, Did You?

[This was originally posted to the Risk Based Security blog. Unfortunately, no copy made it to the Internet Archive. A re-imagined version appeared on the Flashpoint Blog. The original is below.]


On November 24th, 2014 a Reddit post appeared stating that Sony Pictures had been breached, that their entire internal network, nationwide, had been compromised, and that there were signs the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This started a long, twisting road for Sony as details of the hack came out for months afterward. The resulting fallout had considerable impact on Sony, their executives, and many others unaffiliated with Sony.

Risk Based Security covered this incident with an initial blog written on November 24, 2014, and updated 23 times, with the last update on February 22, 2015. We followed that up with what was to be a final piece on February 18, 2016, taking a look at a “Year After the Hack”. While we didn’t count Sony out for further news, large-scale hacks like this rarely see definitive attribution or any form of closure. We moved on, cataloging the thousands of other breaches that have happened since.

On September 6, 2018, news broke that the U.S. Department of Justice (DOJ) had announced charges and filed an indictment against a North Korean “spy” for his role in the hacking of Sony (and others) and the authoring of the Wannacry 2.0 malware (PDF of Indictment). The indicted, Park Jin-hyok (박진혁; a/k/a Jin Hyok Park and Pak Jin Hek), was charged with (1) violating 18 U.S.C. § 371 (Conspiracy) by conspiring to commit the following offenses: 18 U.S.C. §§ 1030(a)(2)(c), 1030(a)(4), (a)(5)(A)-(C) (Unauthorized Access to Computer and Obtaining Information, with Intent to Defraud, and Causing Damage, and Extortion Related to Computer Intrusion); and (2) violating 18 U.S.C. § 1349 (Conspiracy) by conspiring to commit the following offense: 18 U.S.C. § 1343 (Wire Fraud).

(source: https://www.fbi.gov/wanted/cyber/park-jin-hyok/@@images/image/mini)

According to the DOJ, Mr. Park is believed to work for North Korea’s Reconnaissance General Bureau (their equivalent of our C.I.A.). Specifically, the complaint alleges that Mr. Park is a member of the DPRK-sponsored hacking team known in the private sector as “Lazarus Group” (a/k/a Hidden Cobra), and that he worked for a front company named Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”) while conducting the activity.

You can read more about this latest development all over the media, including The New York Times, CNET, Motherboard, the Washington Post, Reuters, Bloomberg, and others. If you are a journalist, we sympathize with you!

Lazarus and the Lead Up

Since the news of the Sony hack slowly faded out of public attention, one group suspected of involvement in the hack has remained active. Over the last few years, news and research about Lazarus Group has continued to come out. Looking back at a brief highlight of the history of these stories makes a North Korea indictment not so surprising.

Among the evidence used to link Mr. Park to Lazarus Group and criminal activity are Bitcoin payments made as a result of WannaCry infections, the tracking of banking transactions related to the fraudulent Bangladesh SWIFT activity, and multiple links to North Korea-based IP addresses. It is clear from the affidavit that the FBI had been investigating throughout all of the news above.

What Happened with Sony Since the Last Update

If you look back at our prior coverage, one consistent thing Sony dealt with during the breach was a steady level of drama. Since the last update, more information has come out pertaining to Sony, the breach, and the aftermath.

Attribution

We said in the original Sony blog series, and many times since, that attribution of a hack is difficult at best and often impossible. Tracking an attack back to a single person, particularly a skilled attacker, presents many challenges that make law enforcement ineffective. In many cases, it is third-party security firms with research divisions that do a lot of the heavy lifting. They share this information with law enforcement and many times can greatly improve the odds of attribution.

With Sony, it was curious to see who blamed whom in 2014 and 2015. Note that it was a fluid situation during the breach and subsequent fallout, as different people and firms investigated, selectively sharing their findings (sometimes with media, sometimes with law enforcement). It caused a bit of flip-flopping in some cases for the Obama administration, while others took a stance early on and doubled down at every opportunity. Reading back through the articles, we have created a list of who attributed the attack to whom back then:

| Attributor                   | Attribution       | Date       | Source             |
|------------------------------|-------------------|------------|--------------------|
| North Korea                  | maybe North Korea | 2014-12-02 | BBC Article        |
| North Korea                  | not North Korea   | 2014-12-07 | New York Times     |
| Joe Demarest, FBI            | not North Korea   | 2014-12-09 | Reuters Article    |
| Unnamed Source Investigating | China             | 2014-12-15 | Deadline Article   |
| Marc Rogers, CloudFlare      | not North Korea   | 2014-12-18 | Blog Post          |
| Marc Rogers, CloudFlare      | Sony Insider      | 2014-12-18 | Blog Post          |
| Obama Administration / FBI   | North Korea       | 2014-12-19 | FBI Press Release  |
| CrowdStrike                  | North Korea       | 2014-12-19 | CrowdStrike Blog   |
| Taia Global                  | Russia            | 2014-12-26 | NPR Article        |
| Gotnews.com                  | Sony Insiders     | 2014-12-27 | Gotnews.com        |
| Norse Corporation            | Sony Insiders     | 2014-12-28 | Security Ledger    |
| James Clapper, DNI           | North Korea       | 2015-01-07 | Business Insider   |
| Seth Rogen                   | not North Korea   | 2018-04-15 | IGN Article        |

As you can see, attribution was all over the place back then, with what appear to be some mistakes as recent as April of this year (Rogen), and some relatively safe bets (Clapper, after seeing the evidence the FBI had). Perhaps the most fascinating are the Norse claims that a Sony insider was involved. That is actually part of a larger, more specific attribution they made at the time:

Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.

That is a very specific list of people, supposedly backed by enough evidence to justify going public, and it doesn’t include a North Korean as far as they knew. Hopefully in the future everyone will get a chance to look at the evidence they collected, in light of the latest indictment, and see what happened.

Conclusion?

In these ongoing blog series, we frequently have the notion that we will wrap things up someday. With a criminal indictment and what appears to be definitive proof pointing to North Korea, it seems like this may be the time. But we’ve learned our lessons on these epic data breaches! If more develops on this story, we’ll be here to cover it.
