Antivirus software powerless against Sony hackers

Dec 07, 2014 - Last updated at Dec 07, 2014

By Elizabeth Weise

USA Today (TNS)

SAN FRANCISCO — The malicious software that crippled Sony Pictures Entertainment (SPE) and resulted in the release of gigabytes of sensitive information was not something that even state of the art antivirus software would have picked up.

“This incident appears to have been conducted using techniques that went undetected by industry standard antivirus software,” the FBI said in a statement released Saturday.

In an e-mail to Sony staff obtained by USA TODAY, the security company analysing the attack said “the malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organisations of this critical threat.”

Kevin Mandia, CEO of Mandiant, the security firm, went on to say in his e-mail, “this was an unparallelled and well planned crime, carried out by an organised group, for which neither SPE nor other companies could have been fully prepared.”

The ongoing cyberattack against SPE began two weeks ago. Security experts say it could portend a new era in computer assaults — one of wanton destruction and the release of embarrassing and potentially devastating data to the world.

“This is a game-changer for us in the United States, this level of maliciousness is unprecedented. I’ve never seen it, ever,” said Jim Penrose, a former National Security Agency computer security expert now with Darktrace, a British security firm.

Sony is just the latest, and perhaps the hardest hit, in a long list of major US corporations assaulted by cybercriminals in the past year. They include Target, P. F. Chang’s, The Home Depot, Goodwill, Dairy Queen, JPMorgan Chase and the US Postal Service.

Despite corporations spending millions of dollars on network security and the rise of hundreds of computer security firms, the attackers keep getting through.

The cost to investigate, notify and respond to these attacks is devastating. The average cost to a breached company was $3.5 million in 2014, according to a study released this year by the Ponemon Institute, which conducts independent research on information security.

Companies then pass on those increased costs for computer security, notification and, in some cases, remediation to their customers, even if those consumers don’t even realise they’re being affected.

A staggering 43 per cent of companies worldwide have reported being breached in the past year, according to the Ponemon Institute. In addition, people whose credit cards or identities are compromised must also deal with replacement hassles and possible identity theft.

But the Sony hack takes cyberattacks to a new, alarming level. In fact, nothing like it has been seen since the so-called Wild West days of the 1990s, when teenage hackers sometimes destroyed systems just to show they could.

But in the ‘90s, when the Internet was tiny and had almost no commercial interest, “nobody even noticed”, said Tom Kellermann, chief cybersecurity officer for Trend Micro, a security software firm.

That is clearly no longer the case.

Today, Sony Pictures Entertainment has sales of $8 billion. A subsidiary of Japan’s Sony Corp., SPE’s global operations include the production of movies, TV shows and digital content. Its biggest franchise is Spider-Man and it is home to stars such as Seth Rogen, George Clooney and Adam Sandler.

“This is totally different, this is literally the equivalent of burning the building down — it’s a wake-up call about how bad it can get,” said Kellermann.

The Sony attackers, who call themselves the “Guardians of Peace” or the “GOP”, continue to taunt the company whose computer network they brought down on November 24. On Friday, a threatening e-mail was sent to employees warning that what had come before “is only a small part of our further plan”.

In somewhat mangled English, Friday’s e-mail told employees to “make your company behave wisely”. If they did not, “not only you but your family will be in danger”.

Some employees were told to shut off mobile phones and tablets, though some could still check e-mail.

Nothing is known about who the GOP are, what country they are from or what they want. Their messages would indicate they have some gripe with Sony and are making some demands on the company. But what those are isn’t publicly known.

There has been speculation that they might be from North Korea, with the attack a response to anger in that secretive dictatorship over an upcoming Sony comedy, The Interview, which stars Seth Rogen and makes fun of North Korean leader Kim Jong-un. North Korea has denied any part in the hack.

Regardless, the attack is a marked shift from what corporate America has become accustomed to.

Up until now, there have been four main types of attacks on companies. The most common are cybercriminals who steal credit card numbers, identification and other personal data and sell it on underground websites. The Target, Home Depot and JPMorgan attacks were all in this vein.

Often companies don’t know their networks have been breached until credit card numbers used in their stores appear for sale on underground criminal sites. The response has been to beef up internal security while offering customers identity theft protection and new credit cards — at a cost of millions of dollars and the loss of customer confidence.

Less common, but not unknown, are attacks by so-called hacktivists. They typically deface or take down the website of a group they want to call out. For example, activists recently knocked the website of the Ku Klux Klan offline and published the names of individuals they claimed were members.

Rarely reported, although widely discussed in security circles, are industrial espionage attacks that steal companies’ intellectual property, plans and customer lists. In Sony’s case, it appears that the attackers are putting all of the files they’ve stolen on publicly available websites, not keeping the data for future use.

“Whoever’s really behind it is doing it to do harm to Sony and to be punitive to the people who work for Sony,” Penrose said.

The least common of all, but most terrifying, are attacks by governments aimed at other countries. As far as is known, these types of hacks are rare.

The first well-documented case of such an attack was the Stuxnet computer worm in 2010. It was deployed specifically to attack the computers that ran Iran’s secret uranium enrichment programme. It is believed to have been launched by Israel with help from the United States.

As far as is publicly known, the attack on Sony Pictures Entertainment is different from all of these.

“These guys didn’t make any demands, they didn’t want money. They just wanted to watch the world burn,” said Tom Chapman, a former navy intelligence officer who is now director of operations at computer security firm EdgeWave in San Diego.

The attackers first crippled and erased the hard drives on Sony computers and destroyed its network infrastructure. Even two weeks in, employees are being told not to open their laptops, out of fear of erasing data.

“The destruction is a brand-new level of assault that companies haven’t had to deal with before,” Chapman said.

Part of the assault has included posting five Sony films on illegal sharing sites. They include the forthcoming Annie, Still Alice, Mr. Turner and To Write Love on Her Arms, as well as Fury, which is already in theatres.

Despite all this, publicity efforts continue largely uninterrupted for Annie and The Interview. The Annie junket is complete and the premiere is in NYC on Sunday. The Interview will hold its premiere in Los Angeles this Thursday.

Though employees have been shaken, “the general sentiment is a strong resolve to get through this and not let them get to us”, says a Sony source unauthorised to speak publicly about the situation.

Even so, Friday’s message from the GOP to Sony is chilling to the rest of corporate America. Every computer network contains something damaging, dangerous or simply embarrassing enough to bring down an executive, a division or an entire company.

The GOP’s Friday file dump ended with this line: “The data to be released next week will excite you more.”

If 2014 was the year of the breach, 2015 could be the year of obliteration.
