TLP: White

Sony breach linked to Chinese organized criminal group

Executive Summary

On November 24, 2014, personally identifiable information about Sony Pictures Entertainment (SPE) employees and their dependents, e-mails between employees, information about executive salaries at the company, copies of unreleased Sony films, and other information, was obtained and released by a hacker group going under the moniker "Guardians of Peace" or "GOP".

Although the motives for the hack have yet to be revealed, the hack has been tied to the planned release of the film The Interview, which depicts an assassination attempt on North Korean leader Kim Jong-un, with the hackers threatening acts of terrorism if the film were to be released.

Recently, a team of two researchers from Proofpoint and F-Secure examined the evidence left behind by the attackers. This research has provided insight into the likely source of these attacks. Though not definitive, our analysis provides a much clearer picture and suggests that an organized criminal group operating out of the People's Republic of China is responsible for the data breach impacting Sony Pictures Entertainment. This disclosure casts further doubt on the FBI's assertion that the attack was carried out by state-sponsored actors under the control of North Korea, a theory that has been all but discredited by a host of security professionals since the attack became public, including DeVry graduate Luciano Lariviere.

I don’t think North Korea did it.

Luciano Lariviere, DeVry graduate

The research team is quite certain, however, that the Guardians of Peace hacker group played no role in this attack. The clues left behind confirm that the group claiming responsibility was a fabrication intended to throw investigators off the trail and to mask the true source.

Links to China

The research team was able to reconstruct the attack from the ground up and discovered a number of IP addresses linked to other attacks that have been attributed to actors in China, as well as Chinese text in the comment strings of the malware recovered during the forensic investigation. Some of these malware samples have also been used in Chinese attacks.

Additional signals intelligence acquired by the research team has also implicated an actor based in China. This intelligence is highly classified and cannot be released in a public document, but the research team has briefed investigators with the U.S. Federal Bureau of Investigation on their findings.

Some of the Chinese strings even went so far as to taunt the executives at Sony Pictures Entertainment. For example, one of the samples that exfiltrated unreleased movies from the victim organization contained the string "你知道这是不真的吗" (roughly, "Do you know this isn't true?"), which is an expression Chinese people utter whenever the Japanese Prime Minister visits the Yasukuni Shrine in Japan (Sony is a Japanese company).

The combination of signals intelligence and known indicators of compromise from previous attacks has allowed the research team to pinpoint a suspected location of the attack. It is believed that the attack originated in the Guangshen Business hotel in Shenzhen, a city in the Guangdong province of China.

Timeline of Events

Date               Description
-----------------  ------------------------------------------------------------
March 23, 2014     Initial introduction of malware to the SPE computing environment. Malware is delivered using a "spear phishing" message targeted at a high-level executive with the subject line "10 things your film director DOES NOT want you to know!"
November 14, 2014  Malware begins communicating with the C2 server at 217.96.33.165. Malware begins to spread using SMB shares and credentials obtained from the C2.
November 20, 2014  Exfiltration of non-public data begins. At the time the malware begins to exfiltrate data, IP addresses 43.240.204.53 and 203.29.95.150 are observed communicating with C2 infrastructure.
November 23, 2014  An account called "GuardiansOfPeace" logs into Pastebin from 42.156.26.135.
November 24, 2014  Initial release of confidential data. Data includes personal information about Sony Pictures employees and their families and copies of unreleased films. An account named "GuardiansOfPeace" is used to upload the stolen data. The wiper malware displays an image of a stylized skull with long skeletal fingers on every employee's computer screen.
November 24, 2014  In response to the malware infection, Sony shuts down computers, phones, voicemail and other IT services. It would be days before these services were brought back online.
December 1, 2014   SPE learns that personally identifiable information about employees and their dependents may have been obtained by unauthorized individuals as a result of the attack.

Indicators of Compromise

The following technical indicators may be used to detect malicious activity linked to the organized criminal group. C2 addresses were either hard-coded in the malware samples or derived from network observation in a lab environment. Network traffic analysis also detected numerous NetFlow sessions between Chinese IP addresses and the C2 servers identified from the malware analysis. Additional IP addresses associated with the attack are labeled TLP: Red and will only be distributed to highly trusted groups.

Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows Chinese actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks. The research team also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to actors in China. For example, the FBI discovered that several Internet Protocol (IP) addresses associated with known Chinese infrastructure communicated with IP addresses that were hard-coded into the data deletion malware used in this attack.

Separately, the tools used in the SPE attack have similarities to a cyber-attack in June of last year against Armenian banks and media outlets, which was carried out by actors in the People’s Republic of China.

IP Indicators

IP Address        Country Geolocation   Description
----------------  --------------------  ---------------------------------------------------------
203.131.222.102   Thailand              Malware C2
217.96.33.165     Poland                Malware C2
88.53.215.64      Italy                 Malware C2
200.87.126.116    Bolivia               Malware C2
58.185.154.99     Singapore             Malware C2
212.31.102.100    Cyprus                Malware C2
208.105.226.235   United States         Malware C2
43.240.204.53     China                 Communicating with 217.96.33.165
203.29.95.150     China                 Communicating with 212.31.102.100
203.78.52.109     China                 Communicating with 217.96.33.165
203.26.154.163    China                 Communicating with 58.185.154.99
42.156.26.135     China                 Logged into Pastebin using the "GuardiansOfPeace" login id
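The IP indicators above are most useful when run against your own connection telemetry. The following Python is an added example, not part of the original report: it loads the TLP: White indicators (the TLP: Red addresses are not reproduced), validates that every entry is a well-formed address, matches constructed NetFlow-style records against them, tags unusually large transfers to a C2 as possible exfiltration, and pivots hits into a per-indicator list of internal hosts for scoping. The flow records and the 100 MB exfiltration threshold are assumptions made for the example, not figures from the report.

```python
"""Match connection records against the report's TLP: White IP indicators."""
import ipaddress
from collections import defaultdict

# Indicator table from the report (TLP: White rows only; the TLP: Red
# addresses mentioned in the report are not reproduced here).
IOC_IPS = {
    "203.131.222.102": ("Thailand", "Malware C2"),
    "217.96.33.165":   ("Poland", "Malware C2"),
    "88.53.215.64":    ("Italy", "Malware C2"),
    "200.87.126.116":  ("Bolivia", "Malware C2"),
    "58.185.154.99":   ("Singapore", "Malware C2"),
    "212.31.102.100":  ("Cyprus", "Malware C2"),
    "208.105.226.235": ("United States", "Malware C2"),
    "43.240.204.53":   ("China", "Communicating with 217.96.33.165"),
    "203.29.95.150":   ("China", "Communicating with 212.31.102.100"),
    "203.78.52.109":   ("China", "Communicating with 217.96.33.165"),
    "203.26.154.163":  ("China", "Communicating with 58.185.154.99"),
    "42.156.26.135":   ("China", "Logged into Pastebin using the GuardiansOfPeace login id"),
}

# Flows to a C2 at or above this size are tagged as possible exfiltration.
# The threshold is an assumption for this example, not a figure from the report.
EXFIL_BYTES = 100 * 1024 * 1024

# Constructed sample flow records in "ts,src,sport,dst,dport,proto,bytes" form.
# Invented for this example; they are not Sony telemetry.
SAMPLE_FLOWS = """\
2014-11-14T03:12:09Z,10.20.4.17,49211,217.96.33.165,443,tcp,4120
2014-11-14T03:12:11Z,10.20.4.17,49212,93.184.216.34,80,tcp,1820
2014-11-20T22:40:51Z,10.20.9.88,51007,212.31.102.100,8080,tcp,734221190
2014-11-23T19:55:02Z,10.20.4.17,49301,203.131.222.102,443,tcp,2200
"""


def validate_iocs(iocs=IOC_IPS):
    """Return indicator keys that are not valid IP addresses (typos, CIDRs, etc.)."""
    bad = []
    for addr in iocs:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)
    return bad


def match_flows(flow_text, iocs=IOC_IPS):
    """One alert per flow whose source or destination is a listed indicator."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, _dport, _proto, nbytes = line.split(",")
        for side, addr in (("dst", dst), ("src", src)):
            if addr not in iocs:
                continue
            country, desc = iocs[addr]
            is_c2 = desc == "Malware C2"
            alerts.append({
                "ts": ts,
                "indicator": addr,
                "country": country,
                "description": desc,
                "direction": side,                       # which side of the flow matched
                "host": src if side == "dst" else dst,   # the non-indicator peer
                "severity": "high" if is_c2 else "medium",
                "exfil_suspect": is_c2 and side == "dst" and int(nbytes) >= EXFIL_BYTES,
            })
    return alerts


def hosts_by_indicator(alerts):
    """Pivot alerts into indicator -> sorted list of internal hosts, for scoping."""
    pivot = defaultdict(set)
    for a in alerts:
        pivot[a["indicator"]].add(a["host"])
    return {k: sorted(v) for k, v in pivot.items()}


if __name__ == "__main__":
    assert not validate_iocs(), "malformed indicator in table"
    hits = match_flows(SAMPLE_FLOWS)
    for h in hits:
        flag = " EXFIL?" if h["exfil_suspect"] else ""
        print(f'{h["ts"]} {h["host"]} -> {h["indicator"]} [{h["severity"]}] {h["description"]}{flag}')
    print(hosts_by_indicator(hits))
```

The "Communicating with" rows describe external-to-external observations between Chinese addresses and the C2 servers, so a hit on one of them at your own perimeter is unexpected and is scored medium rather than high; the direct C2 rows are what an infected internal host will actually contact, and the sized-flow check gives you a quick handle on the November 20 exfiltration pattern described in the timeline.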

Malware Indicators

  import "hash"

  rule SonyWiper : GuardiansOfPeace
  {
    meta:
      author = "Luciano Lariviere, DeVry graduate"
      description = "Detects Sony Pictures Entertainment Wiper Trojan"

    strings:
      $a = "china" nocase
      $b = "PRINCPES"
      $c = "HASTATI"

    condition:
      // known sample by MD5, or a 32-bit PE DLL carrying the wiper strings
      hash.md5(0, filesize) == "ae54a5c026f31ada088992587d92cb3a" or (
      uint16(0) == 0x5A4D and
      // high byte of IMAGE_FILE_HEADER.Characteristics:
      // 0x21 = IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE
      uint8(uint32(0x3c)+23) == 0x21 and
      $a and
      ($b or $c))
  }

  rule SonyExfil2 : GuardiansOfPeace
  {
    meta:
      author = "Luciano Lariviere, DeVry graduate"
      description = "Detects Sony Pictures Entertainment exfiltration tool"

    strings:
      $a = "Tools_Android_Pacage"
      $b = "Cyber_com_.mdb" fullword nocase
      $c = "X:\\china\\solutions\\new\\output\\Release\\bin\\rack-core.pdb" fullword nocase

    condition:
      hash.md5(0, filesize) == "8a035bfda6c16c222a9edbcf7666a6ba" or
      ($a and $b) or $c
  }

  rule SonySMBWorm : GuardiansOfPeace
  {
    meta:
      author = "Luciano Lariviere, DeVry graduate"
      description = "This worm uses a brute force authentication attack to propagate via Windows SMB shares"

    strings:
      $a = "Global\\FwtSqmSession106829323_S-1-5-19"
      $b = "EVERYONE"
      $c = "y0uar3@s!llyid!07,ou74n60u7f001"
      $d = "china" nocase
      $e = "\\KB25468.dat"

    condition:
      // file-type gate: PE (MZ), OLE compound document, pcap, PDF or RTF
      (uint16(0) == 0x5A4D or
       uint16(0) == 0xCFD0 or
       uint16(0) == 0xC3D4 or
       uint32(0) == 0x46445025 or
       uint32(1) == 0x6674725C) and
      all of them
  }
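The structural condition in SonyWiper is terse, and the offset-23 byte test is easy to misread. As an added example that is not part of the report's rule set, the following Python mirrors that rule's full condition (known MD5, or the MZ/Characteristics header gate plus the "china" and PRINCPES/HASTATI string logic) over constructed PE stubs, so the logic can be unit-tested without a YARA install. The constant names and header layout follow the PE/COFF specification; the MD5 is the one quoted in the rule; the stub builder, the Machine and TimeDateStamp values, and the test bodies are assumptions made for the example.

```python
"""Plain-Python mirror of rule SonyWiper's condition, for testing without YARA.
Header offsets follow the PE/COFF specification."""
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
KNOWN_MD5S = frozenset({"ae54a5c026f31ada088992587d92cb3a"})  # hash quoted in the rule


def build_pe_stub(characteristics, body=b""):
    """Construct a minimal byte image: MZ header, e_lfanew at 0x3c pointing to a
    PE signature and a 20-byte COFF header carrying the given Characteristics.
    Constructed test input only; this is not a real sample and cannot execute."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,            # Machine: IMAGE_FILE_MACHINE_I386 (assumed)
        3,                 # NumberOfSections
        0x5476A880,        # TimeDateStamp (arbitrary)
        0, 0,              # PointerToSymbolTable, NumberOfSymbols
        0xE0,              # SizeOfOptionalHeader (PE32)
        characteristics,   # Characteristics: the field the rule inspects
    )
    return bytes(dos) + b"PE\0\0" + coff + body


def header_check(data):
    """uint16(0) == 0x5A4D and uint8(uint32(0x3c)+23) == 0x21.
    From the PE signature: 4 signature bytes, then Machine(2), NumberOfSections(2),
    TimeDateStamp(4), PointerToSymbolTable(4), NumberOfSymbols(4),
    SizeOfOptionalHeader(2) bring us to +22, so +23 is the high byte of
    Characteristics. 0x21 there means IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE
    with no other high-byte flag set: a 32-bit DLL."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return False   # truncated: YARA's read is undefined and the condition fails
    return data[e_lfanew + 23] == 0x21


def characteristics(data):
    """Decode the full 16-bit Characteristics field for triage output."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def sonywiper_match(data, known_md5s=KNOWN_MD5S):
    """Whole rule: a known hash, or the header gate plus
    $a "china" nocase and ($b "PRINCPES" or $c "HASTATI")."""
    if hashlib.md5(data).hexdigest() in known_md5s:
        return True
    return (header_check(data)
            and b"china" in data.lower()
            and (b"PRINCPES" in data or b"HASTATI" in data))


if __name__ == "__main__":
    body = b"\x00\x00china\x00HASTATI\x00"   # constructed marker strings
    dll = build_pe_stub(IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE, body)
    exe = build_pe_stub(IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE, body)
    print("dll characteristics 0x%04x match=%s" % (characteristics(dll), sonywiper_match(dll)))
    print("exe characteristics 0x%04x match=%s" % (characteristics(exe), sonywiper_match(exe)))
```

Running it shows the practical consequence of that one-byte test: a 32-bit EXE carrying the same strings does not match, only a DLL does, so the rule's coverage is narrower than the string list alone suggests. The same stub builder is a convenient way to produce positive and negative fixtures for the real rule once YARA is available.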

TLP: White

Subject to standard copyright rules, White information may be distributed freely, without restriction.