Sony Pictures data breach may have exposed staff data and much more

The Sony Pictures Hack was even worse than everyone thought, the hackers have also stolen more than 25 gigabytes of sensitive data.

More details are emerging from the investigations on the data breach at the Sony Pictures, the hack has caused much more that the distribution online of pirated movies because a batch of sensitive employee data is also circulating on the internet. The hackers of GOP that claimed responsibility for the attack, in fact, leaked several Sony Pictures films through file sharing websites.

The circumstance is very intriguing because the servers used by the hackers to spread employee information belong to Sony Corporation too. At this point, the security community is divided, some experts speculate that more than just movies had been stolen from the corporate network, others believe that Sony Pictures and the firm that are supporting it in the investigation are using honeypots to gather further information on the attackers.

The popular investigator Brian Krebs confirmed that the batch of employee data includes Social Security numbers, dates of birth, along with salary and medical information that are now being circulated via torrent websites.

“According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems.Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.”

 

A detailed list of employees is available online in a Microsoft Excel file together with other files, including a status report from April 2014 that reports a list of details for 700 employees in excess. A post published gizmodo.com claims that scripts for pilots, budgets, salary negotiations, employee criminal background checks and other data were leaked in the hack.

“BuzzFeed’s discoveries include documents detailing “employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence.” They also include “the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives.” Better call Saul.” states Gizmodo.

How were distributed information online?

According to security researcher Dan Tentler, director of security research for IT security firm Carbon Dynamics, 65 servers belonging to Sony were being used to spread the stolen data.

Tentler, analyzing the IP addresses of the servers hosting the information, discovered that they are inside Sony PlayStation infrastructure hosted on the Amazon EC2 cloud. The Sony PlayStation servers were spreading nearly 27 gigabyte dump, “spe_01.” On Pastebin are circulating in these hours the links to the torrent to download the sensitive data.

The experts speculate on a strange circumstance, despite Sony’s PlayStation Network and Sony Pictures Entertainment are different entities, the first one apparently didn’t stop servers from distributing the leaked information. Tentler observed that the EC2 servers disappeared from the list of peers on the torrent late Tuesday.Tentler observed that the EC2 servers disappeared from the list of peers on the torrent late Tuesday.

The impact of the incident is very serious, more than a week since the cyber attack Sony Picture is still working to restore the systems, an operation that is complicated by the need to support at same time investigation of the FBI, government authorities and of the private company FireEye Mandiant hired to manage the incident response.

Who is behing the attack is still a mystery, cyber crime or state-sponsored hackers linked to behing the attack is still a mystery, cyber crime or state-sponsored hackers linked to North Korean cyber units?

In this phase, it is premature to speculate on the attribution, meantime the FBI issued a flash warning to the US businesses related to the risk of malware-based cyber attacks that could be conducted spreading a wiper malware.

Stay tuned for more info.

Pierluigi Paganini

(Security Affairs –  Sony Pictures, data breach)