


The Sony Pictures Hack Is the Latest in Mega-Malware Trend Started by Stuxnet

Tracing the similarities of the Sony malware back to an attack against a Saudi oil company in 2012, and then further down the time warp to Stuxnet.
Image: GOP Facebook

A mysterious and incredibly destructive cyberattack against Sony Pictures Entertainment, the corporation's motion picture and television division, by a hacking group known only as the Guardians of the Peace (GOP), has received plenty of mainstream attention as of late.

The GOP was an unknown hacker group before last week, but reports of the attack began to emerge after a '90s-hacker-movie-style image of a CGI skeleton was splashed across the office computers of Sony employees.


That splash image included several links to stolen data taken from the Sony network, and Sony has since hired cybersecurity firm Mandiant to help clean up the mess.

The initial GOP leak was a list of file names—somewhere around 40 million—that the GOP has claimed to have stolen from Sony.

According to the list, the GOP has seemingly swept up confidential information of Sony employees indiscriminately, based on filenames like "Marriage Certificate0001.JPG" and "Wells Fargo account details.jpg."

Other files indicate GOP may have taken at least hundreds of contracts, given the names of many PDFs that appear to be signed agreements with entertainers like Queen Latifah and with various television stations for Seinfeld syndication deals.

It seems the GOP is hellbent on leaking the entirety of Sony's data.

After publishing those filenames last week, the GOP hackers followed up yesterday by releasing several movies stolen from Sony's network, putting them online unusually early even by the standards of regular online piracy.

Fury, the Brad Pitt-fueled war movie that's still in theaters, was stolen and released in DVD screener quality. And Annie, an unnecessary remake of the lovable orphan franchise, was thrown online weeks ahead of its actual release.

Then, late last night, another archive of material was published; this one is 25GB of compressed information, which will expand to considerably more once it is uncompressed for review. The GOP claims this 25GB chunk is only a fraction of the 11TB they've been able to obtain, which is a massive, albeit unconfirmed, amount of data.


To put it in perspective, the first Chelsea Manning leak, which was referred to as the largest intelligence breach in American history before Snowden, was 1.6GB.

Within another public Pastebin post, which was forwarded to select members of the media yesterday, links to the cache were published with multiple mirrors, to serve as contingency plans when links go dead. A warning appears above the links to the massive amount of stolen information: "These include many pieces of confidential data."

Current speculation suggests these GOP attacks are from North Korean state actors trying to get revenge on Sony for making The Interview, a comedy about assassinating Kim Jong-un. North Korea does have the ability to launch a cyberattack of that scale, but the country's involvement is unconfirmed.

Regardless, the American government has started to take this attack seriously. Yesterday the FBI released a "flash warning" to several American corporations, cautioning them about the malware and encouraging them to come forward if they experience similar network-crushing infiltrations.


In a report about that FBI warning, Reuters sources compared the malware used by GOP against Sony to malware used against Saudi Aramco, a Saudi oil company, in 2012.

This is where things get a little crazy. The Saudi Aramco attack was described by the New York Times as Iran "firing back" against US cyberwarfare. The motive attributed to the Iranian hackers appears twofold: lashing out against a Saudi embargo on oil trade with Iran, and striking at one of America's primary oil partners.


To be clear, it has not been confirmed that the Saudi Aramco attack and the latest GOP attack are related. But it is notable that the two share superficial similarities: in both cases a huge network of computers had its data wiped remotely (the affected computers at Sony can only be repaired by physically replacing the hard drives or re-imaging them).

And like the Sony attack, Saudi Aramco's systems were also modified to display a particularly jarring image. Per the Times: "The virus erased data on three-quarters of Aramco's corporate PCs—documents, spreadsheets, e-mails, files—replacing all of it with an image of a burning American flag."
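One forensic check this pattern suggests: when a wiper replaces every document with the same payload (the burning-flag image the Times describes), unrelated files across a tree end up byte-identical. The script below is an added example, not code from the article or from any of the groups it discusses; it hashes a directory tree and flags any content hash shared by several files of different types, which is far more likely to be a mass overwrite than ordinary duplication. The sample tree and the fake JPEG-like payload are constructed inline for the demonstration; `threshold` and the "two or more extensions" rule are the example's own heuristics.

```python
"""Triage helper: find files whose contents were replaced with one shared payload.

Added example (not from the article). After a Shamoon-style wipe, many files
with different names and extensions contain identical bytes. We hash every
file under a root and report hashes shared by at least `threshold` files
spanning at least two extensions.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_mass_overwrites(root, threshold=3):
    """Return {sha256: [paths]} for digests shared by >= threshold files
    whose names carry at least two different extensions."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                by_hash[hash_file(path)].append(path)
            except OSError:
                continue  # unreadable file; skip rather than abort triage
    suspicious = {}
    for digest, paths in by_hash.items():
        extensions = {os.path.splitext(p)[1].lower() for p in paths}
        if len(paths) >= threshold and len(extensions) >= 2:
            suspicious[digest] = sorted(paths)
    return suspicious


def build_sample_tree():
    """Constructed sample data (hypothetical, not from any real incident):
    two intact files plus four 'wiped' files sharing one fake JPEG-like payload."""
    root = tempfile.mkdtemp(prefix="wipe-triage-")
    payload = b"\xff\xd8\xff\xe0" + b"PLACEHOLDER_IMAGE_BYTES" * 64  # fake image
    intact = {"notes.txt": b"quarterly notes", "budget.xlsx": b"PK\x03\x04 sheet"}
    wiped = ["contract.pdf", "salary.docx", "memo.txt", "deck.pptx"]
    os.makedirs(os.path.join(root, "finance"))
    for name, data in intact.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    for name in wiped:
        with open(os.path.join(root, "finance", name), "wb") as f:
            f.write(payload)
    return root, payload


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for digest, paths in find_mass_overwrites(sample_root).items():
        print(f"{len(paths)} files share content {digest[:12]}...")
        for p in paths:
            print("   ", p)
```

Run it against a mounted image of an affected disk instead of the sample tree; genuine duplicates (copies of one template) usually share an extension, which is why the check also requires the matching files to differ in type.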

Responsibility for the attack was claimed by a similarly named group, "Cutting Sword of Justice" (CSoJ), which, just like the Guardians of the Peace, does not appear to have taken credit for any other attacks. Though CSoJ published numerous Pastebin documents about the attack at the time, it has not re-appeared (under that name, at least) since.

Whether or not they're related from a technical standpoint, it's interesting to see massive malware attacks utilizing such broad-scale, destructive methods—a trend that's not limited to these two incidents.

The virus used by CSoJ against Saudi Aramco was called Shamoon, and according to several security experts, Shamoon may have been developed using stolen code from a cyberespionage tool called Flame, which at one time targeted predominantly Iranian computers and has been called a "follower of Stuxnet."


Shamoon's destructive module even shares a name, Wiper, with a Flame component, but the two are not clones of one another: the code is different, and Shamoon's Wiper is considered a "copycat" of Flame's rather than a copy of it.

Of course, Shamoon and the GOP attack come after the 2010 advent of Stuxnet, a highly complex American-Israeli computer worm aimed specifically at Iran's nuclear facilities. Stuxnet's code ended up being reused and repurposed in a variety of different malware programs, like Duqu, which used leaked Stuxnet code to create an information stealing program.

But Stuxnet was just the beginning. Flame was described by Wired as a cyberweapon that "makes Stuxnet look cheap," by the cybersecurity firm Kaspersky Lab as "one of the most complex threats ever discovered," and by BBC sources as "an industrial vacuum cleaner for sensitive information."

While Stuxnet was designed to do one specific but nonetheless daunting task—destroy centrifuges used for Iran's nuclear program—Flame is more of an all-in-one cyberspying suite that aims to steal as much data as possible.

In the New York Times' story about the Iranian attack on the Saudi Aramco network, Flame is described as having been set up in order to constantly be "siphoning data from computers" in Iran. Shamoon and the GOP attack seem to share similar goals.


Links have also been made between these attacks and a string of cyberattacks by a group called DarkSeoul, which targeted South Korean banks and shut down ATM access for millions of customers.

While South Korean media has blamed North Korean hackers, Symantec's analysis could not conclude that the North Koreans were responsible. Symantec did, however, point out the rarity of the malware used by DarkSeoul, saying it had seen only two other forms of malware like it: Shamoon and Stuxnet.

Given the stark similarities between the GOP attacks, the Saudi Aramco attacks, and the DarkSeoul attacks, it appears that the American-designed Stuxnet began a chain reaction of incredibly powerful malware, most of it likely developed by state actors. So whether or not North Korea hacked Sony over a movie-related beef, the influx of advanced cyberweapons will likely produce continuing escalation of broad-scale malware attacks.