Research, demonstrations, and popcorn

Regarding the Sony Hack…

Okay, I have to be careful about how I write this and how much to say.  I don’t mean to make that sound exaggeratedly clandestine, but by the very nature of information security, it makes sense not to disclose anything that is not already public.

But… let’s get this show on the road.

Sony was not the first company in the USA to be hit by these hackers.  Contrary to what most people think, the hackers are not in North Korea.  They are a skilled group of hackers that work for a third-party government that the DPRK hired.

Each attack follows the same operating procedure.  They start with spear-phishing employees of the given network.  This is almost always done against users of a certain instant messaging and collaboration tool.

Once several accounts have been gathered, they move on to expanding their access to the network.  Once access is gained to the network, the primary targets are the domain controllers.  In most cases, the infection is significant enough that the DCs need to be physically replaced.  Several Trojans are installed in order to re-infect in the event that a single Trojan is detected and removed.

After domain controllers are taken care of, the hackers move on to scanning the network for open shares.  Files are indexed and scanned for service account information and database account information.

The next targets after this are the database servers.  Any data connection accounts found during the scanning, or servers found to have open access to authenticated users, get exploited.

If network or storage admins are smart enough to look at the data throughput metrics regularly, it is easy to see a significant jump in traffic that begins with an EXTREMELY high spike in throughput.  The traffic then levels off, but it does not end: it stays significantly higher than it was before exploitation.
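The throughput signature described above (a sharp initial spike, then a plateau that never returns to the old baseline) can be checked mechanically against interval throughput samples. The following detector is an added example, not code from the original post; the thresholds, window sizes and the two sample series are constructed assumptions for illustration.

```python
from statistics import median

def detect_spike_then_plateau(samples, baseline_len=12, spike_factor=8.0,
                              plateau_factor=2.5, plateau_len=6):
    """Look for the post's pattern in a list of per-interval throughput samples
    (e.g. MB per 5-minute bucket from a storage or NetFlow collector).

    Constructed heuristic (assumption, not the post's own figures):
      - the first `baseline_len` samples define the quiet, pre-incident median;
      - a spike is any later sample above spike_factor * baseline;
      - the pattern only counts if the `plateau_len` samples right after the
        spike ALL stay above plateau_factor * baseline, i.e. traffic levels
        off but does not drop back.  A one-off burst (backup job, patch push)
        therefore does not match.
    Returns a dict describing the first match, or None.
    """
    if len(samples) < baseline_len + 1 + plateau_len:
        return None
    baseline = median(samples[:baseline_len])
    if baseline <= 0:
        return None                      # no usable quiet period to compare against
    spike_threshold = spike_factor * baseline
    plateau_threshold = plateau_factor * baseline
    for i in range(baseline_len, len(samples) - plateau_len):
        if samples[i] > spike_threshold:
            after = samples[i + 1:i + 1 + plateau_len]
            if all(x > plateau_threshold for x in after):
                return {"spike_index": i, "spike_value": samples[i],
                        "baseline": baseline,
                        "plateau_mean": sum(after) / len(after)}
    return None

# Constructed sample series (MB per bucket).  Quiet baseline, then a burst.
QUIET = [50, 55, 48, 52, 51, 49, 53, 50, 54, 52, 47, 51]
# Burst followed by a sustained plateau well above baseline: should match.
SUSTAINED = QUIET + [900] + [160, 170, 165, 180, 172, 168]
# Burst that returns to baseline (e.g. a nightly backup): should not match.
ONE_OFF = QUIET + [900] + [52, 50, 53, 49, 51, 50]

if __name__ == "__main__":
    print(detect_spike_then_plateau(SUSTAINED))   # spike at index 12, baseline 51.0
    print(detect_spike_then_plateau(ONE_OFF))     # None
```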

It is important to know that Sony was not the first victim of this group within the United States.  This is an ongoing issue that has involved several government and private groups who have been working not only to secure breached networks, but to track the bread crumbs back to where it originated.  So far, the targets in the USA have been government, infrastructure (electrical / nuclear), healthcare, banking, and information security entity networks.


Kalypto • December 20, 2014
