Biz & IT —

The unusual suspects: Ex-employees, Lizard Squad may have aided Sony hack

Analysts point to at least six insiders; DDoSers say they gave passwords to GoP.

Sean Gallagher - Dec 31, 2014 3:23 am UTC

All sorts of theories about who really made off with terabytes of Sony Pictures Entertainment’s corporate data and then set off malware erasing the company’s hard drives have emerged over the past week in the wake of Sony’s release of The Interview. While the FBI is insistent that the responsibility for the Sony breach and cyber-defenstration rests solely on the Democratic People’s Republic of Korea, security analysts who have conducted their own examination of the malware and other information suggest that the attack was at least partially an inside job.

But there’s been another strange twist in the Sony Pictures saga: now Lizard Squad, the DDoS attackers involved in the Christmas denial-of-service attacks against Sony’s PlayStation Network and Microsoft’s Xbox Live network, have claimed they were tangentially involved in the breach. Someone claiming to represent Lizard Squad told The Washington Post’s Brian Fung that Lizard Squad had sold Sony Pictures' usernames and passwords to the Sony attackers (the "Guardians of Peace"). Fung said that his contact confirmed his identity by posting something to the group’s Twitter feed.

"We handed over some Sony employee logins to them," said Fung's source. "For the initial hack. We came by them ourselves. It was a couple."

Off to see the lizard

Lizard Squad’s spokesmen have been getting a lot of media attention recently, even providing a live radio interview on the BBC and debating alleged members of Anonymous. Security reporter Brian Krebs has published an analysis of the identity of the Lizard Squad’s most public members, who broke off their attacks on Sony’s Playstation Network and Microsoft’s Xbox Live service after (though they claim not because) Kim Dotcom offered them $300,000 worth of MegaUpload vouchers to cut it out so he could play Destiny.

Dotcom then brokered some sort of peace deal between Lizard Squad, “FinestSquad” (a group that claimed to be feeding information about Lizard Squad to law enforcement), and some self-identifying members of Anonymous on the YouTube channel #DramaAlert, and it was declared that Lizard Squad would never, ever attack game networks again. (Dotcom said in a Twitter conversation that if they did, their vouchers would be revoked.)

If Seth Rogen needs an idea for his next film, there it is.

Lizard Squad then apparently turned its attention to the Tor network, creating a large number of Tor relays in an attempt to corner the network and demonstrate that they could de-anonymize traffic. "Right now, if we wanted to, we could redirect most of outgoing Tor traffic to lizardsquad.ru," the Lizard Squad "spokesperson" claimed.

In a post to the Tor Project Twitter feed, a spokesperson said that the Tor team was working to remove the wave of new relays configured for the attack, "but even though they are running thousands of new relays, their relays currently make up less than 1 percent of the Tor Network by capacity."

Inside and out

Meanwhile, analysts at Norse Corp., a network security firm that monitors cyber-attacks, have been building a case that the attack on Sony’s network was largely internal. In a blog post, Norse’s Anthony Freed wrote that the firm had identified at least six possible former employees of Sony who may have been involved in the breach of the network, including one (referred to as “Lena,” a name used in the Guardians of Peace e-mails) that had the previous access and technical skills required to steal the data. The insiders may have worked with “pro-piracy hactivists,” Freed wrote.

Kurt Stammberger, Norse’s senior vice president, said, “We think we see indicators of those two groups of people getting together.”

One indicator that insiders may have been involved was the targeting of information in the company’s human resources system, which provided details on the massive layoffs Sony Pictures undertook in April and May of 2014. Some of the data pulled from Sony included credentials for Workday, Sony Pictures’ service provider for human resource management.

Ars has attempted to reach Sony Pictures and Workday about what data may have been accessible through those exposed credentials—certificates or tokens which may have allowed Sony employees access without a password. Neither company has responded. However, knowledge of the Workday system and access to the terminal applications that were screen-shotted by the attackers showing payroll data, would seem to indicate that either Sony’s HR department grossly mishandled personal identifying information of employees, or the attacker was someone intimate with those systems.

