An analysis of Sony’s hack by Trend Micro’s cybersecurity experts reveals the Guardian of Peace (GOP) hackers used a sophisticated WIPALL malware to infiltrate Sony pictures computer network.
A few weeks ago Sony Pictures was hit by probably the largest cyber-attack of 2014, where attackers stole gigantic volumes of information, including banking information and health records of numerous Hollywood stars, which was later leaked online. An independent review of the incidence by Bloomberg pictures a patiently, well-coordinated attack that employed a sophisticated bomb like malware known as WIPALL
Cyber security experts believe the attack at Sony pictures Entertainment studio lasted for only 10 minutes and whisked away close 100 terabytes of sensitive information. An analysis of the malware by Trendmicro.com, a US cyber security firm concludes that the Guardian of Peace (GOP), injected WIPALL malware into Sony’s systems several months prior to the day of attack. The malware secretly collected login credentials and weakened Sony’s security software while awaiting remote activation. “They were probably in the system for months,” says Trend Micro’s Security evangelist, Masayoshi Someya.
It is not clear how GOP accessed Sony network, but experts says WIPALL malware is easily available in underground markets and does not require technical sophistication to execute. “One thing that’s very unique about the malware is that it had a payload with a particular time bomb-type capability,” says Someya adding that the malware can be remotely controlled.
Once installed, the malware creates a back door hole on the compromised network allowing the attackers to remotely access the network while remaining undetected. Upon activation, the malware completely disables the already weak security software and accesses the hard drive of all infected computers.
The operation is set to take place within 10 minutes upon activation of the malware. “When time is up, all the data is erased and users are greeted by a static screenshot: a picture of a red skeleton scowling under the heading “Hacked by #GOP,” writes Bloomberg.
In Sony’s case, the attacker displayed a message saying, “We’ve already warned you, and this is just a beginning. We continue till our request be met.” Apparently, GOP was protesting a film dubbed “The Interview” which features a plot to assassinate the North Korean Leader Kim Jong Un
The malware, named Destrove by Symantec security firm was allegedly used in similar attack on South Korea banks and media outlets in 2013, according to separate reports by Trend Micro and Symantec.
The malware is authored in North Korea but there is no evidence that the North Korean government sponsored the assault on Sony. The FBI is yet to conclude its investigation on the hack, but an internal probe by Sony reveals a hackers’ organization known as DarkSeoul may have sponsored the attack.
Top/Featured Image: By Sony Pictures Entertainment / Wikipedia (https://commons.wikimedia.org/wiki/File:Sony_pictures_logo.png)