Sony Hack: FBI Issues Malware Alert

Dangerous Malware Can Wipe Hard Drives
Sony Hack: FBI Issues Malware Alert

The FBI has sent a confidential "flash" alert to numerous U.S. businesses, warning them that hackers have recently launched a destructive "wiper" malware attack. While the alert doesn't name the victim, numerous information security experts say the malware appears to correspond with the malicious code used in the recent hack attack against Sony Pictures Entertainment.

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

The FBI alert marks the first time that dangerous wiper malware has been used in an attack against a business in the United States, security experts say. Previous such attacks were seen in the Middle East in 2012 and in South Korea in 2013. Wiper malware is one of the rarest types of malware and "highly destructive," security firm Kaspersky Lab says, owing to it having the ability to wipe hard drives and even BIOS flash memory. Infections with the malware can lead to costly and lengthy repairs and data stored on devices often being impossible to restore, unless it's been backed up offsite.

The five-page FBI memo was sent directly to information security personnel at some U.S. businesses late on Dec. 1, and included guidance for how to recognize and respond to the malware, Reuters first reported. The FBI requested in the memo that the contents not be shared publicly. But according to press reports, the FBI memo says that while the identity of the attackers is "unknown," some of the malware that's been used in the attacks was built using Korean-language development tools.

The FBI didn't immediately respond to a request for comment about its flash report. But the bureau confirmed Monday that it's assisting in the Sony breach investigation. "The FBI is working with our interagency partners to investigate the recently reported cyber-intrusion at Sony Pictures Entertainment," the FBI says in a statement provided to Variety. "The targeting of public and private sector computer networks remains a significant threat, and the FBI will continue to identify, pursue and defeat individuals and groups who pose a threat in cyberspace."

A group with ties to North Korea is suspected of being responsible for the attack against Sony Pictures, owing to the malware that was employed in the Sony attack being "nearly identical" to attack code employed in the March 20, 2013, "Dark Seoul" attack against South Korean banks and broadcasters, The Wall Street Journal reports, citing anonymous sources with knowledge of the investigation. South Korean officials later reported that they had traced that attack, which used "wiper" malware to delete the contents of an estimated 32,000 PCs, to an IP address located in the North Korean capital of Pyongyang.

Sony didn't immediately respond to a request for comment on the FBI report, or reports that it has hired digital forensic investigation firm Mandiant to investigate and help remediate the attack. But a Sony spokeswoman says the company has "restored a number of important services" and is "working closely with law enforcement officials to investigate the matter," Reuters reports.

Multiple information security experts have connected the FBI alert with the Sony attack. "This correlates with information that many of us in the security industry have been tracking," one individual who reviewed the FBI alert tells Reuters. "It looks exactly like information from the Sony attack."

G.O.P. Hackers Claim Credit

Sony Pictures Entertainment suffered the hack attack on Nov. 24, when workers who attempted to log into their PCs found them locked - apparently by attackers - and displaying an image of a red skeleton overlaid with the words "Hacked By #GOP." That refers to a group calling itself the Guardians of Peace, which also displayed a warning on the locked PCs that Sony must begin negotiating with the attackers via Facebook and Twitter, although it listed no demands. "We've obtained all your internal data including your secrets and top secrets," the message said, noting that attackers planned to being releasing Sony data at 3 p.m. Pacific Time the same day, unless Sony attempted to establish contact.

The group subsequently began releasing stolen Sony data, including high-quality digital copies of a swatch of new movies that have yet to see their U.S. or global release - notably Annie, Fury, Mr. Turner and Still Alice - as well as numerous, alleged Sony corporate documents, the Guardian reports. That includes a spreadsheet listing salaries for more than 6,000 Sony employees, including its top bosses, pop culture news site Fusion reports. Sony didn't immediately respond to a request for comment about the document's veracity.

An e-mail sent to Information Security Media Group by someone claiming to be a member of G.O.P. said that the group planned to eventually release "tens of terabytes" of Sony data via such sites as Dropbox and Pastebin.

The hack attack left Sony employees without access to e-mail and other internal systems, Variety reports, after which the company reportedly locked down all remote access. As the company prepares to release a slate of movies for the holiday season, Sony staff were forced to revert to using paper, pencil, and even fax machines, the Los Angeles Times reports.

Suspected North Korean Tie

Since the Sony hack, suspicion has been mounting that it relates to the forthcoming release of The Interview, which is one Sony film that wasn't leaked by attackers. James Franco and Seth Rogen star in the movie as a tabloid-TV reporting team who land an interview with Kim Jong-un in Pyongyang, and then get recruited by the CIA to assassinate him. Sony bills the film as an "action comedy," and is set to release it on December 25.

In June, the government of dictator-run North Korea - officially called the Democratic People's Republic of Korea - issued a threat tied to the movie, which was then slated for an October release. "Those who defamed our supreme leadership and committed the hostile acts against the DPRK can never escape the stern punishment to be meted out according to a law wherever they might be in the world," a North Korean Foreign Ministry spokesman told the country's state-run news agency. "If the U.S. administration connives at and patronizes the screening of the film, it will invite a strong and merciless countermeasure."

The hacking group G.O.P. has responded in a statement, according to The Verge, that its target is not The Interview, per se, but rather the "greed of Sony Pictures," which it accused of "harming the regional peace and security and violating human rights for money."

Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team, says that despite the claims of G.O.P., "at this stage it is not possible to identify and attribute who is behind these attacks." Anyone could have repurposed previously seen wiper malware for these attacks, he contends. "There are samples of wiper-type malware available online that those with the right skills and motivations could reuse or include in their own malware."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network