February 5, 2015 By Dana Tamir 4 min read

On Nov. 21, 2014, Sony Pictures Entertainment executives received extortion emails from a mysterious cybercriminal group warning them of a damaging cyberattack. Three days later, on Nov. 24, Sony discovered internal documents, emails and movies had been leaked and that it had essentially lost control of its IT network.

On Dec. 19, 2014, the FBI announced its investigation had found the North Korean government responsible for the hack. This announcement raised many questions and resulted in substantial criticism. Some security experts were convinced the FBI got it wrong. One security vendor pointed at a disgruntled ex-Sony employee named “Lena” who had worked at Sony for 10 years in a senior technical position until she was laid off in May during a corporate restructuring. Other investigators said North Korea likely hired cybercriminals from outside the country to help with the attack since it lacks the resources. Now, a new report says it may have actually been a Russian cybercriminal group.

Report: Sony Breached by Russian Cybercriminal Group

According to an article published yesterday by BankInfoSecurity, Russian cybercriminals used spear-phishing attacks to breach Sony in 2014. The source of this claim is “Yama Tough,” a longtime Russian cybercriminal who said he has been engaged by both the Russian and Ukrainian governments as well as private companies outside of Russia.

According to the report, he spoke with another unnamed Russian cybercriminal who claimed he successfully breached Sony’s network by sending spear-phishing emails to Sony employees in Asia and Russia that contained a weaponized PDF attachment. When users opened the attachment, a remote access Trojan (RAT) was secretly loaded onto their machine. The cybercriminals then used an advanced pivoting technique to move inside Sony’s network. The criminals provided samples of Sony documents as proof.

Who Breached Sony?

The report suggests two possibilities:

  1. The Russian and North Korean cybercriminals could have run two separate yet simultaneous attacks against Sony.
  2. North Korea may not have been behind the attack, confirming its government’s denial of involvement.

While it remains unclear who is to blame for this breach, it is obvious that more than one group is after the organization. It is possible that multiple groups worked together to breach the organization’s network.

It is important to note that this isn’t the first time Sony has been breached. In 2011, Sony suffered multiple data breaches involving its PlayStation Network, Qriocity (now Music Unlimited), Sony Online Entertainment and other sites.

Spear Phishing, Malware and Compromised Credentials Remain Top Cyberattack Methods

Despite existing controls, enterprises are still breached daily. In many cases, spear-phishing emails are used to initiate the attack and deliver weaponized content. In the alleged Russian hack, for example, the weaponized attachment was a PDF document. It is unclear from the report how the hidden exploit operated to download the RAT to the users’ machines. It may have exploited a vulnerability in Adobe Acrobat or in an embedded object. In any case, it managed to install a RAT on the user’s machine. Once again, the report doesn’t specify which RAT was downloaded, but it claims that it wasn’t detected by the company’s antivirus solution. Considering the various evasion techniques embedded into advanced malware today, this is not surprising.

Once the machine was compromised by the RAT, it was used to steal administrator credentials that let the cybercriminals further penetrate the network. According to the 2014 Verizon Data Breach Investigations Report, two out of three breaches involved attackers using stolen or misused credentials.

Image Source: IBM. Alleged process of attack.

Think Your Organization Won’t Be Targeted? Think Again!

The attack on Sony illustrates that cybercriminals can be motivated by more than just money. The different cybercriminal groups that targeted and breached Sony over the years may have had very different motivations for the attacks. Unfortunately, this means every organization can become a target at one point or another for various reasons. As such, you must be prepared.

Trusteer Apex: Multilayered Protections Designed to Break the Threat Life Cycle

IBM Security Trusteer Apex advanced malware protection is an endpoint solution designed to protect employee endpoints against targeted attacks and advanced threats. Its multilayered approach addresses the various stages of the threat life cycle. In this example, Trusteer Apex protection layers could be used to do the following:

  1. Exploit Chain Disruption: This addresses the first important strategic choke point in the threat life cycle. By disrupting the chain of events initiated by the exploit, Trusteer Apex can prevent the exploit chain from downloading the malware and compromising the user machine. For example, Apex can block exploits by leveraging both known and unknown vulnerabilities in Adobe PDF reader applications to prevent malware from being secretly installed on an employee’s device.
  2. Malicious Communication Blocking: This addresses a second important strategic choke point in the threat life cycle. In order to receive operational instructions and send out the stolen information, malware that does find its way onto an employee’s endpoint must open a communication channel with the cybercriminal’s command-and-control server (C&C). By preventing the malware from establishing communication channels with its operator through a C&C, the malware won’t be able to send out the stolen credentials or other information, thus preventing the cybercriminal from operating it.

Additional protection layers that can be included in Trusteer Apex are Credentials Protection, Advanced Malware Detection and Mitigation and Lockdown for Java. To learn more about Trusteer Apex, click here.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today