CyberWire Daily - The Sony hack and the perils of attribution. [Research Saturday]

Episode Date: December 15, 2018

Researchers at Risk Based Security took a detailed look back at the 2014 Sony hack, comparing analysis that occurred while the facts were still unfolding with what we know today. There are interesting lessons to be learned, especially when it comes to attribution. Brian Martin is V.P. of vulnerability intelligence at Risk Based Security, and he shares their findings. The research can be found here: https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context,
Starting point is 00:02:16 simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. So one of the offerings that RBS or risk-based security does is data breach tracking.
Starting point is 00:02:50 That's Brian Martin. He's the VP of Vulnerability Intelligence at Risk-Based Security. The research we're discussing today is titled, You Didn't Think the Sony Saga Was Over, Did You? As it sounds, you basically look for any data breach where there was a loss of information from a company. And it doesn't matter to us whether it was an outside hack, an insider, lost media, we track it all. And we basically aggregate that information, wrap metadata around it, and then do a wide variety of analytics. So the customers that use that data can basically look at what it's like in their industry, are there increased attacks against people in the same verticals, etc. So when we were looking at the Sony breach, we were looking at some of the
Starting point is 00:03:38 interesting facets like obviously the attribution, who did it. Then a lot of security companies started chiming in saying it was North Korea. Others said China. Some said internal employees. There was a wide variety of suspects and ideas behind it. Because of the breach, what it impacted, by that I mean the internal emails and media leaks, movies, you name it. I mean, Sony basically just got ransacked. But the internal emails alone made it a lot more interesting for people because you got a good glimpse at how Sony operated kind of day to day at the executive level. And some of it was not easy to read. It was kind of messy. There were some emails that were considered largely racist.
Starting point is 00:04:30 There was a wide variety of emails regarding actors and prices that they got paid, and there was disparity between male and female actors. So yeah, there were a lot of different nuances to this breach that went way beyond the technical, beyond, okay, who hacked them? And it really became a huge social issue. So with all of that coming down day by day, we started to kind of track it and do a roundup of the news and kind of our commentary on it. And we ended up doing, I think it was 23 updates between November 24th, 2014 and February 22nd. So over two months, we did a lot of commentary.
Starting point is 00:05:14 And then in 2016, we kind of did a looking back a year after the hack and after everything had died down. And then more recently, last month, news broke that the U.S. had identified one of the actors behind the attack and it was a North Korean government operative. So once the bad actor was identified, it was interesting to us to go back to the original stories to see which security companies had predicted which bad actors were
Starting point is 00:05:47 involved. And we kind of re-examine that to see how many of them had said North Korea, how many had said China, how many said internal, and kind of point out, well, this is once again, the hard part about attribution for any kind of computer attack. Yeah, and I mean, I remember back in 2014, there was this notion of this group called the Guardians of Peace, and then it flipped all over the place. Like you mentioned earlier, there was speculation that it was all internal, that there weren't any foreign actors at all. Then over time, it seems like we landed on this group, the Lazarus group. Can you describe to us how did we get to that point and what do we know about them? So the buildup, obviously some people suspected that North Korea was involved originally.
Starting point is 00:06:36 The fact that North Korea was actually in the press making statements at one point saying, maybe it was us, maybe it wasn't, and then later denying it. There was clearly some evidence that pointed that direction, technical evidence, and it was found by both private companies and U.S. law enforcement. So between that and the notion that it could have been, over the past roughly two years, what is known as the Lazarus Group has been active in several other campaigns. And we created a quick timeline of the lead up between February 2016 and August 2018. So right before the North Korean was positively identified. And it shows the Lazarus Group not only engaging in a wide variety of campaigns, but a lot of them were based on stealing money, whether it was Bitcoin or the Bangladesh central bank heist.
