Hackers spear-phished Sony employees in Asia and Russia

Feb 4, 2015 13:55 GMT  ·  By

A cyber security and data mining company says it has received what it calls undeniable evidence that Russian hackers were involved in the Sony hack disclosed in November 2014, and that they are still able to steal information from the network.

At least two documents are offered as proof, dated January 14 and 23, 2015, and concerning screening reactions for the movies McFarland, USA and Jupiter Ascending, which are slated for US release on February 20 and February 4, respectively.

The cache of documents received by the company also includes files that have not been made available in the leaks published by the group of hackers that claimed the attack.

Info passed from one Russian hacker to another

Security company Taia Global says that it turned to a Russian black-hat hacker known as Yama Tough, who agreed to assist in tracking down the real actors behind the Sony hack.

Yama Tough’s real name is known to the FBI, as the hacker served time in the US for hacking activity and, upon release, was deported to Russia. His record speaks to his intrusion skills: he is held responsible for stealing source code from Symantec in 2006 and for breaching the Russian IT security company SearchInform.

In a report released on Wednesday, Taia Global says that Yama Tough managed to contact an individual implicated in the SPE attack, who handed over multiple files. Sources with access to the full Sony document dumps confirmed that these files were not part of the data leaked by GoP.

Furthermore, “Taia Global has received independent confirmation from the author of one of the documents listed that it is indeed authentic,” the report says.

Targeted phishing used on multiple Sony employees

The Russian hacker contacted by Yama Tough said that the initial access method was spear-phishing aimed at several Sony employees in Asian countries (India among them) and in Russia. From those footholds, the attackers moved deeper into the SPE network through what the source described as an advanced pivoting technique.

According to Taia Global, the malware was a remote access Trojan (RAT) for which antivirus products had no signature, embedded in a PDF file. Once the document was opened, the malware executed and created a backdoor on the compromised system.
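The article does not say how the PDF delivered its payload, and the script below is an added example written for this page, not Taia Global's code and not the actual Sony malware. It shows the triage check a mail gateway or an analyst would run on a suspicious PDF attachment: it looks for the dictionary keys that let a PDF run code or drop a file when it is opened (an auto-execute trigger combined with JavaScript, a Launch action or an embedded file is the classic dropper shape), undoes the `#xx` name escaping that is commonly used to hide those keys from string scanners, and returns a verdict. The two sample PDFs are constructed for the example and are not the documents the article describes; the "update.exe" name and the function names are assumptions.

```python
import re
from collections import Counter

# PDF dictionary keys that let a document run code or drop a file when it
# is opened. None is proof of malice on its own, but a phishing attachment
# that combines an auto-execute trigger with a payload carrier is exactly
# the kind of file that should be detonated in a sandbox, not opened on a
# workstation.
TRIGGER_KEYS = {
    b"/OpenAction": "action that runs when the document is opened",
    b"/AA": "additional actions (page open/close, form events)",
}
PAYLOAD_KEYS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code object",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "file embedded in the PDF (typical dropper payload)",
    b"/RichMedia": "embedded Flash or other rich media",
}
ALL_KEYS = {**TRIGGER_KEYS, **PAYLOAD_KEYS}

# PDF lets any byte of a name be written as #xx, so /Java#53cript is the
# same name as /JavaScript. Malware authors use this to split keywords and
# defeat naive string matching, so names are normalised before scanning.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_keys(data: bytes) -> Counter:
    """Count each key in ALL_KEYS; the lookahead stops /JS matching /JSON etc."""
    return Counter({k: len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
                    for k in ALL_KEYS})

def triage_pdf(data: bytes) -> dict:
    """Summarise risky constructs in raw PDF bytes and return a verdict."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    raw_hits = count_keys(data)
    hits = count_keys(normalize_names(data))
    found = {k.decode(): n for k, n in hits.items() if n}
    has_trigger = any(hits[k] for k in TRIGGER_KEYS)
    has_payload = any(hits[k] for k in PAYLOAD_KEYS)
    if has_trigger and has_payload:
        verdict = "detonate in sandbox"
    elif found:
        verdict = "review"
    else:
        verdict = "likely benign"
    return {
        "indicators": found,
        # True when a keyword only became visible after decoding #xx escapes
        "obfuscated_names": any(hits[k] > raw_hits[k] for k in ALL_KEYS),
        "verdict": verdict,
    }

# Constructed samples (not real Sony documents): a minimal one-page PDF and
# the same file with an OpenAction that runs name-obfuscated JavaScript to
# launch an embedded executable.
BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

DROPPER_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 6 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS (this.exportDataObject({cName: "update.exe", nLaunch: 2})) >> endobj
5 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
6 0 obj << /Names [(update.exe) << /Type /Filespec /F (update.exe) /EF << /F 5 0 R >> >>] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("dropper", DROPPER_SAMPLE)):
        print(name, triage_pdf(sample))
```

The keyword scan is deliberately shallow: it does not inflate compressed object streams (`/ObjStm`) or parse the object graph, so a real deployment would pair it with a proper PDF parser or with detonation. Its value is as a cheap first filter that catches the auto-execute plus payload combination, including the escaped-name trick, before a user ever opens the attachment.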

According to the security company, Sony’s network may still be open to attack: the hackers appear to be able to exfiltrate information despite the security hardening deployed after the incident.

It is also possible that the hackers currently do not have access to the entire network, but only to the computers or email accounts of the Sony employees who received the messages passed to Yama Tough. Even so, such footholds could be used to stage an attack on other resources.

The new details also suggest that more than one threat actor may have attacked SPE. North Korea is not necessarily out of the question, since governments often contract mercenary black-hat hackers to carry out cyber operations, which removes from the malicious code any hints pointing to the real culprit.

Sony hack and official attribution

On November 24, 2014, a cyber attack on Sony Pictures Entertainment (SPE) offices in Culver City, California, caused a message from a group called Guardians of Peace (GoP) to be displayed on computer screens. The group demanded monetary compensation in exchange for keeping private the information it had stolen.

In a later stage of the attack, all the data available on storage units connected to the computers was wiped.

Despite voices in the security industry urging extreme caution in attributing the incident, the FBI officially pinned the attack on the North Korean government, which in June 2014 had expressed its disapproval of Sony releasing the comedy “The Interview,” a film depicting the assassination of Kim Jong-un.

Determining the threat actor behind a sophisticated attack like the one SPE sustained is very difficult, because attackers often plant false leads to hide clues that could reveal information about them, or even their identity.

Image gallery (3 images): January 2015 emails from Sony; Screening evaluation form for A Most Violent Year; Confidential booking form with Sony Theater ID list.