The FBI has been forced to issue a confidential flash warning to US firms claiming they are at risk of a new destructive malware campaign designed to wipe corporate data, in a move which may have been presaged by the attack on Sony Pictures last week.
The five-page warning issued on Monday provided technical details on the malware and advice on how to respond, according to Reuters, which obtained the report separately.
There’s no definitive link between the FBI’s claims to have seen a destructive cyber attack for the first time on US soil and the Sony hack, but the timing would seem to suggest some connection.
Such was the severity of the attack, Sony Pictures was forced to shut down its corporate network for a week and has now apparently recruited FireEye business Mandiant to help with incident response.
Mandiant is best known for its work in unmasking the Chinese PLA units behind several high profile state-backed APT groups.
As for the attacks themselves, the FBI report apparently claimed the malware works to override data on the victim company’s hard drives including the master boot record, preventing them from booting up.
“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” it explained, according to Reuters.
So far the attackers have not been identified, although news emerged on Monday that they could be connected to North Korea and launched the attack in retaliation for a new film, The Interview, which lampoons the totalitarian state.
Several Sony Pictures films have been leaked online following the cyber attack.
North Korea certainly has previous when it comes to destructive online attacks, having been blamed for the Dark Seoul campaign which knocked out computers in several TV stations and banks in the South Korean capital last year. The attacks also took banking services offline for customers.
Piers Wilson, head of product management at Tier-3 Huntsman, argued that with all organizations technically at risk from state-sponsored attacks these days, greater vigilance is needed to detect and respond.
“If an attack does take place, particularly if the impact is going to be harmful, then detecting the activity and being able to understand and contain the threat before data is destroyed or leaked in large quantities, as in these recent cases, is vital,” he told Infosecurity.
“Since such attacks are often hard to predict, organizations need to ensure they can spot potentially dangerous behavior from personnel or systems and respond swiftly to remove the threat.”
A Malwarebytes spokesperson added that US businesses should heed the FBI's advice.
“What’s particularly interesting about this recent attack is its destructive nature,” they added.
“This goes against the grain of today’s sophisticated corporate malware, which is usually designed to secretly gather valuable information whilst remaining under the radar. By contrast, it seems that the intention of these attacks was purely disruptive.”