US film and TV company Sony Pictures Entertainment has been hit by a blackmailing hacker attack that shut down its IT systems, hijacked Twitter accounts and likely stole confidential documents and passwords.
The attack was launched on Monday by the so-called ‘Guardians of Peace’ who reportedly posted a picture of a skeleton on the screens of every Sony Pictures employee worldwide, with the threat to expose the company's ‘top secret data’ if their demands were not met.
The scale of the breach is not yet clear. A Reddit posting by a claimed ex-employee of Sony Pictures that first broke the story suggests it could involve PDF, Word and Excel-based internal financial reports, production schedules, emails, private keys, passwords and, ironically, even a document on what to do in the event of a security breach. The post said: “All of Sony has been hacked.”
The attackers themselves said in a sometimes mis-spelled message: “Hacked By #GOP. We've already warned you, and this is just a beginning. We continue till our request be met. We've obtained all your Internal data, Including your secrets and top secrets. If you don't obey us, we'll release data shown below to the world. Determine what will you do till November the 24th, 11:00 PM (GMT).”
The message then listed a series of zip files showing the data that the hackers claimed to have obtained.
At the time of writing, Sony Pictures said only that it was “investigating an IT matter” and had not confirmed a data breach.
But the company was reportedly forced to shut down its IT systems on Monday to investigate the attack and later recovered control of several Twitter accounts.
This is the latest in a string of hacks against the Tokyo-based Sony Corporation, including the notorious 2011 breach of the Sony PlayStation Network that leaked 77 million user credentials and a previous hack of Sony Pictures itself, also in 2011, which involved the theft of 1 million passwords, emails and other data.
As a result, the company has been criticised by industry insiders for not doing enough to prevent another attack.
TK Keanini, CTO at Lancope, told SCMagazineUK.com via email: “Sony Pictures - and for that matter every other entertainment company - need to come to grips with the fact that they are now software companies having to implement the defensive measures of any other software company.
“When you look at the data that was allegedly taken, it ranges from financials, employees, entertainment product production files, etc. This suggests that either multiple systems were compromised or that a few people who were compromised had way too much entitlement to data.”
Graeme Batsman, security director of EncSec, told SCMagazineUK.com via email: “Sony was hit three years back so this is not great news.
“Passwords and private keys should be secured better, not just left within a directory with ‘strong’ file permissions. Integrity and security should be applied in the form of a password vault with two-factor authentication or encrypted with a special USB key. Thus if stolen, you need the physical key to open it.”
But Batsman said the attack “potentially is not as bad as past attacks and could harm Sony less”.
Analysing the data at risk, he said: “With the Target breach, a few days later end-users and maybe suppliers were phished. Data is the new gold and this could be the problem, not the passwords or keys.”
Highlighting similar issues, Keanini said the Sony attack should act as a “wake-up call” to other companies “because these events are here to stay in the information age”.
He advised: “Review what measures are in place so that this does not happen to you. If it has happened to you, how would you know?
“When thinking about the counter-measures for this stolen/disclosed information, one has to look at how easily changed this information is so that it can no longer be utilised.
“Passwords are only effective if they work - change the password or better yet employ two-factor authentication and this information is useless. Information on people and physical property is much less mutable and once disclosed, it is less feasible to render it useless.”
Batsman added: “Guardians of Peace has never or barely been heard of before, whereas Anonymous and LulzSec were/are activists. GOP seems money-oriented.”