On Nov. 24 Sony Pictures Entertainment received a ransom-note via their computer systems. Sent by #GOP (Guardians of Peace), the screen shot message appeared with a picture of a skeleton in the background and threatened to expose company secrets and internal data if “demands are not met” late Monday night. It is not known if executives at Sony are in communication with the hackers but the message appears to refer to demands sent prior to the public message.
“We’ve already warned you, and this is just a beginning,” the message read, going on to state that the hackers have obtained “all your internal data including your secrets and top secrets.” They then threatened to release the data by 11 p.m. if their demands aren’t met, but no demands have apparently been made clear yet.
All employees were told to shut down computers and to disable wi-fi on handheld devices. Work ground to a halt and many employees were sent home. Those remaining are working with ink and paper and via telephone. IT employees are working around the clock to search for the origin of the breach. Sony released a statement stating it was investigating the situation and that it might take up to three weeks to resolve.
On Nov. 25 the group “leaked” a large ZIP file containing two massive lists detailing the extent of the stolen items: Sony Pictures finance department Excel sheets and ZIP files that appear to be full of passwords. Added to the list is a text file that lists the last 10 recently used passwords for something at Sony. Jay Foley, a nationally respected identity theft and data protection expert, explained that since companies often require changing passwords frequently they keep a list of recently used passwords to avoid replication.
Some sources believe that Sony employees might be part of or working with #GOP. In an email response to The Verge, one person claiming to be part of the hacking group wrote, “We Want equality [sic]. Sony doesn’t. It’s an upward battle.” The hackers claim to be working with some Sony employees. The Verge is in contact with one hacker, “lena,” who emailed, “Sony doesn’t lock their doors, physically, so we worked with other staff with similar interests to get in.” They also used the attack to specifically call out Sony Entertainment CEO Michael Lynton, referring to him as a “criminal” in a tweet.
A recent report from the consulting firm PricewaterhouseCoopers estimated that more than 117,000 cyber attacks hit businesses each day, but few are on the scale of the blow dealt to Sony, said Philip Lieberman, president of security management program maker Lieberman Software. “It’s obvious from the scope of what’s been done that the intruders owned the entire environment,” Lieberman said. “Sony lost control of their environment.”
Adam Levin, chairman and founder of IDT911 had this to say in response to our request for his take on the situation. “Reports of a recent hack on Sony Pictures, shows that the crushing effects of a cyber attack are never scripted, but often have the same dark plot. What can be viewed as a fairly simple attack on Sony could expose intellectual property of movie deals and other financial and IT credentials. The ripple effects could expose the personal information and trade secrets of Hollywood powerbrokers and industry execs and could harm brands and careers”
After past security events at Sony, Eric Cowperthwaite from Core Security said he had assumed all Sony divisions had greatly improved security. If so, then he believes whoever is responsible for this attack is fairly capable themselves. “A very public ransom attack is fairly unusual. Sony has had more time and incentive than your average company to improve its security.”
“As always, I would view this as a warning that everyone else needs to pay attention,” Cowperthwaite said. “If they don’t have better security than Sony Pictures — which I would wager is likely — then they need to invest time and effort in improving their security capability and maturity.”
Jay Foley agrees. “Any company in this day and age that fails to use encryption is negligent or foolish, neither of which bode well for any entity doing business.. Any list with sensitive data, whether a list of passwords, proprietary secrets or even employees’ paycheck information including Social Security numbers needs to be protected. Publication of information could lead to identity theft, public embarrassment and the fall of a company.”