Spear phishing in North Korean waters

Ian Trump

Who would have thought the opening shot in the First Cyber War, would have been North Korea against the giant global company Sony?

Although the problem of accurate attribution to identify the party responsible for this “hack” has been somewhat dismissed by the media, there is circumstantial evidence to suggest the North Koreans are up to no good in cyberspace.

It would appear that Sony got badly hacked by a link in an email—a Phishing email. Whether it was targeted, and could therefore be called a Spear Phishing email, is as yet unknown. However, we do know it was enticing enough for more than one person to click on the link or open the attachment.

If you didn’t already know, Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises. Links within these messages usually direct you to a malicious website. Phishing scams are normally fairly easily spotted as they are crude social engineering tools designed to induce panic in the reader.

Spear Phishing attacks, on the other hand, are typically directed at specific individuals. These attacks are usually crafted or seeded with specific personal or institutional information in the hope of making the attack more believable. As such, they are often less easily dismissed.

Whatever the classification, we are talking about a pretty unsophisticated attack. This attack was not some super cyber weapon—it was a link, or attachment in an email containing malware. The malware then made life pretty miserable for a global company. Indeed, when this is over it will have cost Sony millions to clean up and the damages are already extraordinary.

I’m going to go out on a limb here, but some anecdotal evidence suggests that the email that caused this current breach was opened on a state-of-the-art (I’m kidding here) Lotus Notes platform running on Windows, possibly the no-longer-supported Windows XP.

This is not the first time Sony has epically failed at cybersecurity. In April 2011, the infamous PlayStation Network outage was the result of an "external intrusion" where personal details from approximately 77 million accounts were stolen, and users of PlayStation consoles were prevented from playing

How could this global company, which recently abandoned the laptop manufacturing market, have failed again, and so spectacularly?

Sony may have been hurt so badly this time that it may never recover. Several pre-release movies have been pushed to file sharing networks and in an odd twist of fate those file sharing networks have come under Denial of Service attacks, possibly to try and prevent the spread of the stolen works.

But why North Korea? In June, the country’s government expressed outrage over the upcoming movie "The Interview", which tells the story of two talk show hosts who are asked to assassinate Kim Jong Un. The official statement called the movie "undisguised terrorism," and threatened "merciless counter-measures". Sony Pictures was the backer of this project, and based upon the information coming to light it was also the victim of “merciless counter-measures.”

There is, of course, more substantial evidence that it was the North Koreans who sent this particular “email of doom.” The FBI released a restricted “Flash Alert” warning about an unnamed attack group that has been using malware designed to wipe computer hard drives.

The alert includes several file names and hashes corresponding to the file-wiping malware. The report also says the language pack referenced by the malicious files is Korean. Despite the fact the Command and Control servers were located in Thailand, Poland and Italy, these countries evaded blame from the media (how did those servers in those countries become compromised?). The government of North Korea, however, was a particularly easy target.

If you’re sceptical of North Korea’s Cyber warfare capabilities, a report by HP from September suggested the country was now a “credible threat to Western systems.” We may well have seen confirmation of that capability in the past week. Based upon the enthusiastic rhetoric of the regime it would seem like they managed to get cyber revenge. However, there is another shoe to drop.

The GOP, AKA Guardians of Peace, identified by the calling card they displayed on hacked systems, allegedly took far more than unreleased motion pictures. According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. This is truly devastating, as this information can be used for identity theft, fraud and perhaps, in some cases, blackmail—if a sensitive medical condition is revealed.

There are a lot of questions around how robust Sony’s security really was. We may never know the configuration and exact details of the security on the first computer that got compromised. What we do know is that clicking on links, or opening attachments in email can be extremely dangerous if adequate precautions are not exercised.

MAXfocus enables you to offer your customers a robust security service. To find out more, why not sign up for our free, fully-functioning 30-day trial?