Sony Breach: Was it the Russians, not North Korea?

While it’s been widely reported (and confirmed by the US government) that North Korea was behind the massive data-harvesting attack on Sony Pictures late last year, one security firm said that it has confirmed that a team of Russian hackers were involved in the mix as well.

US cybersecurity firm Taia Global said in a report that the breach was initiated via spear-phishing emails sent to Sony employees in Russia, India and other parts of Asia. Those emails contained an attached .pdf document that was loaded with a remote access trojan (RAT). Once Sony employees’ computers were infected, the hackers used advanced pivoting techniques to gain access to the Sony Pictures Entertainment network.

Taia Global said that evidence that it has gathered on the $15 million attack suggests two possibilities.

“One - that Russian hackers and North Korean hackers ran separate attacks simultaneously against Sony Pictures Entertainment; two - that the North Korean government’s denial of involvement in the Sony breach is accurate,” it said in its report. “Regardless of which possibility is correct, the attribution made in the Sony case failed to differentiate or even acknowledge that more than one state or non-state actor was involved.”

The firm also said that despite Sony’s assurances that the breach has been remediated, “Sony Pictures Entertainment remains in a state of breach and is actively losing files to Russian mercenary hackers.”

How it went about getting this knowledge is the stuff of Ian Fleming novels. Taia Global said that it determined via linguistic analysis that Russians were probably involved. It then reached out to one of its “trusted contacts” in the Russian underground, a black-hat hacker who goes by the snappy handle “Yama Tough.” He was supposedly responsible for the Symantec source code breach of 2006, and is known to the FBI because he has served eight years in US prison for hacking, Taia Global claims.

He has also worked as a contractor for Lt. Col. Bodrov of Ukraine’s Intelligence Service (SVR), who is currently in prison after revealing corrupt practices by the Ukraine Prosecutor’s Office. “It was in response to Taia Global president Jeffrey Carr’s blogging about the plight of Lt. Col. Bodrov that Yama Tough agreed to assist Taia Global in tracking down who might have been involved in the Sony attack,” the firm said.

Yama Tough said that he made contact via IRC chat with an unnamed Russian hacker (URH) who has been known to contract with Russia’s Federal Security Service. URH confirmed that he was on the team that mounted the Sony attack, and offered to prove it by providing stolen documents and information.

In all, URH turned over two Excel spreadsheets with new Sony information, to Yama Tough, followed by 100MB of additional Sony data—none of which had been seen in previous data dumps. Also, and critically, there were several Sony emails with dates as late as January 14 and January 23, 2015.

“It became apparent that URH had ongoing access to Sony’s network despite the numerous companies and agencies involved in investigating the breach,” Taia Global said.

Further, “Taia Global has received independent confirmation from the author of one of the documents listed that it is indeed authentic.”

Ultimately, the company has relied on classic spy work to build its case.

“Intelligence gained strictly from technical sources like the malware that was used, or from the ‘working hours’ of the attackers, can be easily faked,” it said. “Historically, there is an over-reliance upon signals intelligence (SIGINT) to the detriment of traditional human intelligence (HUMINT). This report could not have been produced without Taia Global’s long-term interest in seeking and building trusted contacts throughout the world.”

What’s Hot on Infosecurity Magazine?