Mandiant keeps quiet, FBI investigation continues

Dec 12, 2014 16:39 GMT

New information, allegedly from someone close to the investigation of the breach of the Sony Pictures Entertainment (SPE) network, says that the hackers benefited from help from a person inside the company.

This theory has been put forward before, as the hackers, who operate under the name Guardians of Peace (GoP), are said to have stolen about 100 terabytes of data.

It would be difficult to extract such an amount of data if the attack spanned only a short period of time; in that case, it would be plausible that the files were smuggled out of the offices on physical storage devices.

However, there is undeniable evidence that the breach happened much earlier than the overt action by GoP on November 24, when they wiped all the data from the computers at Sony's unit in Culver City, California.

Phishing attacks linked to IP used by the malware

An analysis of the malware used in the attack, carried out by the security company Blue Coat, showed that the threat contained a text file mapping more than 10,000 computers to internal IP addresses.

This suggests that the intruders had time to prepare the last stage of the attack and carried out reconnaissance missions to get familiar with the network.

Blue Coat said that, through its URL scanning tool WebPulse, it identified traffic in May to an IP address hard-coded into the malware. The IP belonged to a web hosting company in Bolivia, and the traffic is believed to have been the result of a phishing attack.
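The two findings above describe a defender's workflow: pull the address literals out of the sample, separate the internal entries (reconnaissance data) from external candidates (a hard-coded command-and-control host), then search historical proxy or URL-scanning records for the earliest contact with that host to date the intrusion. The following is an added example illustrating that workflow; it is not Blue Coat's, Mandiant's or Sony's code. The binary bytes, the proxy log lines and their three-column format are all constructed for the example, and the external address 203.0.113.45 comes from the RFC 5737 documentation range rather than from the investigation.

```python
import ipaddress
import re
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed stand-in for a malware sample: junk bytes, an internal address
# of the kind a reconnaissance host list would hold, a version-like string
# that is not a valid address, and one external URL. 203.0.113.45 is from
# the RFC 5737 documentation range; it is NOT an indicator from the Sony case.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"cmd.exe /c net view\x00"
    + b"\\\\FILESRV01\t192.168.40.12\x00"
    + b"build 300.1.1.1\x00"
    + b"http://203.0.113.45/update.php\x00"
    + b"\xff" * 8
)

# Constructed proxy log lines in an assumed "<UTC timestamp> <client> <URL>" format.
SAMPLE_PROXY_LOG = """\
2014-05-04T09:12:41Z 10.20.3.17 http://203.0.113.45/update.php
2014-05-04T09:12:55Z 10.20.3.17 http://intranet.example/index.html
2014-06-19T14:03:02Z 10.20.7.81 http://203.0.113.45/update.php
2014-11-20T22:41:10Z 10.20.1.5 http://203.0.113.45/beacon
"""

# A dotted quad not glued to other digits or dots, so "1.2.3.4.5" is rejected.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# RFC 1918 and loopback, listed explicitly rather than via is_private so the
# documentation range used in the sample is still treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_ipv4_literals(blob):
    """Split dotted quads found in blob into (external, internal) lists.

    External addresses are candidate hard-coded C2 hosts; internal ones are
    more likely reconnaissance data such as a host-to-IP mapping.
    """
    external, internal = [], []
    for m in IPV4_RE.finditer(blob):
        text = m.group().decode("ascii")
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # e.g. "300.1.1.1": looks like an address but is not one
        bucket = internal if any(ip in net for net in INTERNAL_NETS) else external
        if text not in bucket:
            bucket.append(text)
    return external, internal


def earliest_contact(log_text, indicators, reference_date):
    """For each indicator seen in the log, report first contact, the number of
    distinct internal clients and how many days before reference_date it was."""
    if isinstance(reference_date, str):
        reference_date = date.fromisoformat(reference_date)
    first_seen, clients = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, url = parts
        host = urlparse(url).hostname
        if host not in indicators:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if host not in first_seen or when < first_seen[host]:
            first_seen[host] = when
        clients.setdefault(host, set()).add(client)
    return {
        host: {
            "first_seen": first_seen[host].date().isoformat(),
            "clients": len(clients[host]),
            "days_before_reference": (reference_date - first_seen[host].date()).days,
        }
        for host in first_seen
    }


def analyse(blob, log_text, reference_date):
    """Extract external literals from blob and correlate them with the log."""
    external, internal = extract_ipv4_literals(blob)
    return {
        "external_candidates": external,
        "internal_entries": internal,
        "contacts": earliest_contact(log_text, set(external), reference_date),
    }


if __name__ == "__main__":
    # November 24, 2014 is the date of the destructive wipe described above.
    report = analyse(SAMPLE_BINARY, SAMPLE_PROXY_LOG, "2014-11-24")
    for host, info in report["contacts"].items():
        print(f"{host}: first seen {info['first_seen']}, {info['clients']} client(s), "
              f"{info['days_before_reference']} days before the wipe")
```

On the constructed data the script reports the external host first contacted on 2014-05-04 by three distinct internal clients, 204 days before the November 24 wipe. The point of splitting internal from external literals is that a sample carrying thousands of RFC 1918 addresses tells you about the attacker's reconnaissance, while the handful of external ones are what to search for in retained proxy logs; the retention window of those logs is what makes this kind of back-dating possible at all.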

There is no official intel to support any of the theories in the media

Immediately after the incident in November, SPE contracted Mandiant, FireEye's cyber-response division, for the forensic investigation. The FBI is also part of the inquiry.

In a note to SPE CEO Michael Lynton, Kevin Mandia, head of Mandiant, said that the piece of malware evaded detection by standard antivirus solutions, which makes it very interesting from a security researcher's standpoint.

Whether GoP had an insider to smooth the path into the network or to exfiltrate the files, as TheWrap reported, citing someone claiming to have knowledge of the situation, remains to be seen. There is plenty of evidence to suggest otherwise, though.

In an email conversation with FireEye, we were told that Mandiant experts “cannot deny or confirm any of the theories that have been published.” This is understandable, considering that it is an ongoing inquiry and that there is no clue, at least not from the parties directly involved in the investigation, about the intruders.

Initially, the finger of blame was pointed at North Korea because of its stance against the release of the comedy movie "The Interview," a fiction about two reporters tasked by the CIA with killing Kim Jong-un, the North Korean leader.

Officials of the country have denied having anything to do with the attack, but said that it “might be a righteous deed of the supporters and sympathizers with the DPRK [Democratic People's Republic of Korea].”

The bottom line is that until official information is provided, everybody is entitled to their own theory about the event.