Starting point is 00:07:31 They're believed to be behind a wide variety of group is part of this campaign. And now we're seeing even more indications of that campaign at some of the same technical footprints that were related to Sony. And so basically, kind of behind the scenes, even though a lot of this was public and one-off articles, I imagine behind the scenes, the FBI and any other law enforcement agency investigating were compiling this evidence. And it was basically just slowly building up and painting this picture that one way or another, North Korea was involved. Yeah, it's interesting. I think one of the aspects is that generally when we think of North Korea, they're after money. They're looking to fund their operations. And the Sony hack, as you say, there was a lot of intrigue there, perhaps not so much
Starting point is 00:08:27 on the financial side. Yeah. When the Sony breach happened and the fallout shortly after, there was a lot of speculation that North Korea was involved because it related to the Seth Rogen movie centered around North Korea. And that movie portrayed essentially the assassination of Kim Jong-un. So some people thought, oh, this is a pure revenge hack. And that's why the hack was also centered around embarrassing Sony and stealing IP and media or movies or whatever. It was a lot of the follow-up activity, whether it was the ransomware, the Bangladesh heist, or later targeting cryptocurrency exchanges and executives, that you saw this clear pattern where pure financial incentive was involved. It's interesting that the Department of Justice named a specific person for a couple of different directions, I suppose. First of all, I mean,
Starting point is 00:09:28 what is your take on that? The fact that they did that, how do you interpret that? So to me, this is interesting. With a operation that big and the Lazarus group, there's certainly more than this one person involved. You know, they're probably going to have at least half a dozen, maybe a dozen, who knows, several dozen people. There's going to be a command structure that basically guides them or suggests what they should be targeting. And for them to name one person, maybe somewhat political, that the U.S. wants to say, hey, look, we know you're involved. Here's proof. Here's a showing that we've got certain information. And you can read between the lines that we have a lot more than this. So it may be a way for the U.S. to basically fire a shot across the bow, so to speak, and say, back off.
Starting point is 00:10:19 We're on to you. We're watching. We know a lot more than you think. Yeah. And what is your response? I mean, I've certainly heard criticism from folks from a policy point of view who suggest that, what if the shoe were on the other foot? What if the North Koreans or the Russians or any of our adversaries in cyberspace did the same thing to us and put up a photograph of a United States person who was working at NSA or one of our other agencies, how would we respond to that? It'd be interesting. I think the U.S. would respond differently based on the agency. I think it would be a very different response, for example, from the NSA, which would be mostly silence or if they were compelled to release a statement versus what
Starting point is 00:11:00 the White House might say versus the FBI or versus any of our diplomats. You know, this has been a cat and mouse game for many, many years between all of these countries. Basically, any modern country has a capable group of doing this level of intrusion. And we all know it. And each country knows that the rest of them have capability. So this kind of folds into what many people call the cyber Cold War, which is in some ways reminiscent of the original Cold War. But in many ways, it's different because of the speed of the information, the style of attack, basically the potential impact behind all of the attacks as well. So I fully expect this to happen to the U.S. at some point and to probably happen to China, Russia,
Starting point is 00:11:54 some of the European nations, which a lot of people forget maintain the same type of group. And some of those European nations are well known for their espionage capabilities. It'll be curious to see if this becomes a tactic just as kind of a, okay, we caught you on this one, back off a few. We know you're going to continue, but publicly you have to kind of eat some crow and lay low for a bit. Now take us through what has taken place with Sony since the hack? What's been the long-term fallout? So after the breach, within the first year or two, some of the Sony executives, even a year or two later, still didn't trust digital media and resorted to using fax machines more. They were unwilling to put certain information in emails at all.
Starting point is 00:12:44 I imagine the amount of phone calls and in-person meetings went up drastically. There were several class action lawsuits filed in 2014 and 2015. At least one of them reached a settlement, probably more. have time to dig into all the lawsuits because there were so many of them. There were at least one or two executives that were pushed out or pressured to resign for various reasons. There was also a doubt from some of the executives whether the studio would be able to survive at all. And that came out years later when journalists asked and said, hey, you know, in the past few years, what did you think of the hack? And it's kind of telling that an executive would say, hey, that one breach had the potential to shutter the entire studio. And it's interesting because we often see these huge data breaches, most recently Facebook. And we know about Equifax, and these insane numbers of records that are taken. And for the most part, no one thinks that any of those companies are
Starting point is 00:13:52 going to fold. Typically, what we see is that if they're a public company, their stock takes a hit. And within three months, the stock is back up to where it was. And in some cases, it actually goes up after that. So the notion that this kind of hack could completely destroy a business to that degree for a business this size, it's fascinating. And what do you suppose the takeaway lessons have been for the professionals in the cybersecurity industry when they look back on this and what has happened since, how does it inform their actions? My number one hope is that the companies and the researchers that are operating in this area will be a little slower to jump to attribution. Because as we saw, there were quite a few companies and researchers that, at least based on what we know now, got it completely wrong. Others were correct.
