February 5, 2015 By Dana Tamir 4 min read

On Nov. 21, 2014, Sony Pictures Entertainment executives received extortion emails from a mysterious cybercriminal group warning them of a damaging cyberattack. Three days later, on Nov. 24, Sony discovered internal documents, emails and movies had been leaked and that it had essentially lost control of its IT network.

On Dec. 19, 2014, the FBI announced its investigation had found the North Korean government responsible for the hack. This announcement raised many questions and resulted in substantial criticism. Some security experts were convinced the FBI got it wrong. One security vendor pointed at a disgruntled ex-Sony employee named “Lena” who had worked at Sony for 10 years in a senior technical position until she was laid off in May during a corporate restructuring. Other investigators said North Korea likely hired cybercriminals from outside the country to help with the attack since it lacks the resources. Now, a new report says it may have actually been a Russian cybercriminal group.

Report: Sony Breached by Russian Cybercriminal Group

According to an article published yesterday by BankInfoSecurity, Russian cybercriminals used spear-phishing attacks to breach Sony in 2014. The source of this claim is “Yama Tough,” a longtime Russian cybercriminal who said he has been engaged by both the Russian and Ukrainian governments as well as private companies outside of Russia.

According to the report, he spoke with another unnamed Russian cybercriminal who claimed he breached Sony’s network by sending spear-phishing emails containing a weaponized PDF attachment to Sony employees in Asia and Russia. When a user opened the attachment, a remote access Trojan (RAT) was silently installed on the machine. The cybercriminals then used what the report calls an advanced pivoting technique to move laterally from the compromised machines into the rest of Sony’s network. As proof of access, the criminals provided samples of Sony documents.

Who Breached Sony?

The report suggests two possibilities:

  1. The Russian and North Korean cybercriminals could have run two separate yet simultaneous attacks against Sony.
  2. North Korea may not have been behind the attack at all, which would be consistent with its government’s denial of involvement.

While it remains unclear who is to blame for this breach, the competing accounts suggest that more than one group was targeting the organization. It is also possible that multiple groups worked together to breach the organization’s network.

It is important to note that this isn’t the first time Sony has been breached. In 2011, Sony suffered multiple data breaches involving its PlayStation Network, Qriocity (now Music Unlimited), Sony Online Entertainment and other sites.

Spear Phishing, Malware and Compromised Credentials Remain Top Cyberattack Methods

Despite existing controls, enterprises are still breached daily. In many cases, spear-phishing emails are used to initiate the attack and deliver weaponized content. In the alleged Russian hack, for example, the weaponized attachment was a PDF document. It is unclear from the report how the hidden exploit worked: it may have targeted a vulnerability in the PDF reader itself (Adobe Reader or Acrobat) or in an object embedded in the document. In any case, it managed to install a RAT on the user’s machine. The report also doesn’t specify which RAT was installed, but it claims the RAT wasn’t detected by the company’s antivirus solution. Considering the evasion techniques built into advanced malware today, this is not surprising.
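The attachment described above is the kind of file an analyst would triage statically before anyone opens it. The following Python script is an added example, not code from the original article or from Trusteer: it scans a PDF for the name objects weaponized documents rely on (an automatic /OpenAction, embedded /JS or /JavaScript, /Launch, /EmbeddedFile and similar), after first decoding the #xx name escapes that attackers use to hide those tokens from naive string matching. Both PDF byte strings are constructed samples; the JavaScript in the suspicious one is a harmless alert, not an exploit, and the list of risky names and the risk scoring are this example’s own assumptions, not anything the report identifies.

```python
import re

# Name objects that commonly appear in weaponized PDFs (this example's own list).
RISKY_NAMES = {
    "/OpenAction": "runs an action automatically when the document opens",
    "/AA": "additional, event-triggered actions",
    "/JavaScript": "JavaScript action",
    "/JS": "JavaScript code string or stream",
    "/Launch": "launches an external program or file",
    "/EmbeddedFile": "carries an embedded file (a dropper payload, for instance)",
    "/RichMedia": "Flash / rich media object",
    "/ObjStm": "object streams, which can hide the names above from naive scanners",
}

# PDF allows any byte in a name to be written as #xx, so /J#53 is the same name as /JS.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names can be matched literally.

    This is a scanning copy only; the decoded bytes are never written back.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {risky_name: occurrence_count} for the names found in the document."""
    if not data.lstrip().startswith(b"%PDF"):
        raise ValueError("not a PDF (missing %PDF header)")
    text = normalize_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # A name token ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    return hits


def risk_level(hits: dict) -> str:
    """Crude triage: an automatic trigger combined with code or a launch is 'high'."""
    triggers = {"/OpenAction", "/AA"}
    payloads = {"/JS", "/JavaScript", "/Launch"}
    if triggers & hits.keys() and payloads & hits.keys():
        return "high"
    if hits:
        return "medium"
    return "low"


# Constructed sample: a minimal one-page document with nothing suspicious.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the catalog's /OpenAction points at a JavaScript action, with
# the names hex-escaped (/Open#41ction, /J#53) to dodge a plain string search.
# The script body is an alert, not an exploit.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /J#53 5 0 R >> endobj
5 0 obj << /Length 40 >> stream
app.alert('constructed sample, no exploit');
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        found = scan_pdf(doc)
        print(label, risk_level(found), found)
        for name, n in found.items():
            print(f"  {name} x{n}: {RISKY_NAMES[name]}")
```

A hit on these names is a reason to detonate the file in a sandbox or dissect it further, not proof of malice on its own: many legitimate forms use /AA and /JS. The escape decoding matters because a scanner that only searches for the literal string "/OpenAction" reports the second sample as clean.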

Once the machine was compromised by the RAT, it was used to steal administrator credentials that let the cybercriminals further penetrate the network. According to the 2014 Verizon Data Breach Investigations Report, two out of three breaches involved attackers using stolen or misused credentials.

Image Source: IBM. Alleged process of attack.

Think Your Organization Won’t Be Targeted? Think Again!

The attack on Sony illustrates that cybercriminals can be motivated by more than just money. The different cybercriminal groups that targeted and breached Sony over the years may have had very different motivations for the attacks. Unfortunately, this means every organization can become a target at one point or another for various reasons. As such, you must be prepared.

Trusteer Apex: Multilayered Protections Designed to Break the Threat Life Cycle

IBM Security Trusteer Apex advanced malware protection is an endpoint solution designed to protect employee endpoints against targeted attacks and advanced threats. Its multilayered approach addresses the various stages of the threat life cycle. In this example, Trusteer Apex protection layers could be used to do the following:

  1. Exploit Chain Disruption: This addresses the first strategic choke point in the threat life cycle. By disrupting the chain of events the exploit sets in motion, Trusteer Apex can prevent the exploit from downloading the malware and compromising the user’s machine. For example, Apex can block exploits that leverage both known and unknown vulnerabilities in Adobe PDF reader applications, preventing malware from being silently installed on an employee’s device.
  2. Malicious Communication Blocking: This addresses a second strategic choke point in the threat life cycle. Malware that does find its way onto an employee’s endpoint must open a communication channel to the cybercriminal’s command-and-control (C&C) server in order to receive operational instructions and send out stolen information. By preventing the malware from establishing that channel, the malware is unable to send out stolen credentials or other data, and the cybercriminal is unable to operate it.
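The C&C choke point in item 2 is also a detection opportunity for teams that are not running an endpoint agent. The following Python code is an added example, not code from the original article or from the Trusteer product: it runs over constructed proxy log lines (timestamp, client IP, destination host; hypothetical hosts and addresses, not Sony data) and flags the pattern a RAT produces when it polls its operator for tasking, namely repeated connections from one client to a host that few other clients contact, at a near-constant interval. The thresholds min_hits, max_cv and max_clients are assumptions tuned to the sample, not published values.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt: "<ISO timestamp> <client IP> <destination host>".
# Client 10.0.0.7 contacts c2-updates.example.test every ~300 s with a few seconds
# of jitter, while it and other clients browse a news site at irregular times.
LOG_LINES = """\
2015-01-12T09:00:00Z 10.0.0.7 c2-updates.example.test
2015-01-12T09:00:04Z 10.0.0.5 www.example-news.test
2015-01-12T09:05:01Z 10.0.0.7 c2-updates.example.test
2015-01-12T09:07:30Z 10.0.0.9 www.example-news.test
2015-01-12T09:09:59Z 10.0.0.7 c2-updates.example.test
2015-01-12T09:12:11Z 10.0.0.5 www.example-news.test
2015-01-12T09:15:02Z 10.0.0.7 c2-updates.example.test
2015-01-12T09:20:00Z 10.0.0.7 c2-updates.example.test
2015-01-12T09:21:45Z 10.0.0.7 www.example-news.test
2015-01-12T09:25:01Z 10.0.0.7 c2-updates.example.test
2015-01-12T09:40:00Z 10.0.0.5 www.example-news.test
""".splitlines()


def parse(lines):
    """Group timestamps by (client, host) and record which clients talk to each host."""
    conns = defaultdict(list)
    clients_per_host = defaultdict(set)
    for line in lines:
        ts, client, host = line.split()
        conns[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
        clients_per_host[host].add(client)
    return conns, clients_per_host


def find_beacons(lines, min_hits=5, max_cv=0.10, max_clients=2):
    """Return (client, host) pairs whose inter-connection gaps are suspiciously regular.

    max_cv bounds the coefficient of variation (standard deviation / mean) of the
    gaps; max_clients keeps popular destinations such as update servers out of the
    result, since rarity is what separates a C&C host from a legitimate poller.
    """
    conns, clients_per_host = parse(lines)
    findings = []
    for (client, host), times in conns.items():
        if len(times) < min_hits or len(clients_per_host[host]) > max_clients:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # bursts with identical timestamps are not beacons
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(times),
                "period_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(LOG_LINES):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"period {f['period_s']} s, jitter cv {f['jitter_cv']}")
```

Real RATs usually add random jitter and sleep for longer between check-ins, so in production the interval tolerance is widened, the window is extended to days, and the popularity filter is computed over the whole estate rather than a handful of clients; the logic stays the same. The finding is a lead for the endpoint investigation, not a verdict.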

Additional protection layers that can be included in Trusteer Apex are Credentials Protection, Advanced Malware Detection and Mitigation and Lockdown for Java.
