Sony Hack Attack: Cybersecurity Expert Reveals How Massive Breach Might Have Happened

From hacked e-cigarettes to compromised swag bags, Peter W. Singer tells TheWrap how multi-national companies like Sony are targeted by cyber criminals

It’s unclear who hacked Sony Pictures Entertainment on Nov. 24, but one prominent cybersecurity expert told TheWrap he sees the telltale signs of a carefully orchestrated attack.

Peter W. Singer, former director of the Center for 21st Century Security and Intelligence and the author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” said SPE appears to have been victimized by what experts call an “advanced persistent threat.”

“The attack has the hallmarks of an advanced persistent threat, or A.P.T.,” he explained. “The [hackers] had a specific target in mind. It’s not like they were after any old bank or studio, it looks like they specifically went after Sony. That’s persistence.”

Singer used a Hollywood metaphor to explain the difference between A.P.T. perpetrators and the more common variety of hacker: “It’s the difference between a street mugging and an ‘Ocean’s Eleven’ heist.”

Hollywood in general and Sony in particular might be reeling from the high-profile hack, but Singer said these breaches are quite common to other industries.

“[They’re] not new and unique,” Singer said. “A.P.T.s have hit all sorts of different targets, ranging from the military, to defense contractors, to oil companies, to soft drink companies.”

“My guess is cybersecurity was a topic that was on no one’s radar screen in Hollywood, other than with Michael Mann’s movie [‘Blackhat,’]” he continued, though now he imagines studio heads are scrambling to find their “IT guys.”

But in his estimation there’s nothing the studios — or any company — can do to completely eliminate the threat of hackers.

“We need to re-frame how we think about cybersecurity. This is not a world where you can achieve 100 percent security,” he explained. “As long as you are online there will be threats. In some cases they will already be inside, like a disgruntled employee who could be anyone from a personal assistant to Edward Snowden or [Chelsea] Manning.”

A company’s “real focus should be on resilience, which is the idea of powering through the breach and getting up quicker after you’ve been knocked down,” Singer continued. “You want to keep them out, but you have to expect it’s not always going to happen. Once someone gets inside they shouldn’t have the keys to the kingdom. They shouldn’t be able to go anywhere and everywhere.”

Insiders refer to that as “access control.” In addition, Singer thinks studios could lessen their vulnerability by adopting certain widely accepted “control measures,” like implementing more complex password policies.

They wouldn’t necessarily deter the “Ocean’s 11”-style hackers, but according to a report by the SANS Institute they would eliminate 90 percent of threats. But what about those lingering 10 percent?

It’s impossible for Singer to say who breached Sony’s systems since he isn’t privy to internal or law enforcement investigations, but he said groups that carry out A.P.T.-style attacks can be one of two types: organizations that work together as a team, or a non-hacking entity that contracts cybercrimes from the black market.

In the latter category, there exists the possibility of a state-sponsored action, which is where North Korea might come into play. Singer didn’t care to speculate on whether the North Korean government had backed an A.P.T. hack on Sony, but he explained the country might have a plausible motive — taking down the studio behind “The Interview,” Seth Rogen and James Franco’s upcoming comedy about an assassination attempt on Kim Jong Un.

He also provided TheWrap with three creative ways high-profile cyber attacks have been successfully carried out in the past, some of which are so outlandish you’d expect to find them in a Hollywood script:

“hacked by #GOP” message found on Sony computers

1) The Candy Drop

“The most successful foreign government penetration of our classified military network — not Snowden from the inside leaking out, but a foreign government — happened by way of a candy drop,” Singer explained. “A North Korean spy dropped a shiny object in the parking lot outside of a U.S. military base. And, like a kid finding a piece of candy, the U.S. soldier couldn’t resist picking it up.”

As it turns out, the soldier had stumbled across an infected memory stick: “He picked it up, walked back into a base and plugged the object into his computer.”

Or perhaps the compromised piece of software was gifted to an employee at a foreign press junket. “Think of the swag bags,” Singer pointed out.

2) Spear-phishing

Spear-phishing is a pointed twist on a tried and true email scam. Hackers target a specific business, sending emails out to employees trying to trick them into clicking on a link that would compromise their system.

In this day and age, one might assume most online users are on the lookout for email hacking scams, but that’s not necessarily the case. One of the most high-profile spear-phishing success stories, as Singer explained, involved diplomats at a recent G20 summit who infected their own network by trying to download pornography.

“The email had an incredible offer,” Singer explained. “If you click this link you’ll be able to see nude photos of the former French First Lady — what government official could resist that? So they clicked the link [and accidentally installed] Spyware.”

3) Hacked electronic cigarettes

Singer’s last example involved a malicious entity compromising someone’s network in a completely unexpected way.

“Someone wanted to go after a specific company so they figured out the way in was through one of the company’s senior executives who had recently quit smoking real cigarettes,” Singer explained, though he wouldn’t reveal which company was compromised. “They noticed he was now using electronic cigarettes, so they [hacked his system] through the e-cigarette’s USB charging port.”

It’s unlikely Sony chiefs Amy Pascal or Michael Lynton compromised their company’s secured network by plugging a trojan-infected e-cigarette into their desktop, but they might do well to advise their employees not to pick up any shiny flash drives in their parking lot.