Internet events in the last few months – most notably the Sony hack and its fallout – have marked a turning point in the perception of cyber-risk. This is true not only at the private-company level; major concern is now also being expressed at the government level, with US President Obama devoting part of his State of the Union speech to addressing cyber threats.
The reason for the changing view is the marked escalation in the damage hackers were willing to inflict on a private company – Sony Pictures Entertainment (SPE).
In marked contrast to the large hacks of Target and Home Depot earlier last year, and the recent attack on Anthem Insurance, where personal information including credit card data was stolen for financial gain, the attack on SPE appears to have been much more about public humiliation of the company.
The hacking group calling themselves the Guardians of Peace (GOP) first exfiltrated more than 100 terabytes of commercially sensitive data, including unreleased movies, finance details, confidential HR documents and entire archives of email (among them embarrassing negotiations with many Hollywood celebrities), and dumped everything online for anyone to see, whereupon it was gleefully published by the world’s press.
The wiper malware planted by the hackers then erased the thousands of computers and servers that were switched on and attached to the company’s network, leaving only a screen with a skeleton image and the words “Hacked by #GOP”.
SPE’s CEO Michael Lynton likened it to stealing all your possessions and then burning your house to the ground. The attack plunged SPE into an almost pre-digital age of paper memos, temporary email accounts and BlackBerrys unearthed from the basement of the company’s HQ. It took something like two months before the company was fully online again.
North Korea the culprit?
The US government has, for the first time, publicly laid the blame for the attack on a foreign state actor – the Democratic People’s Republic of Korea (DPRK). The claim is vigorously denied by the North Korean regime, though it championed the attacks when they occurred, owing to the hackers’ demand that the movie “The Interview”, a comedy poking fun at the regime, not be released in cinemas.
The attribution to the North Korean regime is, however, a somewhat contentious issue, with several high-profile security researchers raising doubts about such a clear-cut assertion. Despite the seemingly straightforward narrative that the hack was retribution for making and releasing “The Interview” (at one point threatening 9/11-like consequences and leaving the majority of picture theatres too scared to show the film on its opening date), the original demand email signifying the start of the hack on 24 November made no mention of the film at all. It appears that it was only after links to the film had been conjectured in the press that demands targeting its release were made.
Furthermore, once it seemed maximum entertainment value had been squeezed from this demand, the GOP changed their mind and stated that it would be OK to release the movie after all.
Perhaps more telling was that analysis of the malware’s internals revealed lists of hard-coded server paths and passwords, indicating a deep knowledge of SPE’s internal IT architecture, something that seems more likely to be the result of privileged insider knowledge.
The alternative narrative offered was that the hackers were associated with disgruntled ex-employees out for revenge. Revenge certainly seems a more likely motive, given that the design of the malware appeared to be aimed at maximum disruption, whilst the release of the data into the public sphere rendered it valueless. And indeed there has been a long, ongoing period of large staff layoffs since the 2012 announcement of a massive three-year cost-cutting restructuring across all divisions of Sony, reducing its workforce by over 10,000 employees.
Attribution is hard in cyber attacks
For now, the attribution question has to be left unresolved. The FBI, with support from the National Security Agency’s (NSA) signals intelligence (SIGINT) on North Korea, has said it has convincing evidence that the hack originated from the elite cyber unit inside the DPRK known as Bureau 121.
The Obama administration deemed this enough to impose further sanctions on North Korea. Frustratingly, the publicly revealed parts of this evidence seem fairly flimsy, and for now at least the full evidence, such as complete logs, will not be forthcoming. Many are also not prepared to take the FBI at its word after past grave intelligence failures such as the evidence for WMD in Iraq.
Moreover, in the sphere of cyber-attacks, attribution is hard. Not only is the actual evidence gathering difficult, there being many techniques for anonymising or spoofing internet addresses and credentials, but the hacking groups themselves are not necessarily neatly defined national groups sitting in a single location. Often they are more amorphous groups spanning multiple countries, united by some common cause (and often only loosely united at that), with infighting and splinter groups producing contradictory threats and attacks.
Knowing the how rather than the who
In practical terms, a much more important question is the “how” rather than the “who”.
The hacking ploy used against Sony was standard, almost mundanely so: a spear-phishing attack gained the credentials of at least one high-level administrator, which allowed data to be stolen and the damaging malware to be placed throughout Sony’s network.
Even the wiper malware itself was known beforehand: it appeared to be an improved version of Shamoon, which had hit the oil and gas sector in 2012, most notably the Saudi arm of Aramco. A year later, in 2013, it was used against South Korean banks and TV stations, and a month after that in a series of damaging cyber-attacks across South Korea, where it was known as “DarkSeoul”.
So, despite SPE’s security provider and the FBI largely absolving SPE of responsibility for the attack, many independent observers have highlighted some pretty sloppy security practices and wondered how exactly it went unnoticed that such a huge volume of data was leaving the network.
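As an added illustration (not code from the article or from Sony), this is the kind of egress-volume check that would surface a multi-terabyte outflow of the sort described above: each host’s daily outbound byte total is compared with the median of its preceding days, so a single day of unusual bulk transfer stands out. The hostnames, dates and volumes are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed daily egress totals: (day, internal host, bytes sent to external addresses).
# fileserver-01 normally pushes ~40 GB/day; on 2014-11-21 it sends 9.8 TB (constructed spike).
EGRESS_TOTALS = [
    ("2014-11-17", "fileserver-01", 42_000_000_000),
    ("2014-11-18", "fileserver-01", 39_000_000_000),
    ("2014-11-19", "fileserver-01", 45_000_000_000),
    ("2014-11-20", "fileserver-01", 41_000_000_000),
    ("2014-11-21", "fileserver-01", 9_800_000_000_000),
    ("2014-11-17", "ws-0042", 1_200_000_000),
    ("2014-11-18", "ws-0042", 900_000_000),
    ("2014-11-19", "ws-0042", 1_500_000_000),
    ("2014-11-20", "ws-0042", 1_100_000_000),
    ("2014-11-21", "ws-0042", 1_300_000_000),
]


def egress_by_host(records):
    """Group (day, host, bytes) records into {host: [(day, bytes), ...]} sorted by day."""
    by_host = defaultdict(list)
    for day, host, nbytes in records:
        by_host[host].append((day, nbytes))
    return {host: sorted(series) for host, series in by_host.items()}


def flag_egress_spikes(records, window=7, factor=10.0, min_history=3):
    """Return (host, day, bytes, baseline) for each day whose outbound volume exceeds
    `factor` times the median of that host's preceding `window` days.

    A median baseline is used so that one earlier burst cannot mask a later one.
    Hosts with fewer than `min_history` prior days are skipped rather than guessed at,
    which avoids false alarms from freshly provisioned machines."""
    alerts = []
    for host, series in egress_by_host(records).items():
        for i, (day, nbytes) in enumerate(series):
            history = [b for _, b in series[max(0, i - window):i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if baseline > 0 and nbytes > factor * baseline:
                alerts.append((host, day, nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, baseline in flag_egress_spikes(EGRESS_TOTALS):
        print(f"{day} {host}: {nbytes / 1e12:.1f} TB out vs {baseline / 1e9:.1f} GB/day baseline")
```

In practice the daily totals would be produced from flow records (NetFlow, proxy or firewall logs) rather than a hard-coded list, and the threshold tuned per host class.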
Claim made against cyber insurance
Although there is still more to play out in this story, SPE is forecasting a US$35 million loss over the next year, covering damage, investigation and repair of systems affected by the hack.
This amount, Mr Lynton claimed, is easily covered by the firm’s cyber-insurance, though some lawyers have suggested that those covering the loss will be carefully scrutinising the fine print of these contracts in light of Sony’s lax approach to security.
A further complication may well be whether the attack could be classified as cyber-terrorism, for which some cyber cover includes exclusions, and whether protection might fall under the Terrorism Risk Insurance Act (TRIA), only recently extended by Obama after it lapsed at the end of 2014.
The direct damage to systems is, however, surely only a very small part of the loss sustained at SPE. The business interruption resulting from the extensive downtime, liability for the exposure of personal information (for which SPE is already a defendant in a growing number of lawsuits) and the reputational damage from the exposed personal communications would appear to be of much greater consequence. The revelations of confidential emails, aired in the press in the most embarrassing way, have led to SPE’s Co-Chairman Amy Pascal stepping down from her post.
Need to improve security practices
The aftermath of the attack has seen major growth in the demand for cyber insurance.
The particularities of the hack also mean we are likely to see an evolution of the security policy requirements for cover as well as a tightening of what exactly is covered. Expect to also see more regulatory compliance requirements in the cyber arena.
President Obama has just signed an executive order promoting the sharing of cyber-security data in the private sphere and the creation of an agency, the Cyber Threat Intelligence Information Center (CTIIC), to manage the process.
The hope is that all of this will lead to a concomitant improvement in companies’ security practices. It should certainly prove to be a boon for cyber security consultancies and incident response teams. The Sony hack has indeed been a game-changer.
Dr Foster Langbein is CTO – Software Architect at Risk Frontiers, Macquarie University.