13/12/2014

A Breakdown and Analysis of the December, 2014 Sony Hack
December 5, 2014 By Risk Based Security

Note: This article is being updated almost daily with new developments regarding the leaks from the Sony Pictures breach. Changelog of updates:
The Beginning (November 24)
Second Round of Leaks (December 3)
The Analysis Game (December 4)
The Next Chapter (December 5)
The Analysis Continues (December 7)
Fifteen Days Under Siege (December 8)
Reality and the Blame Game (December 9)
My Life At The Company, Part 1 (December 10)
Another Day, Another Email Spool (December 10)
Celebrity Gossip and Hacking Back (December 11)
Debates, Goliath, and Apologies (December 12)
My Life At The Company, Part 2 (December 13)

On November 25, a new chapter was added to the chronicles of data theft activity. A group calling itself "GOP" or "The Guardians Of Peace" hacked their way into Sony Pictures, leaving the Sony network crippled for days, valuable insider information including previously unreleased films posted to the Internet, and vague allegations that it all may have been done by North Korea in retribution for the imminent release of an upcoming movie titled The Interview.

While politically motivated attacks and theft of intellectual property are nothing new, this incident certainly stands out for several reasons. First, via a Pastebin link, the group released a package and links to torrent files hosted on four sites consisting of 26 parts, broken out into 25 1GB files and one 894MB rar file. The files were also uploaded to the file sharing giants MEGA and Rapidgator, but were removed by site managers shortly after. The researchers at RBS were able to access the files and analyze the content prior to the information going offline, as well as reach out to GOP.

The results of the analysis provide unprecedented insight into the inner workings of Sony Pictures and leaked the personal information of approximately 4,000 past and present employees. As if the sensitive employee information wasn't troubling enough, the leak also revealed curious practices at Sony, such as money orders used to purchase movie tickets that were apparently resold back to Sony staff.

The Guardians Of Peace made their contact information available for a brief time. RBS researchers used that opportunity to contact the group seeking comment and received the following response:

I am the head of GOP.
I appreciate you for calling us.
The data will soon get there.
You can find what we do on the following link.

The link provided only led to a Facebook page that was not in use. The following timeline gives more perspective and analysis of the details of the intrusion based on information made available via public sources.

The Beginning (November 24)
On November 24th, a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nationwide, had signs that the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This comes three years after a large series of attacks against Sony became public.

Within hours, Geek.com had reported that Sony "just got hacked, doxxed, and shut down" as Sony went into panic mode over the breach. Minutes after the original reddit post appeared, the thread exploded with comments and feedback about the content. Several links to additional files were included within the comments, including two text files that listed additional file names that were said to be coming in a subsequent leak of information from the Sony network.

In order to better understand the breach and the ramifications, Risk Based Security (RBS) reached out to the Guardians of Peace and asked for more information. During the brief email conversation, they stated that additional data leaks were forthcoming, and that they had obtained over a dozen terabytes of data from various Sony servers. The mail went on to say that additional information would be published soon, and provided a link to a Facebook page that appeared to be closed.
https://www.riskbasedsecurity.com/2014/12/abreakdownandanalysisofthedecember2014sonyhack/
Movie Leaks (November 26th)
A few days after the initial breach report was announced, four torrent links were published to torrent trackers that contained unreleased movies from Sony, obtained by GOP during the attack. These titles included Annie (December 19), Mr Turner (December 19), and To Write Love On Her Arms (March 2015). According to several torrent tracking sites, these files have been downloaded over 100,000 times.

On December 1st, NBC News aired a segment reporting that the FBI were investigating the breach and the possibility that North Korea was involved. While this may sound far fetched at first, North Korea has a clear motive in attacking Sony. On December 25th, Sony is releasing a movie called The Interview, which follows the story of two celebrity TV hosts that get a chance to interview Kim Jong-un. Before heading to North Korea, they are asked by the C.I.A. to assassinate him. Despite the movie being labeled a comedy, North Korea has stated that if the movie is released, they would consider it an act of war.

When the BBC reached out to North Korean officials asking if they were behind the attack on Sony, they were given a curious response of "Wait and see." North Korea had also complained to the United Nations about the movie earlier this year in July, while not naming it specifically.

First of the Leaks (December 1)
On December 1st, GOP started publishing the full cache of data files taken from Sony's servers, with the first chunk totaling a respectable 24.87GB of compressed files. Surprisingly enough, the GOP appears to have used compromised servers on Sony's network to upload and seed the torrent for the leaked data, as well as uploading it to MEGA and RapidGator. Within hours of the upload, MEGA removed all links to the data. [Dec 9 update: subsequent analysis by Mario Greenly suggests Sony is not seeding/uploading data, only downloading it, likely in an attempt to slow progress for other downloaders.]

First leaked data summary, some analysis courtesy of Identity Finder:
26.4GB in size, containing 33,880 files and 4,864 folders.
Includes 47,426 unique Social Security Numbers (SSN)
15,232 SSN belonged to current or former Sony employees
3,253 SSN appeared more than 100 times
18 files contained between 10,860 and 22,533 SSN each.
Example of employee data found:
One file (\HR\Benefits\MayoHealth\MayoXEROXassessmentfeed) contains 402 full Social Security numbers, internal emails, plaintext passwords, and employee names
An additional 3,000 or more Social Security numbers, names, contact details, contact phone numbers, dates of birth, email addresses, employment benefits, workers compensation details, retirement and termination plans, employees' previous work history, executive salaries, medical plans, dental plans, genders, employee IDs, sales reports, copies of passport information and receipts for travel, as well as money order details to purchase movie tickets to resell back to the Sony staff. The leaked information also included documents, payment, and account information to order custom jewelry from Tiffany & Co via email.

Second Round of Leaks (December 3)
By this point, we can only imagine how Sony was in full panic mode attempting to respond to, and contain, the breach. Sony executives had already confirmed the leaked data was authentic. The mainstream media was coming to grips with the ordeal, exploring ideas on the ramifications and the resulting fallout. Initial analysis of the data from the first set of files disclosed had begun as the second disclosure of files occurred. A GOP member identifying themselves as the leader of the group told RBS "Today more interesting data will be presented for you." before pointing RBS to a new link containing additional files, as part of the email dialogue established (interestingly, one mail came from Hushmail, which is known to cooperate with federal agencies). The second leak was considerably smaller, a mere 1.18GB containing two files named Bonus.rar and List.rar. While the files are small, they perhaps contain the most sensitive data to be disclosed by this point. This includes full security certificate information, internal and external account credentials, and authentication credentials with plaintext passwords for systems such as the Sony YouTube page and UPS accounts.

Bonus.rar file summary:
33.7MB compressed
Contains plaintext credentials (~500 total), server information, internal IP addresses and other data.
List of security certificates for servers, users, and services, and a list of what each certificate is related to.
Credentials include YouTube login information for the Sony Pictures, Spiderman movie, Evil Dead movie, Grownups The Movie, and This is the End movie channels, and a complete list of older social media accounts for campaigns on Facebook and Twitter.
121 FTP plaintext credentials, including the main Sony Pictures FTP server.
Plaintext credentials for major news and media sites like NY Times, LA Times, Daily Variety, hollywoodreporter.com, indiewire.com.
Plaintext passwords in formats like "sony12345" for critical internal and forward facing services.
Username/password combos in a file named "MyPAsswords" contain: novell, mediataxi, inflight, fidelity, spiDR, SPIRIT, sonystylefamilycenter, FEDEX, Connect, SPTI, AcronTASS, SPECourier, Concur, SPCPress, AIM, HRConnect, AMEX, outlook, all in clear text with username and password combos.
Accounting and payment information for AMEX for The Interview in plaintext.
Accounting and payment and other related credentials for Death at a Funeral

List.rar file summary:
1.8MB compressed
Three files containing internal and external PC data, Linux servers, and Windows servers

The Analysis Game (December 4)
When analyzing high profile breaches, it is common for the media and security companies to make mistakes. This often occurs due to conflicting or unclear information that seems valid on the surface, but falls apart under heavy scrutiny. For example, a Gizmodo article says that Sony stored password information in a folder called "Password". A better explanation is that the archive released by GOP was created, and that folder named, by the hackers, not Sony. Below is a screenshot of some of the contents of the "Password" folder from the GOP Bonus.rar file:
As more journalists commit time to covering the breach, more details emerge, making this a constantly unfolding story. It also lends to a form of public debate, where one journalist may call into question conclusions of another. For example, Wired released an article today that went into detail about how the compromise may have happened (malware dubbed "wiper") and also called out other journalists, saying the North Korean link is not likely. While they make good points about the GOP group and how nation states generally conduct computer intrusions, there is also the possibility that it was specifically designed not to look like such an attack, for plausible deniability. Or it may be as simple as North Korea suggesting they may have had a hand in it, to bolster the notion that they are serious contenders in international computer intrusions for espionage and spying, like their counterparts.

What is curious in this story is that the FBI released a Flash Alert regarding malware that comes after the reported attacks on Sony. This warning comes very late in the game, and also leads to more questions about the security analysts brought in to figure things out. The same article mentions that Mandiant was brought in to address this breach before it became public. Yet Mandiant has not made a statement on the matter, while being notoriously media friendly in blaming hacker sources, specifically the Chinese, even if they may not have been involved.

According to Re/code, Sony is set to announce that they have attributed the attacks to North Korea, making this a "he said, she said" ordeal in the short term. For those interested in more details on the malware found in Sony systems that may have been the point of compromise, Ars Technica has released a more detailed article focusing on it.

The Next Chapter (December 5)
As mentioned, this story is unfolding every day. New information, new perspective, and new deductions come every day. Risk Based Security has been tracking breaches for a very long time, and has frequently seen such high profile breaches unfold over years. After the initial weeks or months of a breach, most news outlets and security companies lose interest. Long term though, part of the story includes the eventual investigation, consultants, lawsuits, stock price fluctuations, and more. The entire picture of a major compromise is the real value, as that is where companies can fully learn of the risks of a breach.

Today the Guardians of Peace have contacted RBS, and likely other companies or journalists, with a third link to leaked data along with a short statement and request calling for others to join them:

Anyone who loves peace can be our member.
Please tell your mind at the email address below if you share our intention.
Peace comes when you and I share one intention!
jack.nelson63vrbu1[at]yopmail.com
You can download a part of Sony Pictures internal data the volume of which is tens of Terabytes on the following addresses. These include many pieces of confidential data.
The data to be released next week will excite you more.

The leaked data has been uploaded as BitTorrent links to various file sharing sites via the same methods used in previous disclosures, some of which are served off breached Sony Pictures EC2 servers, as well as being uploaded directly to the RapidGator file sharing service. As before, RapidGator quickly removed the data within three hours of it being posted.

The torrent is broken into 22 files spanning 52 parts which appear to be just over 100GB of compressed data. This leak has been titled "Financial data of Sony Pictures", so it likely contains financial details of Sony Pictures, the budgets of movies, or more.

Based on the history of contact from GOP, it appears that each day a new email address is used, which suggests the accounts may be compromised email accounts. Whether these are fallout from the Sony breach or from another source remains unknown.

The Analysis Continues (December 7)
There have been several news outlets and security firms researching the Sony Pictures breach and analyzing the files disclosed as a result of the compromise. An interesting and unexpected development surfaced today, when security researcher Dan Tentler announced early in the day that he had had a visit from the FBI but was not home at the time.

Just to warn other security folk working on the Sony leaks the FBI just visited my home. I wasn't there, so I'm not sure what they wanted.

He followed up with a comment that was made to his wife:

according to my wife, who answered the door, they started the conversation with the words "illegally downloading".

Mr. Tentler has been conducting his own analysis and has reported on the Sony incident. He posted a list of nodes where the leaks could be found, which may explain the FBI's interest and the subsequent "illegal downloading" comment made to his wife.

Now that the files have been downloaded from the publicly available sources, RBS has had a chance to do a preliminary analysis of the contents. The following is a screenshot showing a sample of the files, to put into better perspective what is leaked. Note that file names are logical, not descriptive and human friendly:
File SPE_03_03.RAR
113,002 Files, 39,612 Folders. 57.1GB / 48.1GB (Compressed)
Incident reports with full names, incident locations, injuries and positions held with Sony.
SPE Global Security Guidelines v2
UL training users, full names, addresses, email addresses and common set clear text passwords
Copies of employment contracts and agreements, passports, drivers licenses, SSNs, signatures.

Ongoing (December 7)
The LA Times reported on December 5th, and has said that the FBI have confirmed it, that just hours before the 3rd leak was published online, an unknown number of Sony employees received threatening emails which are believed to have been sent by the GOP.

The emails, which were written in what was described as broken English, wanted employees to sign a statement disassociating themselves from Sony, and if they did not, warned that "not only you but your family will be in danger". According to the LA Times, the email included a statement that suggests the digital headaches for Sony are going to continue for some time to come.

"It's false if you think this crisis will be over after some time," the email said, according to a copy obtained by Variety. "All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures."

Adding to the speculation about how the compromise happened, Bloomberg is reporting that the compromise and first leak of data happened at the St. Regis Bangkok hotel in Thailand, according to an unnamed person familiar with the investigation.

Fifteen Days Under Siege (December 8)
Late last night, after a long week of previous disclosures, the GOP released the next batch of leaked data. The new round consists of four archives making two large files, currently being seeded from servers owned by Sony Pictures as before. The torrent that includes all files is only 2.8GB this time and has also been uploaded to a few file sharing websites, although we expect them to be taken down quickly like previous GOP uploads.

Unlike previous disclosures that were straightforward, this group of files comes shortly after the appearance of a Pastebin link (now 404) that purports to be from the GOP, and gives a reason for the attacks on Sony Pictures, linking it to the now controversial movie, The Interview. There is speculation that the new announcement may not be authentic as it did not get sent out via the previous channels, and suggests an almost afterthought of blaming the movie for their actions. Within hours of this being published on Pastebin it had been removed, but it was cached by Google on December 8, 2014 15:43:58 GMT. Since then, the cache has also been removed, which may be due to Sony complaints. According to Owen Williams, Sony has been sending out Digital Millennium Copyright Act (DMCA) takedown requests related to the breach and subsequent disclosures. RBS managed to capture the text before it was removed from both Pastebin and Google cache:

by GOP
We are the GOP working all over the world.
We know nothing about the threatening email received by Sony staffers, but you should wisely judge by yourself why such things are happening and who is responsible for it.
Message to SONY
We have already given our clear demand to the management team of SONY, however, they have refused to accept.
It seems that you think everything will be well, if you find out the attacker, while no reacting to our demand.
We are sending you our warning again.
Do carry out our demand if you want to escape us.
And, Stop immediately showing the movie of terrorism which can break the regional peace and cause the War!
You, SONY & FBI, cannot find us.
We are perfect as much.
The destiny of SONY is totally up to the wise reaction & measure of SONY.

The following is a summary of the fourth leak:

05_01.rar
mosokos.ost (A Microsoft Outlook mail spool), 3.5GB in size
mosokos is Steve Mosko, President of Sony Pictures Television.
3,550 full contact details, full names, email addresses, home addresses
14,944 sent emails
Email contents include account information, password reset mails, personal emails, flight and travel arrangements
Also includes discussions about internal operations within Sony, the 2013 Breaking Bad Blu-ray leak, discussions about using torrents and the AXN network to distribute Hannibal
Emails from friends and other Sony staff about TV show torrents and uploads to YouTube, including Breaking Bad, King of Queens, and Hannibal.

05_A.rar
APascal1.ost (A Microsoft Outlook mail spool), 3.78GB in size
APascal is Amy Pascal, Co-Chairman, Sony Pictures Entertainment and Chairman, Sony Pictures Entertainment Motion Picture Group
Over 5,000 emails included
Most recent Inbox email is from November 23, 2014 (likely when the mail spool was taken)
Emails consist of Sony employee relations, personal invoices, and personal emails
Includes talk and deals about upcoming movies
Contains current and closing business deals
View of the APascal1.ost Outlook mail spool showing the folders:

Speculation and analysis of the original compromise method is ongoing. The Register reports that Kaspersky has published details on the malware that allowed the attackers to gain a foothold into the organization. According to the researchers, the malware has been named BKDR_WIPALL by Trend Micro and Destover by Kaspersky (which elicited a warning from the FBI), and was previously seen in attacks against Saudi Aramco by the WhoIs Team in 2012. Kaspersky researchers went on to say that this backs claims that the malware was used in the 2013 DarkSeoul attacks, possibly linking the same group or groups to a multi-year campaign of high profile computer intrusions.

Seemingly unrelated to the GOP breach of Sony Pictures, but coincidental in timing, the Sony PlayStation Network appears to be suffering its own problems as a group called Lizard Squad is taking credit for a coordinated large scale denial of service attack, which follows a previous one in August of this year. Via Twitter, Sony PlayStation Network has acknowledged that customers are experiencing problems, but does not specifically cite why.

Culver City Sony employees will be briefed by the Federal Bureau of Investigation (FBI) on Wednesday regarding the recent attacks, according to the Hollywood Reporter. Michael Lynton, Entertainment Chief at Sony, has also called for an all hands meeting on Friday to further discuss the issue.

Reality and the Blame Game (December 9)
Generally when a high profile, wide scope breach occurs, news outlets and some security companies are quick to say it was the work of an advanced attacker, and that the breach is unprecedented. According to Mashable, Michael Lynton (Sony Pictures CEO) sent a letter to all employees featuring a letter from Kevin Mandia, of Mandiant, the company hired by Sony to investigate the breach. An excerpt from the letter:

"This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat," Kevin Mandia, Mandiant Security Consulting

All analysis to date suggests the malware was not unique to Sony, and may have been used several times before. Trying to suggest that malware that evades industry standard antivirus software is unprecedented is ridiculous. Antivirus software routinely fails to identify malware due to the archaic signature based model it uses. The software only detects what it knows to look for, and with a few tiny changes, old malware can be made undetectable again until a new signature is created and pushed to customers. That subscription model is the profit center of the antivirus industry, and they have little reason to improve it. Further, suggesting this breach was unprecedented in size and scope simply isn't true either. Large scale compromises like this hit the news every year.
If you recall, on December 4th Re/code published an article saying that Sony was set to officially blame North Korea for the attacks. Jump to today, a mere 5 days later, and the FBI is officially saying there is no attribution to North Korea, according to Reuters.

"There is no attribution to North Korea at this point" Joe Demarest, Assistant Director of the FBI Cyber Division
It has also come to light via Mashable, via the leaked email archives from the fourth leak (December 8), that Michael Lynton (CEO), Amy Pascal (Chairman), and other executives received an email from hackers calling themselves "GodsApstls". In the email, quoted below, the group threatens great damage to Sony Pictures unless financial compensation was provided:

We've got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You'd better behave wisely.
From GodsApstls

This goes against subsequent posts from the Guardians of Peace (GOP), who said the intrusion was related to the release of the movie, The Interview. At this point it is not clear if a single coordinated group of attackers is changing their public persona or if there is more than one group that has access to the network.

More fallout from the Sony Pictures compromise comes in the form of the attackers using Sony's certificates to digitally sign the Destover malware. As reported by Kaspersky Labs, the signed malware appeared on December 5th and will result in additional malware being signed, and likely render subsequent attacks more effective. [Update: It turns out this was a prank carried out by a security researcher, who figured out the password of the certificate (same as the file name), and decided to sign the most amusing/ironic thing he could think of, the malware itself. We are also told that three other certificates used a password of "password".]

My Life At The Company, Part 1 (December 10)
Now that journalists and security companies have had days to review the incredible amount of leaked data, analysis has shifted to focus more on the contents of the emails of Amy Pascal, Co-Chairman, Sony Pictures Entertainment, and Steve Mosko, President of Sony Pictures Television. This has revealed odd details such as Sony continuing to make considerable money from the show Seinfeld, Sony executives being concerned over the ending of the movie The Interview, and that George Clooney is very savvy.

Today also brought the fifth leak of data from the Guardians of Peace (GOP), titled "Gift of Sony for 5th day: My Life At The Company Part 1". As before, the leaked data was uploaded via torrent trackers, with the .torrent file also uploaded in a single rar file to smaller file hosting websites. The torrent file consists of 5 parts, all 1GB and in RAR format (spe_05_01.part[1-5].rar). The GOP have also included a new statement with this disclosure, again directed at Sony Pictures employees. The message states that they still have large amounts of information to disclose, including personal information and more email spools. The statement reads:

To SPE employees.
SPE employees!
Don't believe what the executives of SPE says.
They say as if the FBI could resolve everything.
But the FBI cannot find us because we know everything about what's going on inside the FBI.
We still have huge amount of sensitive information to be released including your personal details and mailboxes.
If continued wrongdoings of the executives of SPE drive us to make an unwanted decision, only SPE should be blamed.
Now is the time for you to choose what to do.
We have already given much time for you.

The newly leaked data includes information about Sony's anti-piracy efforts, entertainment deals in the works, and internal procedures related to tracking torrents and other illegal downloading. It also contains a document that outlines Sony's cooperation with 5 major Internet Service Providers (ISPs) to collect full data for monitoring illegal downloads. In addition:
Motion Picture Association of America (MPAA) list of outstanding issues and other piracy related information.
Enhanced Content Protection proposals, drafts, and documents.
Potential Middle East partnership deals from 2012.
Wages of international employees from Sony Australia and Sony China
Contact information of more than 2,500 employees, additional digital certificates, documents on Internet security, security advisories that may impact Sony systems
Research documents, internal information about Sony cameras being produced, NATO Studio August 2014 Tech Meetings Agenda with talks about new technology being produced by Sony
Project non-disclosure agreements, budgets, financial forecasts for 2013-2015, information about project schedules, deals, costs, profits, advertising revenue, and advisor fees.
Anti-piracy information from Google, YouTube, Netflix, and Farncombe including:
Total number of notices sent to ISPs with 100% success rate (2,537,932)
Alerts sent to subscribers (1,475,848)
Alerts that were not sent but should have been (41,917)
A breakdown of which content, how many types of alerts sent, and acknowledgements for 2012, 2013, and 2014
Confidential documents outlining deals, procedures for monitoring, and services provided by Farncombe
Large amount of proposals to Google, YouTube, and other services about how to censor search results and remove content from search
Content protection documentation
Documents and internal tracking of console hacking information for the PlayStation including:
27th Chaos Communications Congress (CCC), Console hacking 2010, PS3 Epic fail.
Verisign Fraud Alert: Phishing, the latest tactics and potential business impact.
BHUSA09MarlinspikeDefeatSSLPAPER1
us14RosenbergReflectionsOnTrustingTrustZoneWP
A variety of documents on relations with the following companies: AXN, AMC Networks, Hoyts Australia, Animax UK, Channel 5 UK, Chello, Grupo Clarin, 2waytraffic, Dailymotion, Comedy Time, DirecTV, Crackle, Apple, iTunes, Google, YouTube, Hotfile, BBC, BITAG, Telstra, Rogers, Showtime, Sky, Skype, SNEI, Telus, Tesco, Virgin Media, TVN, Verizon, Telefonica, TTNET, Turner, TrueNet, Videotron, VUDU, Voole, Redline, and SingNet. The data on deals is extensive, to say the least. Below is a small sampling of the folders and documents:

After the series of incidents with Sony in 2011, many analysts were curious about how it would affect Sony's stock price. Between April 4, 2011 and October 12, 2011, Sony's stock price dropped from $31.45 to $20.06. That begs the question of whether this round of incidents is also affecting the price.

Here we see the stock value between November 25th, when the breach became public, and today. Note that in our experience, we frequently see stock prices drop as an immediate reaction to such events, but often return to the original value within three months.

Yesterday we reported that attackers had used a Sony digital certificate (spe_csc.pfx) to sign the malware believed to have been used in the compromise. It has come to light that this was actually a prank of sorts, carried out by security researchers who figured out the easy to guess passwords protecting the certificates. RBS has seen a portion of the chat log in which they guess the passwords. After the signed malware was placed on VirusTotal, Kaspersky apparently made the assumption that it came from the attackers. Steve Ragan summarized the prank in an article last night, and Colin Keigher, who was close to the source of the prank, published a blog this morning giving additional details.

Perhaps the most interesting development though is the possible doxxing (publishing personal information) of the Sony hackers. Via two Pastebin documents, the real name, address, nickname, birthday, and other personal details of five people are listed. Given the lack of provenance for this information, RBS is not going to further propagate it. The introduction text gives a summary of the alleged hackers:

Sony hackers DX. they hackers from Tunisia Hacker Team but covering as Guardians of Peace for op Week of Horror to attack USA and support Syria and governments that fight USA (china, korea, iran).

Another Day, Another Email Spool (December 10)
Today also brought the sixth disclosure from GOP, a single file named sony6.rar, which was uploaded to bittorrent tracking and file sharing sites. As usual, the file was quickly removed from the file sharing sites. The file contains another mail spool, named lweil00.ost, which belongs to Leah Weil, Senior Executive Vice President and General Counsel for Sony Pictures Entertainment. Some details about the 3.84GB mail spool include a list of folders, number of emails, and a brief summary of the content.

Some of the folder names and mail count:
Admin: 56
Alertline: 286
Audit Reports: 28
Calendar: 6,815
Compliance dept: 45
Contacts: 178
Conversation history: 2
Deleted items: 4,296
Designated Employee Notice: 59
Division Head Meetings: 205
Executive comp: 60
Inbox: 41,229
Sec filings: 30
SEC FCPA: 102
Sent emails: 36,586
SPE Board: 19
SPE Subsidiaries Report: 3
Legal: 78
Brief list of highlights:
Deleted mail contains email retention orders (current financial information email needs to be held for 6 years; as of 15th Jan 2015 that will change to 2 years for all emails unless on legal hold)
SKY Perfect TV data leaked June of this year, including 10,000 customers' names, email addresses, addresses, phone numbers, Pay TV access control numbers (B-cas #), IC cards, and subscription information which may include payment details. (SKY PerfecTV is responsible for parts of AXN, owned by Sony.)
Discussions with Paula Askanas and others about uploading fake torrents to frustrate would-be pirates.
Instructions for how to respond to previous Sony hacking incidents with approved wording for Twitter and Facebook.
Extensive communications about the 2011/2012 attacks against Sony by Anonymous, including the #opsony threat, sharing pastebin links pertaining to Sony, vulnerabilities on Sony sites (e.g. Subject: FW: ALERT ANONYMOUS THREAT XSS exploited on scajobs.sony.com!!), details of internal investigations about hacking incidents, and employees attempting to geolocate the hackers and match their handles to other aliases.
Internal concern that Mark Zuckerberg might sue Sony over the movie The Social Network.
Correspondence between Sony staff about George Clooney wanting to direct a movie based on Hack Attack. Concerns are expressed over potential legal issues if media giant Rupert Murdoch's name is used within the movie, since it's based on a real story.
Emails about previous Sony breaches including SPE, Sony PlayStation, and other divisions of the company.
Emails about harassing calls from ANTI-SOPA protestors.

Given the severity of this breach, along with the history of previous Sony incidents, it is worth remembering the first part of a 2007 article titled "Your Guide To Good Enough Compliance" by Allan Holmes. It is a good reminder that security is not just technology but a mindset, and that failing to work toward a secure environment may have long lasting repercussions.

Celebrity Gossip and Hacking Back (December 11)
The culture of watching celebrity lives has captivated the TV watching audience for years now, with reality shows dominating news and airtime. With the Sony Pictures executive mail spools being leaked over the last few days, those analyzing the contents are running into emails from high profile actors and actresses that communicate with them. As previously mentioned, George Clooney takes a hard line, intelligent approach to emails and knowing the contents could leak out.
Now we learn of drama between Amy Pascal and Scott Rudin over the highly anticipated upcoming biopic on Steve Jobs, in which there is serious disagreement over Angelina Jolie's disappointment that director David Fincher would be involved in Jobs instead of her own movie, Cleopatra. Despite the differences between Pascal and Rudin, the leaked emails show they do have one thing in common: joking about President Obama's race. In another exchange between Pascal, Michael Lynton, and Clint Culpepper, they are candid in their feelings for an actor asking for more money to promote a movie via social media:
"I'm not saying [Kevin Hart's] a whore, but he's a whore." Clint Culpepper (President, Screen Gems)
With the leaked emails, the public is also learning a wide variety of personal information about celebrities. In addition to email addresses, analysts are finding out aliases celebrities use when traveling, phone numbers, and more. These include Brad Pitt, Julia Roberts, Tom Hanks, and more according to Sophos.
Changing tracks, the other interesting development is how people are reacting to, and labeling, Sony's efforts to curb piracy. More specifically, some are considering and/or labeling the actions as a denial of service (DoS) attack. In using that term, they are effectively suggesting that Sony's tactics are illegal. The tactics in question are based on Sony using hosted servers to pollute a bittorrent swarm, making the downloading of the illicit files (in this case the leaked data) more difficult. By introducing hundreds or thousands of peers that advertise they have parts of the file, and then failing to send them, would-be downloaders experience considerably slower rates. In some cases this causes them to give up on the download completely, and in other cases may mean the download could take more than a day, rather than an hour or three.
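To make the slowdown described above concrete, here is an added model of the swarm-pollution effect seen from the downloading client's side. It is illustration code written for this page, not code from Risk Based Security, Sony, or any torrent client. Peers that advertise a piece and never deliver it cost the client one request timeout each time they are chosen; the model compares a naive client with one that bans a peer after a failed delivery, which is the usual client-side mitigation. Peer counts, piece time and timeout are constructed values, not measurements of the Sony swarms.

```python
"""Model of a BitTorrent swarm polluted with non-delivering peers.

Added illustration, not code from the RBS article. All parameters are
constructed; they are not measurements of any real swarm.
"""
import random


def expected_seconds_without_banning(num_pieces, honest_peers, fake_peers,
                                     piece_seconds=1.0, timeout_seconds=30.0):
    """Closed-form expectation for a client that never bans peers.

    Each request hits a fake peer with probability f = fake/(honest+fake).
    The number of failed requests before a success is geometric with mean
    f/(1-f), which simplifies to fake/honest, so each piece costs
    piece_seconds + timeout_seconds * fake/honest on average.
    """
    if honest_peers <= 0:
        raise ValueError("at least one honest peer is required")
    ratio = fake_peers / honest_peers
    return num_pieces * (piece_seconds + timeout_seconds * ratio)


def simulate_download(num_pieces, honest_peers, fake_peers, piece_seconds=1.0,
                      timeout_seconds=30.0, ban_after_failures=None, seed=0):
    """Simulate fetching num_pieces pieces one at a time; return total seconds.

    Every request picks a random non-banned peer. Honest peers deliver in
    piece_seconds; fake peers stall until timeout_seconds elapse. When
    ban_after_failures is set, a peer that has failed that many times is
    never asked again (honest peers never fail, so they are never banned).
    """
    if honest_peers <= 0:
        raise ValueError("at least one honest peer is required")
    rng = random.Random(seed)
    peers = ([("honest", i) for i in range(honest_peers)]
             + [("fake", i) for i in range(fake_peers)])
    failures = {p: 0 for p in peers}
    banned = set()
    elapsed = 0.0
    for _ in range(num_pieces):
        while True:
            candidates = [p for p in peers if p not in banned]
            peer = rng.choice(candidates)
            if peer[0] == "honest":
                elapsed += piece_seconds
                break
            # Fake peer: advertised the piece, never sent it, request timed out.
            elapsed += timeout_seconds
            failures[peer] += 1
            if ban_after_failures is not None and failures[peer] >= ban_after_failures:
                banned.add(peer)
    return elapsed


def compare_clients(num_pieces=100, honest_peers=10, fake_peers=90):
    """Return download times (seconds) for a naive and a banning client."""
    naive = simulate_download(num_pieces, honest_peers, fake_peers)
    banning = simulate_download(num_pieces, honest_peers, fake_peers,
                                ban_after_failures=1)
    return {
        "naive": naive,
        "banning": banning,
        "naive_expected": expected_seconds_without_banning(
            num_pieces, honest_peers, fake_peers),
    }


if __name__ == "__main__":
    r = compare_clients()
    print(f"naive client:   {r['naive'] / 3600:.1f} h "
          f"(expected {r['naive_expected'] / 3600:.1f} h)")
    print(f"banning client: {r['banning'] / 3600:.2f} h")
```

With 10 honest and 90 fake peers the naive client pays roughly nine timeouts per piece, turning a 100-second download into several hours, while the banning client absorbs at most one timeout per fake peer before the swarm is effectively clean again. That difference is why the tactic mostly hurts clients with no peer reputation logic.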
The use of the term denial of service appears to originate in an article from re/code, where they say that Sony "is using hundreds of computers in Asia to execute what's known as a denial of service attack on sites where its pilfered data is available." Technically, this is true, as a denial of service attack is just that: it denies some level of service to users. However, in this case Sony is attempting to deny people from obtaining the leaked data from their network. Is this legal? Based on our understanding of U.S. computer crime laws, their actions do not technically violate the Computer Fraud and Abuse Act (CFAA, specifically 18 U.S. Code 1030). However, according to the Department of Justice manual on prosecuting computer crime, this may be up for interpretation by a district attorney as far as what constitutes a legitimate user:
"Intruders can initiate a denial of service attack that floods the victim computer with useless information and prevents legitimate users from accessing it. [..] Prosecutors can use section 1030(a)(5) to charge all of these different kinds of acts."
This boils down to whether journalists can publish the contents of material that was illegally obtained by a third party. The Student Press Law Center (SPLC) maintains a great summary of this issue and cites the Supreme Court's 2001 decision Bartnicki v. Vopper, which struck down wiretapping statutes that prohibited the disclosure of illegally intercepted communications. With this in mind, anyone attempting to download the leaked Sony data *is* a legitimate user, and Sony's efforts to deny that service may violate the CFAA. We're not lawyers, and this is certainly a case full of gray, not black and white.
The one thing we can say with certainty is that Denial of Service (DoS) and Distributed Denial of Service (DDoS) are loaded terms, as they are typically used to describe either a technical attack against a system (where intent and ethics aren't part of the discussion), or the actions of a criminal. This terminology gets further confusing and misleading when it is accompanied with phrases like "When the hackee becomes the hacker", "In a somewhat amusing twist to the ongoing Sony Pictures hack", or more aggressive wording like "Sony Pictures is employing hacking techniques", since this begins to ascribe specific criminal notions to their actions. The one thing Sony is doing right in all this mess is denying everything.

Debates, Goliath, and Apologies (December 12)
Whenever a large breach occurs and involves the disclosure of personal email, even if professional, several debates re-emerge. The first revolves around the ethics of reading private emails. On one hand those emails, while public, were never meant to be published. On the other hand, quite simply, they were made public. This is not a debate that will be won, as both sides have valid points. One thing to keep in mind is how you would feel if your emails were leaked. RBS has balanced this dilemma by analyzing the metadata (e.g. mailbox size, number of mails) rather than the content. Instead, we make observations about what others have published regarding the content and link to their articles.
The second debate that crops back up is the ethics of downloading stolen content such as emails. As mentioned in yesterday's update, the Supreme Court's 2001 decision in Bartnicki v. Vopper says that downloading and using stolen material such as email is legal for journalists. However, current intellectual property (IP) and copyright law could trivially challenge that ruling if it were to reappear in front of the Supreme Court. Regardless of that decision, Kashmir Hill reminds us that simply downloading the stolen content may prompt a visit from federal authorities. Not only has Dan Tentler (@viss) been visited, but Steve Ragan has also had a run-in with
the FBI over the Sony material. We have little doubt that they are not the only two to have been visited. We also want to remind the FBI that journalists and researchers who are downloading and analyzing the material are not who you are really after, assuming you are trying to catch the individuals that actually compromised Sony's network. If you treat them as sources instead of persons of interest, you may find they can assist you with your job.
The third debate that tends to come up among journalists is whether analysis or snippets of such emails should be published after downloading and reading. Variety weighs in on this topic in an article titled "Why Publishing Stolen Sony Data is Problematic But Necessary". While some of the material coming out of the leaks is very personal and embarrassing (e.g. racial jokes, calling professionals obscene names), such leaks can also lead to information that is specifically of interest to the public and should not be kept behind closed doors.
On the bad side of such disclosures, we see that the leaks are revealing very sensitive information such as employees' children's health information, including special needs, diagnoses, and treatments. The leaks further go on to reveal birth dates, gender, health conditions, and medical costs for as many as 34 Sony employees, according to Bloomberg. On the good side of such disclosures, we find out that the MPAA, in conjunction with six studios, allegedly plans to pay elected officials to attack Google in an effort to curb piracy dubbed "Project Goliath", according to TechDirt and The Verge. These two things are pretty much the opposite ends of the spectrum on the harm versus value of leaked data.
Finally, after weeks of silence, one Sony executive has broken their silence and gone on record about the leaked emails, albeit briefly. Amy Pascal, Co-Chairman, Sony Pictures Entertainment, has apologized and given an explanation for the racially insensitive comments directed at President Obama. Food for thought this weekend: if your email was published, what would you have to apologize for, if anything?

My Life At The Company, Part 2 (December 13)
Today brought the seventh leak of data from the Guardians of Peace (GOP), titled "My Life At The Company Part 2". This follows a Pastebin post in which they warn Sony executives that an important message has been sent to them:
by GOP
Important
Message to SPE executives
I've sent you a message.
Confirm your mailboxes.
The Pastebin post with links to the newly leaked information from Sony networks is accompanied by another message saying that upcoming Christmas leaks will contain larger quantities of data and it will be more interesting. One thing that is already interesting is that GOP says if anyone sends an email titled "Merry Christmas" to one of five provided email addresses, they will take requests for what should be in the upcoming leak:
We are preparing for you a Christmas gift.
The gift will be larger quantities of data.
And it will be more interesting.
The gift will surely give you much more pleasure and put Sony Pictures into the worst state.
Please send an email titled by "Merry Christmas" at the addresses below to tell us what you want in our Christmas gift.
The actual data leaked today appears to consist of 6.45 GB of uncompressed data, distributed via bittorrent links that do not appear to be seeding from the same 54 IP addresses previously seen. The data consists of 6,560 files throughout 917 folders. A screenshot showing a sampling of the leaked data:

A very brief analysis suggests this leak contains:
Sony internal documents for tracking deals, expenditures, and revenue.
Complete working folders for Jim Underwood (likely ex-Sony Executive VP, Worldwide Digital and Commercial Strategy [LinkedIn Profile])
Documents related to the acquisition of Grouper Networks in 2006 and related material from the following years.
Many acquisition proposals, Sony's perspective on the pros and cons of the deals, companies of interest, and potential profit, including Left Bank Pictures.
Drafts on the best ways to battle piracy, from 2009 on.
"Enhanced Content Protection Overview" written by Chris Odgers: a complete analysis of possibilities of breaches, exploits, detection, and prevention methods for data streaming services to prevent hijacking.
Emails about Australian TV not being finalized before screening started. This appears to be related to the recent run of older American TV shows like Starsky and Hutch.
Breach monitoring and revocation rules for "Phase 1 Service" if the F1 Box is hacked.
Business documents and dealings with Abril.com out of Brazil.
As other researchers and journalists perform a more extensive analysis, we will provide links, summaries, and commentary on it.
Between Sony's efforts to hinder acquiring the data via the torrents, and the file sharing sites rapidly removing leaked data, some people have begun to make their own archives of the leaked data on additional sites. Some of them are being shared via Twitter and others via additional file sharing sites.
Following up on the legal angle (covered in the December 11 update), Betabeat has published an article titled "No Gray Area: It's Definitely Not OK to Publish Emails From the Sony Hack" in which they point out the moral and ethical issue with disclosing details of the leaked data. They argue that a variety of news outlets, including Perez Hilton, called the disclosure of celebrity nude photos a crime, while having no issue publishing private conversations from Sony executives. This is an interesting observation, as it appears to establish the line between acceptable (leaked emails) and taboo (nude celebrity photos) for journalists. We are sure that this is a debate that will rage on for some time. [Note that the Perez Hilton article that mentions the word crime cites Jennifer Lawrence's statements in which she called the publication of her photos a sex crime.]
Business Insider has also published an article citing an IT worker, employed by a firm that has access to Sony's computer network, who says Sony's network security was outdated and ineffective. The article goes on to reference the "Password" folder that contained numerous passwords, but as we previously noted, that was likely at the hands of the attackers, not necessarily Sony. In another article from re/code, they also reveal that the leak contains a very recent security audit performed by PricewaterhouseCoopers LLP between July 14 and August 1. re/code reports that the audit found over 100 systems that were not being monitored by corporate security, who were charged with overseeing Sony's infrastructure.
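The audit finding reported above, systems that nobody in corporate security was watching, is the kind of gap a monitoring-coverage reconciliation catches before an auditor does. The following is an added example written for this page, not code from Risk Based Security, Sony, or the PwC audit: it compares a constructed asset inventory against constructed log-collector heartbeat records and classifies each host as monitored, stale, or never seen, and also flags hosts that send logs but are missing from the inventory. The inventory, hostnames, log format and the seven-day silence threshold are all assumptions made for illustration.

```python
"""Monitoring-coverage reconciliation: inventory vs. log-collector records.

Added illustration, not code from the RBS article or from any audit. The
inventory, hostnames, log lines and thresholds are constructed.
"""
from datetime import datetime, timedelta
import re

# Constructed asset inventory: hostname -> owning team.
INVENTORY = {
    "web-01": "web",
    "web-02": "web",
    "db-01": "data",
    "build-07": "engineering",
    "legacy-fs-03": "unknown",
}

# Constructed collector records in an assumed format:
# "<ISO-8601 timestamp> <hostname> <message>".
LOG_LINES = """\
2014-11-20T08:00:00 web-01 heartbeat ok
2014-11-23T09:15:00 web-02 heartbeat ok
2014-11-24T10:00:00 db-01 heartbeat ok
2014-11-01T07:00:00 build-07 heartbeat ok
2014-11-24T11:00:00 rogue-vm-9 heartbeat ok
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")


def last_seen(log_text):
    """Return {hostname: latest timestamp} parsed from collector records."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: ignore rather than crash the report
        ts = datetime.fromisoformat(m.group(1))
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_report(inventory, log_text, now, max_silence=timedelta(days=7)):
    """Classify inventory hosts by log freshness and flag unknown log sources.

    monitored:     last record within max_silence of `now`
    stale:         has logged before, but silent longer than max_silence
    never_seen:    in the inventory, no record at all
    unknown_hosts: sends logs but is absent from the inventory
    """
    seen = last_seen(log_text)
    report = {"monitored": [], "stale": [], "never_seen": [], "unknown_hosts": []}
    for host in sorted(inventory):
        if host not in seen:
            report["never_seen"].append(host)
        elif now - seen[host] > max_silence:
            report["stale"].append(host)
        else:
            report["monitored"].append(host)
    report["unknown_hosts"] = sorted(h for h in seen if h not in inventory)
    return report


def unmonitored_count(report):
    """Number of inventory hosts an auditor would list as not monitored."""
    return len(report["stale"]) + len(report["never_seen"])


if __name__ == "__main__":
    rep = coverage_report(INVENTORY, LOG_LINES, datetime(2014, 11, 24, 12, 0, 0))
    for bucket, hosts in rep.items():
        print(f"{bucket:14s} {', '.join(hosts) or '-'}")
    print(f"unmonitored: {unmonitored_count(rep)}")
```

The two failure modes worth noting are the stale host (it was onboarded once, so a simple "is it configured" check would pass it) and the unknown host (it is monitored but unowned, which is often how an unmanaged system first shows up). Both are visible only when inventory and actual log arrivals are reconciled against each other.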
RBS will update this timeline with more information as it becomes available.
Filed Under: Data Breaches, News. Tagged With: GOP, Guardians of Peace, Sony Pictures
