Sony Hack's Scope Gets Much, Much Worse

The Sony Pictures Entertainment attack that shut down its corporate network before Thanksgiving would appear to be much more broad-ranging than originally thought—and is believed to have been caused by a destructive wiper dubbed Destover.

It’s also believed that North Korea is behind the incident, in retaliation for the release of the comedy The Interview, which features Seth Rogan and James Franco as hapless journalists recruited by the CIA to assassinate North Korean leader Kim Jong-un. Pyongyang has called the film “an act of war.”

Sony chiefs Michael Lynton and Amy Pascal have sent an email to employees noting that the company was still examining the full extent of the attack, which resulted in the leaking of upcoming movies like Fury and Annie online, as well as the lifting of various corporate data. It also wiped out data on a swath of its network.

“It is now apparent that a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents,” Lynton and Pascal said in the memo, which a source provided to Infosecurity. “This is the result of a brazen attack on our company, our employees and our business partners. This theft of Sony materials and the release of employee and other information are malicious criminal acts, and we are working closely with law enforcement.”

In addition to the intellectual property, employees could find their confidential data exposed. “While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession. While we would hope that common decency might prevent disclosure, we of course cannot assume that.”

In the meantime, the FBI has issued a Flash warning about Destover, which is firmly aimed at sabotage: the Trojan has droppers that install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the master boot record (MBR) itself.

It also contains configuration files created on systems using Korean language packs, and the FBI urged businesses to remain vigilant against the destructive malware in the wake of the Sony incident, suggesting a link between the two (this has yet to be verified).

In any event, the bug’s methods could lead to permanent data loss.

“There are implications for data recovery in this,” said Kaspersky researcher Kurt Baumgartner, in an analysis. “In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data. Destover data recovery is likely to be the same.”

Destover appears to share some DNA with previous wiper bugs, like Shamoon, which targeted Saudi oil production: its progression for instance follows multiple stages, with capabilities set to run in several modes. Also like Shamoon, its wiper drivers are commercially available EldoS RawDisk driver files, which are maintained in the droppers' resource section.

Also, like Shamoon and the DarkSeoul wiper event (also believed to be authored by North Korea), Destover uses vague, encoded psuedo-political messages used to overwrite disk data and the MBR. And like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack.

“It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack,” Baumgartner said.

In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own. 

“All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter,” the researcher added, noting that while none of this definitively proves that Destover is from the same authors as the other two, it does have all of the characteristics of nation-state-sponsored attacks of the past.

What’s Hot on Infosecurity Magazine?