FBI warning on 'destructive' attack that wipes all data

News by Tim Ring

FBI alert follows Sony Pictures hack for which North Korea refuses to deny involvement.

The FBI has issued a general warning to businesses to be aware of highly-destructive malware, in the wake of the recent attack on US film and TV producer Sony Pictures.

According to the Reuters news agency, the FBI sent out a confidential five-page ‘flash’ warning to US businesses late on Monday, alerting them to an attack using malware that overwrites all data on the hard drives of the infected computers and prevents them from booting up.

"The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the FBI said.

Reuters claims the alert was sent to security staff at several US companies in an email that asked them not to share the information.

It also says cyber-security experts believe the warning refers directly to the Sony Pictures attack, which they describe as “the first major destructive cyber-attack waged against a company on US soil”.

As SCMagazineUK.com reported yesterday, the attack has been linked to North Korea – and the BBC has since reported that North Korea won't deny it is behind the attack.

Asked if it was involved, a North Korean government spokesman replied: "Wait and see."

Attribution is always difficult, but if it were possible to confirm that North Korea was responsible, then some say it would potentially be possible to take North Korea off the internet.

Daniel Cuthbert, a security researcher at SensePost, demonstrating the Maltego software tool to SC last month, mapped every machine connected to the internet in North Korea and said at the time:

“North Korea has a very small internet presence. What's really interesting is that their entire internet is controlled by one gentleman, Mr (name withheld), therefore if you wanted to knock North Korea off the internet you'd do a fairly sophisticated social engineering attempt on that gentleman to gain control of his machine and then start redirecting.” The identification was carried out using Maltego to pull public data sources together to see patterns – which is sophisticated but less powerful than the Palantir tool set used by intelligence agencies, which draws on a wider range of information sources.

The attack on the US came ahead of Sony Pictures releasing ‘The Interview’, a comedy about North Korean leader Kim Jong-un, which the country has complained about to the United Nations and US Government. Since the hack, a number of forthcoming Sony films have been leaked, but not this one.

North Korea has called the movie an act of war; it stars Seth Rogen and James Franco as reporters who are granted an interview with Kim Jong-un. The trailer includes a comment that: “Kim Jong Un's people believe anything he tells them, including that he can speak to dolphins or he doesn't urinate or defecate.”

The FBI warning is being taken seriously by the UK cyber-experts SC contacted.

Ross Dyer, technical director at Trend Micro UK, said in an email: “The news that the FBI has issued details to key businesses of the attack Sony has been infected with demonstrates how serious a threat this type of cyber-attack is.

“The FBI must believe that this poses a clear and present danger to US companies and government organisations. It appears to be a critical point where we are seeing the start of highly visible and destructive attacks in the US.”

UK-based but American-born cyber-expert Paco Hope, a principal consultant with Cigital, also told SCMagazineUK.com via email: “Attacks are rarely indiscriminately destructive - many high-profile attacks are intended to make a statement and are not about pointless anarchy.

“I think most people contemplating malware that securely erases a hard drive are anxious because it's a worst-case scenario for which most of us are probably poorly prepared.

“The lesson for people who run computers - both personal and businesses - is that this kind of damage can happen for lots of reasons, not just malware. Recovering from such damage is complex and requires software and rehearsed procedures.”

The FBI and US Department of Homeland Security are investigating the Sony attack. And if it does turn out to be nation-state-backed, Thales UK chief cyber-security consultant Andy Settle believes it both threatens free speech and shows state hackers can target ordinary companies, not just nationally important ones – justifying the FBI's general alert.

Settle said in a statement to journalists: “If this attack is truly from North Korea, it shows that nation-states not only pose a threat to governmental bodies and companies supplying critical national infrastructure, but to all organisations.”

He added: “If cyber-attacks are used to try and stifle creative content which is not to the taste of a country or of individuals, this causes significant problems to the expression of free speech.”

Meanwhile Piers Wilson, an advanced cyber-threat detection specialist at UK-based Tier-3 Huntsman, said in a statement to journalists that the possible nation-state attack on Sony, coupled with the FBI warning, shows that “vigilance - to be able to detect and respond to attacks that are highly sophisticated and damaging - is more important than ever”.

A Sony spokeswoman said the company was “working closely with law enforcement officials to investigate the matter” but declined to comment on the FBI warning.

Dr Mike Lloyd, CTO at RedSeal, emailed SC to comment, saying: “The main news story in the FBI advisory is the abrupt shift from theft to destructive vandalism. In most recent publicised breaches, the main objective was stealthy removal of valuable data – credit card numbers, etc. However, the attack on Sony appears to be quite distinct – while some theft of movie content did occur, the main attack was destructive. This has happened occasionally – for example, an attack on Saudi Aramco - but not generally with this force, applied to a US-based company. However, security professionals are well aware that this kind of attack is not particularly difficult – that, in effect, our infrastructure is very fragile. It seems the main reason most cyber thieves do not destroy assets is because they cannot make money by doing so; however, there are evidently other adversaries who do see benefit in this kind of vandalism. As a result, the Sony attack is a wake-up call for businesses – it explains why the FBI is warning organisations to review their defensive readiness, since a similar ‘IT bomb thrower’ can easily target their infrastructure to do similar damage.”

Steve Hultquist, chief evangelist at RedSeal, notes in an email to press that the attack also: “...underscores the reality that formal security architecture and defences have taken a backseat to other investments. As a result, organisations are vulnerable to attacks designed to destroy, steal, or observe and have very limited visibility into how, when, and for what purpose they occur.”

He adds: “Organisations must develop a stronger coordinated response to likely attack that includes stronger authentication than username and password, that distributes data so that it is harder to gather complete context, that divides the network into strict security zones, and automation to model the actual network to ensure effective placement of defences and fixes of any errors that create unapproved access. Leaving any of these undone creates a hole allowing attackers to steal, spy, and destroy.”
