The Hack on Sony Group Pictures Entertainment The Anatomy of One of the Most Devastating Attacks in History How The Lazarus Group Executed the Compromise THE LAZARUS GROUP’S 2014 HACK ON SONY PICTURES ENTERTAINMENT Over the past few years, hacks against compa- weeks the hackers posted statements online nies and governments have continued to grow, containing links to data from Sony networks6 and their methods become more varied and including emails, salary information, movies that effective. Memorable hacks include the attack had not yet been released, as well as additional against Yahoo!, which compromised every active information.7 The malware also destroyed 70 account—a total of 3 billion,1 the Wannacry ran- percent of Sony’s laptops and computers.8 In somware attacks which struck across the globe, an historic move, the United States government most notably affecting England and Scotland’s formally attributed the hack to North Korea and National Health Service Hospital’s computers, charged a North Korean government hacker forcing hospitals to turn away patients,2 and the with the crime, based on a variety of indicators.9 2014 Sony hack, which unlike many other hacks These included the hacker’s call for Sony to not caused actual physical damage, and appeared to release the movie, “The Interview,” which was a have been directed by a nation state to achieve comedy about the assassination of Kim Jong-Un its political ends.3 (Sony eventually bent under the pressure and only released the movie for download).10 This While these attacks initially captured the atten- paper provides an overview of how the hack- tion of the world, they have become less inter- ers, members of what is commonly called the esting as time has passed, but past hacks can Lazarus Group,11 carried out the hack and how offer insights into dealing with IT security in the the hack was traced to North Korea. future. For example, the Sony hack has at least three very good lessons: first, it was one of the first times actual physical damage was done using a cyberattack, and it forecasts some of the greater damage some experts fear a cyberattack could wreak, second, the Sony attack used piec- es of the Wannacry ransomware, which shows how hackers can use old attacks to formulate new efforts. Third, some of the steps, like strong password protocols and data encryption or dele- tion, that would have helped to protect against the Sony hack are still important today, and still are not properly administrated. For these rea- sons, the Sony hack is a valuable case study, and it is worth a close examination. In September 2014, unbeknownst to Sony Pic- tures Entertainment (Sony), hackers broke into Sony’s networks and stole significant amounts of confidential data and planted malware.4 On the Monday before Thanksgiving, when Sony em- ployees tried to log into their computers a pic- ture of a red skeleton appeared on their comput- er screens with the words “’#Hacked by GOP#’” and a threat to release data later.5 In the coming Phishing for Access employees, including Michael Lynton, Sony There are two technical ways for hackers to CEO,19 had received phishing emails emails pre- obtained data that belongs to people or orga- tending to be from Apple.20 These emails asked nizations: break in and take it or intercept their users to verify their Apple IDs because of sup- data as it is transmitted and then decrypt it.12 posed unauthorized activity and provided them Social engineering is another way to get data— with a link to click on that took them to a form the hacker just asks for it in a way that tricks the that appeared to be from Apple but were fake, users into believing they should give their infor- when the Sony employees typed their creden- mation to the hacker. Often, before conducting tials into the fake forms the credentials fell into a phishing attack, hackers will search online for the hands of the individuals who sent the fake information about individuals whose information emails.21 It appeared that the phishing emails they hope to steal, and then use that informa- were especially directed at Sony employees who tion to specifically target that person, a method had “broad access to the company’s networks,” called spear-phishing.13 Often, hackers will copy information the hackers may have gathered by legitimate emails, but then replace the hyper- conducting surveillance about Sony employees links in those emails “with hyperlinks that would via LinkedIn.22 re-direct potential victims to infrastructure under the [hacker’s] control” where the hacker would Although experts cannot point to one specific then deliver malware to the victim’s computer.14 set of spear-phishing emails that gave the hack- The methods of tricking users into handing over ers the access they needed to infiltrate Sony’s their data are only limited by hackers’ ingenuity networks, it is quite clear the hackers used and users’ credulity. spear-phishing to gain the initial information necessary to stage the hack. The hackers who participated in the 2014 Sony hack had a variety of possibilities for phishing Infrastructure Used in the Hack attacks, according to the FBI investigation. For To carry out the Sony hack, the actors used example, Facebook sends emails to users to various infrastructure components including alert them when a computer with a new IP ad- certain IP addresses, compromised hop point dress signs into their account, and contain links computers, proxy IP address services, and Dy- to follow-up on the sign-in.15 In this instance, namic Domain Name System, or DDNS. An IP the hackers copied these legitimate emails, address (Internet Protocol address) is “a set of but changed the hyperlinked text for logging four numbers…ranging from 0 to 255 and sep- in to Facebook to the link http://www.fancug. arated by a period…that is used to route traffic com/link/facebok_en.html, which likely would on the internet.”23 Each device that uses the have sent the user to malicious infrastructure internet has an IP address that can be used to (although the hyperlink was not active by the identify it and send data to the device. The FBI time the FBI obtained access to the email).16 The investigation of the Sony hack found malicious hackers also created emails that looked like they activity related to the hack originating from sev- came from Google to try to gain access to Sony eral IP addresses assigned to North Korea.24 The workers’ computers, one email, for example, pur- IP addresses associated with the activity come ported to “welcome a recipient to Google’s Drive in two blocks: the first, “is a block of IP addresses, service” but included a link to http://.[[DOMAIN 175.45.176.0-175.45.179.255,” and are registered to REDACTED].com/x/o?u=2cfb0877-eaa9-4061- a company in North Korean, and the second is a bf7e-a2ade6a30d32&c=374814 which was block of addresses, “210.52.109.0—210.52.109.255” also likely to have sent the user to a malicious which are registered to a Chinese company, but file.17 Another email claimed to be from Google, have been used or leased by North Korean since alerting the user that “’malicious activities are before 2009.25 From the devices associated with detected’” but the Google hyperlinks offering these addresses, the hackers carried out activity information about how to mitigate malicious ac- directed against Sony. tivities and Google’s terms of service contained URLs that were not related to Google, and in- The hackers also used hop point computers stead were likely malicious.18 to help hide their identity and location. A hop point conceals a user’s original IP address be- A private researcher found a number of Sony cause it acts as an intermediary between the original IP address and the victim’s network, so Proxy services were another infrastructure com- the victim can only see the address of the hop ponent the hackers used to hide their identity.37 point computer.26 Hop point computers usually Proxy servers act much like hop points, in that belong to innocent users who are not involved they are an intermediary between the original in the hack, but use their devices without know- user and the end computer, but unlike hop ing hackers have compromised their comput- points which are formed using hacked com- ers.27 In this case, the hackers used a particular puters, proxy servers are offered by businesses piece of malware called the “Brambul” worm to to consumers who want to avoid sending their compromise computers and use them as hop IP address across the internet for good, or bad points.28 Malware is a piece of software, or code, reasons.38 The proxy service user can still use which is designed to take control away from the their original computer, but their request for legitimate owner of the computer, and give it to data gets routed through another, intermediate another, usually without the legitimate owner server, who then contacts the end destination, knowing about it.29 This piece of malware came effectively obscuring the original IP address.39 in the form of a worm, which tries “to progres- The Sony hackers used proxy services as another sively infect computers, typically by exploiting way to disguise their identity. a vulnerability in the victim’s computers or by ‘brute force’ attacks upon victim computers.’”30 The Brambul worm spread itself using “self-repli- cation by infecting new victim systems via brute force attacks on the victim’s Server Message Block (‘SMB’) Protocol.”31 A brute force attack is an attack that tries to log in to a computer using a list of combinations