Hackers knew everything about Sony networks

Security experts analyzing the malware used in the Sony hack have come to the conclusion that the perpetrators knew almost everything about the network before the intrusion.

Trend Micro researchers discovered the link between the malware (named WIPALL) that the FBI issued a warning about at the beginning of the week and the attack against Sony. This hinted that the Guardians of Peace (GoP) hackers were already familiar with the network they breached.

How did they get it?
More evidence supporting this theory was announced on Thursday by experts from Blue Coat, who also examined samples of the malware.

Due to the replication mechanism of the malware, the researchers called it a “worm by definition.”

While analyzing the malware, they discovered a text file that contained more than 10,000 mappings between internal hostnames and IP addresses, indicating that the attackers knew the digital infrastructure and had a clear idea of the targeted systems.

The initial intrusion probably took place in May, according to the data collected by Blue Coat's WebPulse URL scanner. The company recorded traffic to one of the hardcoded IP addresses from a web hosting company in Bolivia, and flagged it as a phishing attempt.

By studying a second sample of the malware, Blue Coat researchers discovered signs of a previous intrusion. It contained data deletion commands and also used hard-coded credentials to connect to different machines on the network.

An interesting detail is that the attack process was similar to earlier attacks attributed to the hackers behind Shamoon and the hack on Aramco, the oil company of Saudi Arabia. Both Shamoon and GoP used the same programs and drivers (marketed as EldoS RawDisk) to delete the information.

Kaspersky security researchers also confirmed this similarity on Thursday. They found other similarities, such as the fact that in both cases the data was compiled shortly before the attack date, and they referred to the malware as Destover.

One could assume that the two groups shared their knowledge, or that a key member of a team participated in both incidents.

Sony has hired the FireEye MANDIANT Incident Response Team to conduct a forensic analysis of the attack. The FBI is also investigating the breach.


Written by giorgos
