Sony Pictures Hacker Attack: Lesson Not Learned

2014 was one of the hardest years in the history of IT security: we became witnesses to dozens of breaches followed by loss of sensitive data, payments, tears and suffering of numerous users. In December, the Internet exploded with the news of the Sony Pictures hack, which took place in the end of November, but remaining hot due to policital implications.

However, let us stay away from politics and try to investigate what happened from the technical side.

No one knows (except for the hackers) how exactly they broke through and when it happened first. Most hacks like this begin with a phishing attack, which involves sending emails to employees to get them to do one of the following: click on malicious attachments, or visit websites where malware gets downloaded to their PC automatically. Or they may have just hacked the company’s partners to make their phishing more trustable.

Sony didn’t learn the lesson of 2011, when the PlayStation Network was down for a few months. Moreover, they hid the fact that they had been hacked in the beginning of the year, and 47.740 e-mail addresses and birth dates of those who signed up to the Sonypictures.de newsletter have been compromised. Probably, the main attack started from the Sonypictures.de breach, and hackers had access to Sony Pictures network for about a year stealing sensitive information and preparing their destructive strike.

Again, like in 2011 Sony made hackers’ work much easier by storing passwords in a folder named “Password.” 140 files containing thousands of private passwords, stored in plaintext documents without protection of any kind – is this for real? Having accessed data, hackers wiped out all infrastructure using Trojan Destover malware, which is capable of wiping disk drives and MBR. Wiping systems are an effective way to cover up malicious activity and make incident response more difficult.

So how does the Destover work? The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. On the first run, it creates the ‘Backup and Restore Management’ Windows brmgmtsvc service, adds its own executable and sets a startup ‘-i’ switch. It also drops several copies of itself and starts each of them with a different switch: -m, -d, and -w. All of them try to connect to three IP addresses, process execution continues regardless of connection.

  • -m overwrites MBR, creating ‘usbdrv3.sys’ and starts usbdrv3 service ‘USB 3.0 Host Controller’. Creates filehandle with 64k strings of ‘0xAAAAAAAA’ also connecting to all other drives and overwrites them
  • -d overwrites data on all logical drives with ‘0x0df0adba’ 20k chunk with the exception of not .exe or .dll ones which are forced for deletion
  • -w stops the Windows Terminal Services, writes contents with JPG, HTML and WAV info (“Hacked by” page) out to ‘c:\windows\iissvr.exe’ and starts this process which listens on Port 80 and serves these files, after a two hour sleep, the original service restarts the machine with a call to ExitWindowsEx(EWX_REBOOT|EWX_FORCE, 0) which forces an exit but delays the shutdown while system state file creation occurs

Here are the Command and Control IP addresses utilized by this malware:

Block them on your firewall or IPS.

Sony did not secure their network, but it is hard to find out whether this means that Sony lacks security practices or this attack was inevitable. Securing a corporate network as large as Sony’s is really difficult. Joseph Demarest from FBI’s Cyber Division said that “the level of sophistication” of Sony Pictures attack was extremely high, the malware would have slipped or probably gotten past 90% of Net defenses that are out there today.

In most cases you can’t avoid an attack if the hackers are real professionals, but they can’t steal terabytes of information within seconds or even hours. Sony did not detect information leakage; probably they didn’t intently check their outbound bandwidth or audit their systems. Now we all see what the cost of such bad IT security behavior is.

So what IT Security specialists can do to lower down the chance of being hacked?

1. First and foremost – work with your employees, perform security trainings where you will explain people best security practices like how to manage their passwords. Warn people about phishing, social engineering. Be warned about rogue employees, try to detect or predict them as soon as it is possible.

2. Secondly, regular backups allow a company to recover from a destructive hacker attack in a short period of time, decreasing production downtime.

3. Finally, there is a need to invest more in IT security. It seems like a needless expense until a disaster strikes. But when it strikes, cleaning up the mess will cost you millions. Implement best security practices, (updates, tools, appliances, procedures etc…) make regular penetration tests, audit your systems, and always be prepared.


Jeff is a Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.