You Didn’t Think the Sony Saga Was Over, Did You?

On November 24th, 2014, a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nationwide, showed signs that the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This started a long, twisting road for Sony as details of the hack came out for months afterward. The resulting fallout had considerable impact on Sony, their executives, and many others unaffiliated with Sony.

Risk Based Security covered this incident with an initial blog written on November 24, 2014, and updated 23 times, with the last update on February 22, 2015. We followed that up with what was to be a final piece on February 18, 2016, taking a look at a “Year After the Hack”. While we didn’t count Sony out for further news, large-scale hacks like this rarely see definitive attribution or any form of closure. We moved on, cataloging the thousands of other breaches that have happened since.

On September 6, 2018, news broke that the U.S. Department of Justice (DOJ) had announced charges and filed an indictment against a North Korean “spy” for his role in the hacking of Sony (and others) and the authoring of the WannaCry 2.0 malware (PDF of Indictment). The indicted, Park Jin-hyok (박진혁; a/k/a Jin Hyok Park and Pak Jin Hek), was charged with (1) a violation of 18 U.S.C. § 371 (Conspiracy), for conspiring to commit the following offenses: 18 U.S.C. §§ 1030(a)(2)(c), 1030(a)(4), (a)(5)(A)-(C) (Unauthorized Access to Computer and Obtaining Information, with Intent to Defraud, and Causing Damage, and Extortion Related to Computer Intrusion); and (2) a violation of 18 U.S.C. § 1349 (Conspiracy), for conspiring to commit the following offense: 18 U.S.C. § 1343 (Wire Fraud).

[Image: FBI Wanted photo of Park Jin-hyok (source: https://www.fbi.gov/wanted/cyber/park-jin-hyok/@@images/image/mini)]

According to the DOJ, Mr. Park is believed to work for North Korea’s Reconnaissance General Bureau (their equivalent of our C.I.A.). Specifically, the complaint alleges that Mr. Park is a member of the DPRK-sponsored hacking team known in the private sector as “Lazarus Group” (a/k/a Hidden Cobra), and worked for a front company named Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”) while conducting the activity.

You can read more about this latest development all over the media, including The New York Times, CNET, Motherboard, the Washington Post, Reuters, Bloomberg, and others. If you are a journalist, we sympathize with you!

Lazarus and the Lead Up

Since the news of the Sony hack slowly faded from public attention, one group suspected of involvement in the hack has remained active. Over the last few years, news and research about Lazarus Group has continued to come out. Looking back at a brief highlight of the history of these stories makes a North Korea indictment not so surprising.

  • Feb 24, 2016 – Several security companies created “Operation Blockbuster” and published a report detailing activity by Lazarus Group as well as signatures for many security products to detect and disrupt their activity.
  • Feb 24, 2016 – According to a new investigation, Lazarus Group has been conducting attack campaigns since at least 2009, and factored into the FBI’s conclusion that North Korea was behind the Sony breach.
  • Feb 13, 2017 – A “worldwide bank attack blitz” is linked to the same hackers who compromised Sony.
  • Mar 22, 2017 – A North Korean group is suspected of the theft of federal funds in Bangladesh. Lazarus Group was eventually linked to the February 2016 attack on the Bangladesh Central Bank, resulting in more than $850 million in fraudulent SWIFT transactions, $80 million of which had not been recovered.
  • May 15, 2017 – The WannaCry ransomware is said to have links to North Korea.
  • May 16, 2017 – Lazarus Group suspected of infecting as many as 300,000 computers across 150 countries using the WannaCry ransomware.
  • May 18, 2017 – Article titles definitively link Lazarus Group to Sony at this point.
  • May 23, 2017 – Multiple articles cite researchers saying that North Korea is “highly likely” to be behind the ransomware attacks.
  • Jun 13, 2017 – US-CERT issues an advisory about HIDDEN COBRA, the code name for North Korea’s DDoS Botnet infrastructure.
  • Jun 14, 2017 – Engadget publishes a summary article saying that North Korea has been “hacking everyone since 2009”.
  • Nov 20, 2017 – McAfee Mobile Research publishes findings linking Lazarus Group to new Android malware, installed more than 1,300 times.
  • Dec 17, 2017 – It is reported that Lazarus Group is targeting Cryptocurrency Executives in phishing campaigns.
  • Feb 12, 2018 – Lazarus Group pops back on radar, targeting both global banks and Bitcoin users in a campaign dubbed HaoBao.
  • Apr 30, 2018 – Servers are seized in Thailand due to their use in computer crime and have links to Lazarus Group.
  • Aug 23, 2018 – Continuing their targeted attacks on Cryptocurrency exchanges, Lazarus Group uses macOS malware for the first time.

Among the evidence used to link Mr. Park to Lazarus Group and its criminal activity are Bitcoin payments made as a result of WannaCry infections, the tracking of banking transactions related to the fraudulent Bangladesh SWIFT activity, and multiple links to North Korea-based IP addresses. It is clear from the affidavit that the FBI had been investigating throughout all of the news above.