Starting point is 00:14:48 But we also don't know the extent of the Lazarus group right now. The government identified one person, but we don't know a lot beyond that. Or what we do know isn't quite as public, or it may be classified. So attribution can be important, but it's also one of the things that if you jump to a conclusion, obviously it doesn't look so good for your skills and your investigation, but it can also cause political fallout. In 2014, as I mentioned earlier, we saw North Korea making public statements to the news. And in one of them, they said, maybe it was us. And then they denied it.
Starting point is 00:15:30 So even just leveling accusations like that can increase some of that tension and could have more fallout down the road. So in this case, for example, let's say someone had said, oh, it's China, which I believe a few people did. And China has to issue a denial. But then what if some of their command structure says, okay, screw those guys. If they're going to blame us, we're going to hit back anyway. There's just a lot more that could be at play.
Starting point is 00:16:00 The other big takeaway to me is that the announcement of the one actor took over two years. And that gives us a good look at the amount of investigation that has to go into this. And basically, what it takes to be sure that you've got the right person enough to publicly say it like that from the Department of Justice. You know, behind the scenes, that investigation had to have been absolutely incredible. It's interesting to me, I'm curious on your take, this notion that perhaps sometimes companies find it helpful to kind of take cover behind the notion that if they were attacked, well, it must have been a nation state and surely you can forgive us because who would have the resources to defend themselves against a nation state? Absolutely. And we've been seeing that for years now where as soon as a breach happens and the company identifies that it was an external hack, basically the default is to blame APTs, Advanced Persistent Threats, or nation states. And it's really easy to throw that out there because it might be true. And you don't even need to do attribution beyond that. You don't need to
Starting point is 00:17:11 say China, North Korea, or Russia. You just have to say, wow, it was a nation state or it was an APT. There's no way we could have defended against that. In many cases, they're right. These groups, and they are in their name, APT, for a reason. They're effective. And if they want to get into an organization, the odds of them doing it are extremely high, bordering on 100%. What are we seeing in terms of follow-up from the companies that are insuring these companies? I can imagine if I'm the insurance company covering someone like Sony and a big hack like this happens and an organization like Sony or another one says,
Starting point is 00:17:53 oh, this was some sort of nation state, we couldn't have protected ourselves against them. If I'm the insurance company who has to write a check in response to this, well, I'm certainly going to go in and do my due diligence to try to find out, was it Sony or, you know, was it the disgruntled janitor with a laptop? Absolutely. And so since the whole cyber insurance thing is relatively new,
Starting point is 00:18:18 there's a lot of data points that we just don't know since a lot of these policies aren't public in any fashion or there are rumors. But this story, the whole saga around Sony is interesting because if their insurance company paid out early, and by that I mean even in 2015 or 2016, that's still two years before there was positive attribution. So as you said, it makes you wonder what the due diligence looks like. Did the insurance company send in their own investigative team with computer forensics experts to try to determine that? Did they figure out some of that before any of the law enforcement statements? Or perhaps did they kind of come back saying, well, it very much looks like an external,
Starting point is 00:19:06 but we don't know the extent. We don't know who. Could have been a kid in the basement. Could have been APT. Could have been nation state, whatever. I have a feeling that it's going to make some of the insurance companies revisit their policy and perhaps their timetables on when to pay out. Because if we see more and more of these investigations that take ultimately four years, then yeah, why would an insurance company be so quick to pay out if years later, it turns out, nope, it was an insider
Starting point is 00:19:37 or nope, it was complete negligence. Right. It's one of the areas that I hope we see more data and more journalism cover it, where the journalists specifically go down that path with the company and their spokespeople and say, okay, let's talk about your insurance. Did you have it? What was the policy like?
Starting point is 00:19:56 Did you get paid out? What was the disposition according to the insurance company? And with that kind of data, we could actually start to track more and more of those trends. And that in turn would also be of value to the insurance companies, obviously. Our thanks to Brian Martin from Risk-Based Security for joining us. The research is titled, You Didn't Think the Sony Saga Was Over, Did You? You can find it on the risk-based
Starting point is 00:20:27 security website. We'll have a link in the show notes. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:20:46 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Starting point is 00:21:40 Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
