Kevin Mandia, the forensics expert Sony hired to investigate, wrote in a letter to Sony's CEO that the breach was unprecedented, well-planned and carried out by an "organized group". It is the most destructive cyber attack reported to date against a company on U.S. soil.
As terabytes of data were exfiltrated, a treasure trove of confidential data will be leaked over the coming weeks or months. But how was Sony hacked? The grugq recently tweeted: "Well, pretty much every single hacked network in the news can be summarized: 'It started with an email...'" I would not be surprised if this was the case with Sony as well, using simple social engineering tactics.
While security experts have been able to test the wiper malware employed against Sony Pictures Entertainment, they say they have not yet determined exactly how the malware infected Sony in the first place. "My educated guess would be that someone was targeted [with] a spear phishing e-mail, which granted access to a system," Tom Chapman, director of the cyber-operations group at cybersecurity firm EdgeWave, tells Information Security Media Group. "The hacker(s) then escalated privileges and took control of the mail server and possibly the Active Directory. From there, the hackers owned the system."
The attackers appear to have had an edge: they seem to have been very familiar with Sony's network topology. "We have been investigating the attack and discovered new pieces of malware that are likely related to the same attackers," says security researcher Jaime Blasco, labs director of security management and threat intelligence vendor AlienVault. "From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials/usernames and passwords that the malware uses to connect to systems inside the network."
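Hardcoded server names and credentials are exactly the kind of thing a first-pass triage of a sample should surface. The script below is an added example, not code from the original post or from AlienVault: it pulls printable ASCII and UTF-16LE strings out of a binary blob (the same idea as `strings -a` and `strings -el`) and flags UNC paths, hostnames in an assumed internal AD domain, embedded `net use ... /user:` credentials and URLs. The sample blob, the hostnames (`FILESRV01`, `DC01.corp.example.local`), the domain `corp.example.local` and the password are all constructed placeholders; none of them come from the Sony samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: junk bytes around embedded strings, standing in for a
# real dropper. Every hostname, share and credential here is a placeholder.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"cmd.exe /c net use \\\\FILESRV01\\C$ /user:CORP\\svc_backup Winter2014!\x00"
    + b"\x00\x01\x02\x03"
    + "\\\\DC01.corp.example.local\\netlogon".encode("utf-16le")  # wide string
    + b"\x00\x00\xff\xfe"
    + b"http://update.example.com/check\x00"
    + b"\x90" * 16
)

MIN_LEN = 6
INTERNAL_DOMAIN = "corp.example.local"  # assumption: the victim's AD domain

UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")          # \\HOST\share
CRED_RE = re.compile(r"/user:(\S+)\s+(\S+)", re.IGNORECASE)  # net use ... /user:DOM\u pass
URL_RE = re.compile(r"https?://[^\s\"']+")
DOMAIN_HOST_RE = re.compile(
    r"[A-Za-z0-9.-]+\." + re.escape(INTERNAL_DOMAIN), re.IGNORECASE
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[str, str]]:
    """Return (encoding, text) for every printable run of at least min_len chars,
    scanning for plain ASCII and for UTF-16LE (char, NUL pairs) separately."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(("utf16le", m.group().decode("utf-16le")))
    return found


def triage(blob: bytes) -> Dict[str, list]:
    """Flag internal hosts, embedded credentials and URLs found in the strings."""
    hosts, creds, urls = set(), [], []
    for _enc, s in extract_strings(blob):
        m = UNC_RE.search(s)
        if m:
            hosts.add(m.group(1).lower())
        if INTERNAL_DOMAIN in s.lower():
            for fqdn in DOMAIN_HOST_RE.findall(s):
                hosts.add(fqdn.lower())
        c = CRED_RE.search(s)
        if c:
            creds.append((c.group(1), c.group(2)))
        urls.extend(URL_RE.findall(s))
    return {"hosts": sorted(hosts), "creds": creds, "urls": urls}


if __name__ == "__main__":
    for key, values in triage(SAMPLE_BLOB).items():
        print(key, values)
```

Finding a victim-specific hostname or a domain account in a sample is a strong signal of prior reconnaissance, which is the point Blasco is making; it also tells the incident responder which credentials to rotate first. Real samples often hide these strings behind simple XOR or base64, so a strings pass is the first check, not the last.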
The North Koreans are highly likely to blame. You might think that a country that struggles to deliver enough electricity to its citizens could not be that sophisticated, but its hackers are trained by the Russians and the Chinese, and Pyongyang runs some of its hacking operations out of a luxury hotel in nearby Shenyang, China.
It is obvious that Sony's defense-in-depth security policy was deeply flawed, either in stating the wrong procedures or in failing to enforce the right ones. Not having breach detection tools in place to spot terabytes of data leaving the network is another epic fail. If the attack did start with a spear-phishing email, effective security awareness training for Sony employees might have stopped it at that first step.
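Spotting terabytes leaving the network does not require anything exotic; it requires summing outbound bytes per internal host over a window and alerting when the total is far above what a workstation should ever send. The script below is an added example, not code from the original post: it runs that logic over constructed NetFlow-style records, counting only internal-to-external flows, aggregating across destinations (an exfiltration split over many sessions and IPs still adds up), and ignoring an assumed sanctioned backup pair so the one host that is supposed to push hundreds of gigabytes off-site does not drown out the real alert. The addresses, volumes, the 10.0.0.0/8 internal range and the 500 GB threshold are all assumptions for illustration, not Sony's telemetry or figures.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

GB = 10**9
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range

# Constructed flow records (day, src_ip, dst_ip, bytes); illustrative only.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("2014-11-22", "10.1.5.20", "203.0.113.10", 200 * GB),
    ("2014-11-22", "10.1.5.20", "203.0.113.11", 200 * GB),
    ("2014-11-22", "10.1.5.20", "203.0.113.12", 200 * GB),
    ("2014-11-22", "10.1.5.20", "198.51.100.7", 200 * GB),
    ("2014-11-22", "10.1.5.20", "198.51.100.8", 200 * GB),
    ("2014-11-22", "10.1.5.20", "198.51.100.9", 200 * GB),
    ("2014-11-22", "10.1.5.20", "10.1.1.9", 5000 * GB),    # internal copy, not egress
    ("2014-11-22", "10.1.1.9", "198.51.100.5", 800 * GB),  # sanctioned off-site backup
    ("2014-11-22", "10.1.5.21", "203.0.113.10", 3 * GB),
    ("2014-11-22", "203.0.113.10", "10.1.5.21", 900 * GB), # inbound, not egress
    ("2014-11-23", "10.1.5.20", "203.0.113.10", 1 * GB),
]

# Assumption: (src, dst) pairs allowed to move bulk data, e.g. backup targets.
BACKUP_ALLOWLIST = {("10.1.1.9", "198.51.100.5")}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows: Iterable[Tuple[str, str, str, int]]) -> Dict[Tuple[str, str], int]:
    """Total bytes per (src, day) that left the internal range, across all
    external destinations, skipping allowlisted backup pairs."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external counts as egress
        if (src, dst) in BACKUP_ALLOWLIST:
            continue
        totals[(src, day)] += nbytes
    return dict(totals)


def flag_exfil(flows: Iterable[Tuple[str, str, str, int]],
               threshold: int = 500 * GB) -> List[Tuple[str, str, int]]:
    """Hosts whose daily egress meets the threshold, as (src, day, bytes)."""
    return sorted(
        (src, day, total)
        for (src, day), total in egress_by_host(flows).items()
        if total >= threshold
    )


if __name__ == "__main__":
    for src, day, total in flag_exfil(FLOWS):
        print(f"ALERT {day} {src} sent {total / GB:.0f} GB to external hosts")
```

A fixed threshold is the crude version; in production the comparison is against each host's own baseline (a workstation that normally sends a few hundred megabytes a day and suddenly sends a terabyte is the signal, whatever the absolute number), and the allowlist should be reviewed, since a compromised backup server is an obvious place to hide exfiltration.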