What Happened with Sony Since Last Update

If you look back at our prior coverage, one consistent thing Sony dealt with during the breach was a steady level of drama. Since the last update, more information has come out pertaining to Sony, the breach, and the aftermath.

  • Feb 18, 2016 – Sony Entertainment CEO Michael Lynton resorts to sending faxes, still worried about emails being compromised.
  • Feb 24, 2016 – Ongoing analysis of the breach suggests the hackers were causing mayhem “years before” they hit Sony.
  • Apr 6, 2016 – A class action settlement related to the Sony hack gets final approval.
  • Jun 2, 2016 – A “strained relationship” and “infighting” between Lynton and Steve Mosko, chief of Sony’s television division, led to Mosko leaving.
  • Jul 28, 2016 – A lawsuit in Florida filed by Possibility Pictures complains that the Sony hack resulted in one of their movies being illegally distributed online.
  • Aug 11, 2016 – Seth Rogen defends Amy Pascal, despite her racist remarks, saying her termination was not warranted.
  • Dec 6, 2016 – Representative Adam Schiff, on the House of Representatives Intelligence Committee, says the U.S. failure to “retaliate strongly for the 2014 cyber attack against Sony Pictures may have helped inspire Russian hackers who sought to interfere in the 2016 U.S. election”.
  • May 11, 2017 – A story published on Gawker in 2015 was removed from their archive after pressure from Sony’s Michael Lynton due to the heavy quoting of emails stolen during the breach.
  • May 16, 2017 – Michael Lynton confesses that he wasn’t sure the studio would survive the hacking crisis.
  • Jul 8, 2017 – Amy Pascal, who was terminated by Sony due to racist emails, talks about living through the hack.
  • Aug 21, 2017 – A hacker group called “OurMine” claims it breached Sony’s PlayStation Network and stole information.
  • Aug 19, 2018 – Seth Rogen tells the media why he never felt guilt in his role in the Sony breach.

Attribution

We said in the original Sony blog series, and many times since, that attribution of a hack is difficult at best and often impossible. Tracking an attack back to a single person, especially a skilled attacker, presents many challenges that make law enforcement ineffective. In many cases, it is third-party security firms with research divisions that do a lot of the heavy lifting. They share this information with law enforcement and can often greatly improve the odds of attribution.

With Sony, it was curious to see who blamed whom in 2014 and 2015. Note that it was a fluid situation during the breach and the subsequent fallout, as different people and firms investigated, selectively sharing their findings (sometimes with media, sometimes with law enforcement). It caused a bit of flip-flopping in some cases for the Obama administration, while others took a stance early on and doubled down at every opportunity. Reading back through the articles, we have created a list of who attributed the hack to whom back then:

| Attributor                   | Attribution       | Date       | Source             |
|------------------------------|-------------------|------------|--------------------|
| North Korea                  | maybe North Korea | 2014-12-02 | BBC Article        |
| North Korea                  | not North Korea   | 2014-12-07 | New York Times     |
| Joe Demarest, FBI            | not North Korea   | 2014-12-09 | Reuters Article    |
| Unnamed Source               | Investigating China | 2014-12-15 | Deadline Article |
| Marc Rogers, CloudFlare      | not North Korea   | 2014-12-18 | Blog Post          |
| Marc Rogers, CloudFlare      | Sony Insider      | 2014-12-18 | Blog Post          |
| Obama Administration / FBI   | North Korea       | 2014-12-19 | FBI Press Release  |
| CrowdStrike                  | North Korea       | 2014-12-19 | CrowdStrike Blog   |
| Taia Global                  | Russia            | 2014-12-26 | NPR Article        |
| Norse Corporation            | Sony Insiders     | 2014-12-28 | Security Ledger    |
| James Clapper, DNI           | North Korea       | 2015-01-07 | Business Insider   |
| Seth Rogen                   | not North Korea   | 2018-04-15 | IGN Article        |


As you can see, attribution was all over the place back then, with what appear to be some mistakes as recent as April of this year (Rogen) and some relatively safe bets (Clapper, after seeing the evidence the FBI had). Perhaps the most fascinating are the Norse claims that a Sony insider was involved. That is actually part of a larger, more specific attribution they made at the time:

Speaking to The Security Ledger, Kurt Stammberger, a Senior Vice President at Norse, said that his company identified six individuals with direct involvement in the hack, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. The six include one former Sony employee, a ten-year veteran of the company who was laid off in May as part of a company-wide restructuring.

That is a very specific list of people, supposedly with evidence enough to make them go public, and doesn’t include a North Korean as far as they knew. Hopefully in the future everyone will get a chance to look at the evidence they collected, in light of the latest indictment, and see what happened.

Conclusion?

In this ongoing blog series, we frequently have the notion that we will wrap it up someday. With a criminal indictment and what appears to be definitive proof pointing to North Korea, it seems like this may be the time. But we’ve learned our lesson on these epic data breaches! If more develops on this story, we’ll be here to cover it.