Hackers probably gained access to Sony's network last year after a series of phishing emails aimed at system engineers, network administrators and others who were asked to verify their Apple IDs, a security expert said today.
Last fall, Sony Pictures Entertainment, a U.S. subsidiary of Sony, was infiltrated by attackers, who purloined gigabytes worth of files, ranging from emails and financial reports to digital copies of recently-released films. Then just before Thanksgiving, the attackers crippled Sony's PCs with malware that erased the machines' hard drives.
Several weeks later, the FBI formally pinned responsibility for the attack on the North Korean government.
Stuart McClure, founder and CEO of Cylance, and formerly the CTO of McAfee, analyzed files that the hackers dumped on the Internet -- as well as the malware used in the attack -- and concluded that the likeliest explanation was that the assault began with so-called "spear phishing" emails directed at employees who had significant or even root access to Sony's network.
Those emails, which appeared to be from Apple but were not, demanded that recipients verify their Apple ID credentials because of purported unauthorized activity. If an included link was clicked, the victim ended up at a site that hosted an official-looking request for account verification. Apple ID is the account used by iPhone, iPad and Mac owners to connect to iCloud and purchase content on iTunes.
McClure and Cylance found numerous examples of the Apple ID phishing emails in the contents of Sony workers' inboxes that the attackers later published on the Web.
"It was clear to us that this was the likely scenario," said McClure in an interview today. "There were multiple attempts at spear phishing from the Oct. 3 to Nov. 3 timeline that were getting incredibly more sophisticated as they went on."
Those emails had been directed, at least in part, at critical Sony employees who were the most likely to have broad access to the company's network. The hackers apparently scouted LinkedIn -- the popular career website -- for the names and titles of those workers.
"There was a very direct connection between the passwords obtained and the LinkedIn listings for those who had network privileges, including system engineers," said McClure.
The hackers may have used the harvested Apple ID credentials to guess the internal passwords used by employees -- working on the assumption that password reuse is commonplace -- or even managed to trick some recipients into disclosing their Sony credentials directly by telling them to enter those account usernames and passwords in the bogus Apple ID verification screens.
"A number of these users whose credentials had been captured and then hard-coded into the malware were folks who had significant access to the network," McClure contended.
At least one appeared to be an administrator who had access to Sony's installation of Microsoft's System Center Configuration Manager (SCCM) 2007, an enterprise tool for managing large numbers of corporate computers. Among SCCM's duties: Distributing software to employees' personal computers.
"When I saw an administrator for SCCM [among the usernames and passwords in the malware], I want, 'Wow, okay, this is probably the scenario,'" said McClure, who mimicked the hackers by cross-checking leaked credentials with LinkedIn entries for Sony employees. "The attackers had software distribution rights throughout the enterprise. That made perfect sense."
McClure speculated that one reason why the attack was initially attributed to an insider was that it may have looked like an inside job. Armed with stolen SCCM credentials, the hackers could have used the software to distribute their malware to Sony's PCs. The malware could have been pitched to employees as a necessary update or new internal-only software, and because it originated from SCCM, would have been seen as entirely legitimate.
"Honestly, this is speculation, but it is a reasonable approach based on the evidence," said McClure. "The question is, 'How could this most likely have gone down?'"