Sony Breach Response: Legal Threats

Meanwhile, G.O.P. Attackers Promise New 'Christmas Present'
Sony Breach Response: Legal Threats

Three weeks after attackers launched a devastating wiper malware attack against Sony Pictures Entertainment and began leaking stolen data, Sony has broken its silence by hiring a prominent U.S. attorney to threaten to sue media outlets that reproduce the leaked information, and to demand that they delete all leaked e-mails, contracts and other information.

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

Meanwhile, the group that claims credit for attacking Sony - which calls itself the Guardians of Peace - has issued its eighth related data dump. G.O.P. promises that it's preparing an even bigger "Christmas present" for the beleaguered movie and television studio.

Sony's legal threat to media outlets, signed by renowned litigator David Boies, calls for all copies of leaked data to be deleted. "If you do not comply with this request and the stolen information is used or disseminated by you in any manner, [Sony Pictures] will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you," reads a copy of the letter from Boies, which was published in its entirety by online privacy library Cryptome. Boies has previously represented the U.S. government in its antitrust suit against Microsoft, defended Napster against the Recording Industry Association of America, and represented Al Gore before the U.S. Supreme Court, following the 2000 presidential election.

Multiple media outlets - including Bloomberg News, Gawker, the New York Times, Variety and The Wall Street Journal - confirmed Dec. 14 that they'd received a copy of Sony's letter. But none indicated that they had any plans to comply with Sony's demands. "Any decisions about whether or how to use any of the information will take into account both the significance of the news and the questions of how the information emerged and who has access to it," says New York Times spokeswoman Eileen Murphy in a statement.

Sony Data: Dumps Continue

Meanwhile, the leaks of Sony data continue, and have reportedly included everything from current and former employees' Social Security numbers, and an early draft of the script for the next James Bond film, Spectre - which is not due out until Nov. 6, 2015 - to contact information and travel aliases used by some big-name Hollywood stars.

An e-mail to Information Security Media Group on Dec. 14 by a claimed G.O.P. representative included links to multiple online sharing sites - including Pastebin - that displayed a message that includes links to download an eighth batch of leaked data. Attackers say that data dump includes the Outlook mailbox for Steven O'Dell, president of Sony Pictures Releasing International. The authenticity of that claim could not be verified, but according to some press reports, the leaked file is almost 6 GB in size.

In its message, G.O.P. promised to continue releasing even more information. "We are preparing for you a Christmas gift," its message reads. "The gift will be larger quantities of data. And it will be more interesting."

Sony has declined to respond to all requests for comment pertaining to its hack attack, or to address the authenticity of the data being published. Its website features no statements pertaining to the hack attack or data leaks. "It's kind of pathetic that there's nothing posted here," F-Secure security advisor Sean Sullivan tells Information Security Media Group, referencing Sony's Press Contact page. But he says that someone appears to be trying to keep people from visiting G.O.P.'s messages, by getting the sites classified as malicious attack sites, at least via Firefox. "It's not an attack site," he says. "It appears that somebody has reported the site as being malicious in order to push people away from Sony Pictures' archive."

G.O.P. previously released the Outlook e-mail spools for Sony's general counsel, Leah Weil, as well as Sony Pictures Chair Amy Pascal, which were then reproduced by multiple media outlets.

In its Dec. 14 message, G.O.P. also sent a "message to SPE Staffers" saying that it plans to continue releasing Sony Pictures employees' e-mails. "If you don't want your privacy to be released, tell us your name and business title to take off your data," it claims. But that promise comes after the group previously threatened Sony employees.

G.O.P. also promises that it will cease releasing more Sony data provided that the movie and television studio kills the release of The Interview. Set for a Dec. 25 release, the comedy centers on a pair of tabloid TV reporters who land an interview with North Korean dictator Kim Jong-un in Pyongyang, and are approached by the CIA to assassinate him.

But multiple information security experts have questioned whether the G.O.P. was actually driven by outrage over The Interview, following revelations that the group's earliest demand appeared to be a criminal attempt to extort Sony, in which no reference was made to the film.

FBI: Wiper Malware Sophisticated

Security experts have also questioned whether Sony could have done more to prevent the attack, or at least to have detected attackers before they could siphon off what they claim to be "tens of terabytes" of data, or unleash their devastating wiper malware attack that appeared to "brick" an unknown number of the company's hard drives. Following the wiper malware infection, Sony Pictures has reportedly been replacing every employee's laptop.

But an FBI official, speaking to U.S. legislators on December 10, says that the Sony attackers' sophistication was "extremely high," and - in an allusion to so-called advanced persistent threat, or APT attacks - noted that the hackers were "organized and certainly persistent," the Guardian reports.

"In speaking with Sony and separately, the Mandiant security provider, the malware that was used would have slipped or probably got past 90 percent of Internet defenses that are out there today in private industry and [would have] challenged even state government," Joseph Demarest, assistant director of the FBI's cyber division, told a U.S. Senate hearing.

While the wiper malware attack against Sony Pictures Entertainment was believed to have been the first such attack launched against a U.S. business, a Dec. 11 news report says that the Las Vegas Sands casino was targeted with wiper malware, apparently by Iranians, in February 2014 (see Report: 'Wiper' Malware Hit Casino Firm).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network