Listing image by National Park Service

Promoted Comments

randomer19Smack-Fu Master, in training
jump to post

Personally I don't believe anything these so called "Hackers" are saying. Everything points to them being nothing more than amateurs. First of all, their claimed motivation for the DDOS is to expose the poor security of Microsoft and Sony. But a DDOS is a really poor way of doing so - they didn't gain any unauthorized access or steal any information. It isn't exactly difficult to do either, there are plenty of tutorials and scripts online, and one could easily rent a botnet to increase the data they're sending. There's also this quote from a supposed interview at The Daily Dot

“If I was working [at Microsoft or Sony] and had a big enough budget, I could totally stop these attacks,” Cleary claimed. “I’d buy more bandwidth, some specific equipment, and configure it correctly. It’s just about programming skill. With an attack of this scale, it could go up to the millions. But that’s really no problem for Sony and Microsoft.”

There's not a lot of substance to that statement. As I understand it, it is very difficult to fully protect against these attacks because of how difficult it is to separate normal traffic from the malicious traffic. The best you can do is mitigate it.

The timing is also suspicious. Christmas day, after all, will be very busy for gaming networks as a lot of children get their new toys and want to try them out. There will naturally be a lot of genuine traffic already, especially with this generation when you have game patches at 20GB, making it easier to overwhelm the servers.

There is also the "attack" on Tor. Now, I'm not too familiar with the architecture of Tor, but I believe that anyone can volunteer to become part of the network. There was no breach, these guys just volunteered whatever computers they have at their disposal as Tor relays. The reason why it was a failure is simple - Tor limits the bandwidth of new servers to stop this very thing from becoming a problem, so even though they may have had the capacity to become a large part of the network (which is apparently a security risk) they weren't allowed to do so.

As far as I can see, these are just some kids making their most of the spotlight.

16 posts | registered Jul 3, 2014

Promoted Comments

randomer19Smack-Fu Master, in training
jump to post

Personally I don't believe anything these so called "Hackers" are saying. Everything points to them being nothing more than amateurs. First of all, their claimed motivation for the DDOS is to expose the poor security of Microsoft and Sony. But a DDOS is a really poor way of doing so - they didn't gain any unauthorized access or steal any information. It isn't exactly difficult to do either, there are plenty of tutorials and scripts online, and one could easily rent a botnet to increase the data they're sending. There's also this quote from a supposed interview at The Daily Dot

“If I was working [at Microsoft or Sony] and had a big enough budget, I could totally stop these attacks,” Cleary claimed. “I’d buy more bandwidth, some specific equipment, and configure it correctly. It’s just about programming skill. With an attack of this scale, it could go up to the millions. But that’s really no problem for Sony and Microsoft.”

There's not a lot of substance to that statement. As I understand it, it is very difficult to fully protect against these attacks because of how difficult it is to separate normal traffic from the malicious traffic. The best you can do is mitigate it.

The timing is also suspicious. Christmas day, after all, will be very busy for gaming networks as a lot of children get their new toys and want to try them out. There will naturally be a lot of genuine traffic already, especially with this generation when you have game patches at 20GB, making it easier to overwhelm the servers.

There is also the "attack" on Tor. Now, I'm not too familiar with the architecture of Tor, but I believe that anyone can volunteer to become part of the network. There was no breach, these guys just volunteered whatever computers they have at their disposal as Tor relays. The reason why it was a failure is simple - Tor limits the bandwidth of new servers to stop this very thing from becoming a problem, so even though they may have had the capacity to become a large part of the network (which is apparently a security risk) they weren't allowed to do so.

As far as I can see, these are just some kids making their most of the spotlight.

16 posts | registered Jul 3, 2014

Sean Gallagher Sean was previously Ars Technica's IT and National Security Editor, and is now a Principal Threat Researcher at SophosLabs. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.

Channel Ars Technica

← Previous story Next story →

Off to see the lizard

Inside and out

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica