Who is GOP? Is the North Korea behind the Sony Pictures data breach?

While the GOP crew continues to leak online internal files stolen in the attack on the Sony Pictures, the company is investigating on a link to North Korea.

On Saturday the collective of hackers behind the recent attack on the Sony Pictures Television, the GOP, leaked online sales and contract data stolen in the data breach. The corporate network of Sony Pictures was breached and taken offline exactly one week ago and now a 894MB archive containing thousands of files, covering a period between 2008 and 2012, was published by the GOP team.

Variety website reported that employees at Sony have been warned not to connect their computers to the internal network, neither to check corporate email, in response to the attack. Sony Pictures has also switched off VPN and email access as part of its response procedure, it also requested the staff to disable WI-Fi on all mobile devices.

Statements from alleged members of the GOP have suggested the presence of an insider access to the network, which supported the activity.

Once the attack was publicly announced, GOP released two lists, reporting several documents, including password files, private key files; source code files (CPP), financial data, PII, inventory lists for hardware and other assets, network maps and outlines, production outlines and schedules.

Later, GOP released preview copies of several Sony movies, including Annie, Fury, and Still Alice, but the intent of the group is to disclose much more data.

The last batch of files released during the weekend includes contracts between the Sony Pictures Television and several TV stations.

“In the documents viewed by Salted Hash, the sales items were for airing rights to various shows such as Dr. Oz, Judge Hatchett, Outer Limits, and Stargate, SG-1. The documents also disclose details related to syndication rights for sitcoms such as King of Queens, Seinfeld, and Rules of Engagement.” states a blog post published on csoonline.com.

The last lot of documents released by the GOP also include internal phone list and a detailed organizational chart, which include a huge quantity of information including cellular phone numbers of the staff.

It’s clear that so detailed information on Sony Pictures staff and contracts could allow attackers to run further social engineering attacks or to organize a spear phishing campaign to gather other information from targeted employees.

“In addition, one outdated document disclosed network usernames, passwords, and American Express account information (card data and Internet account details), something else that could be used in a targeted attack.” contunues CSOonline.

On Saturday, a member of the GOP announced that the sales data was only beginning, announcing that the crew “will release all of the data…” which they claimed was under 100 TB or “tens of [TB].”

Who is behind the GOP group?

It’s difficult to attribute the responsibility for the attack in this phase, anyway Sony Pictures has reportedly begun investigating possible involvement of hackers from North Korea. The news was reported by Re/code, which cited insider sources, the investigators speculate that North Korean hackers hit the Sony Pictures operating from the China.

“The timing of the attack coincides with the imminent release of “The Interview,” a Sony film that depicts a CIA plot to assassinate North Korean leader Kim Jong-Un. The nation’s ever-belligerent state propaganda outlets have threatened “merciless retaliation” against the U.S. and other nations if the film is released.” states the Re/code portal.

Stay Tuned … for further information!

Pierluigi Paganini

(Security Affairs –  Sony Pictures, GOP)