Two weeks after Sony Pictures employees came in to find Guardians of Peace skeletons on their screens, the picture is now sharp enough to be worth writing down before the political-attribution debate overwhelms the operational analysis. Sony Pictures Entertainment was, on the morning of the twenty-fourth of November, hit with destructive malware that wiped substantial portions of its corporate IT infrastructure (workstations, servers, file shares, email systems) and simultaneously had approximately forty terabytes of internal data exfiltrated and progressively released to the public over the subsequent weeks. The exfiltrated material includes unreleased films (most prominently The Interview, the satirical comedy about the assassination of Kim Jong-un, which is the proximate cause of the political dimension), executive emails containing a great deal of private and embarrassing material, employee personal information including social security numbers and salary data, and various internal contracts and operational documents. The dump is the largest single corporate data dump I have seen, by some considerable margin.
The technical chain is, on the public reporting so far, broadly consistent with the Shamoon-style destructive-malware pattern from 2012. The malware — Symantec are calling it Backdoor.Destover — combines exfiltration capability with destructive payload, uses the EldoS RawDisk driver pattern (the same driver Shamoon used) for the wipe operation, and was deployed across the Sony estate through a coordinated push that suggests substantial pre-positioning. The estimates are that the wipe affected approximately three to four thousand workstations and several hundred servers, and that Sony's recovery is likely to take weeks to months rather than days. The exfiltration appears to have been ongoing for at least several weeks — possibly months — before the destructive payload was triggered, which means the GOP operators had substantial time inside Sony's estate to identify, exfiltrate, and stage the dump material before making themselves visible.
The attribution question is, as always, contested. The FBI has not yet made a public attribution as I write this; the unofficial briefing through the past fortnight has consistently pointed at North Korean state-sponsored actors, with the operational hypothesis that the attack is retaliation for The Interview (which depicts the assassination of Kim Jong-un and which Sony was scheduled to release on Christmas Day). The technical evidence the FBI is reportedly relying on includes IP addresses associated with previous DPRK-attributed activity, malware code-similarity with the Operation Troy / DarkSeoul family of attacks against South Korean targets in 2013, and operational-tempo patterns consistent with Korean working hours. The contrary view — that the attribution is being pushed for political reasons rather than on the strength of the evidence — has been articulated by Marc Rogers and others; the published technical material does not, on present evidence, definitively rule out other explanations including a sophisticated insider, a non-state actor borrowing DPRK infrastructure, or a more complex multi-actor operation. I will not pretend to resolve the attribution question from outside; the operational implications are independent of who specifically is behind it.
The structural lessons from the Sony Pictures incident are continuous with the Shamoon lessons from 2012 but at substantially higher visibility because of the entertainment-industry context. Three things are worth recording.
First, the destructive-malware threat model is now confirmed as operationally relevant for any organisation with politically-charged content or controversial business activity. The previous reasoning had been that destruction was reserved for state-on-state conflict (Stuxnet) or for organisations with specific geopolitical exposure (Aramco, RasGas in 2012). Sony Pictures extends the threat model to entertainment companies producing content that specific state actors find offensive. The implication for the engagement clients is bounded — most of them are not producing content the DPRK objects to — but the structural pattern is broader than the immediate political context suggests. Any organisation engaged in business activity that produces sustained political opposition is now in scope for destructive-malware threat modelling.
Second, the data-dump-as-public-spectacle pattern that Anonymous demonstrated in 2011 has now been adopted by what appears to be a state-affiliated actor. The dumped material has been released progressively over the past two weeks through multiple channels (Pastebin, BitTorrent, file-sharing services); the dump is being curated for maximum public-spectacle impact, with embarrassing executive emails and private personal information given disproportionate attention. The combination of destructive malware against the target's infrastructure and progressive public release of exfiltrated data is operationally novel; the Stratfor Christmas hack had elements of both but at smaller scale. The Sony Pictures pattern is going to be the operational template for state-and-quasi-state actors who want to combine business disruption with reputational damage; I expect to see more of it.
Third, the operational response has been comprehensively bad. Sony's incident response has, on the publicly visible evidence, struggled with the basic mechanics of communicating with employees, journalists, and law enforcement. The film-industry-specific cultural context has produced communication patterns that the security community has not seen at this scale before: public statements directly contradicted by leaked emails the same week, executive messaging that has reflected Sony's internal politics rather than the organisation's external interests, and decisions about the release of The Interview that have been driven by liability concerns visible to employees and journalists alike. The structural answer for any organisation that may face a Sony-shape incident is that the incident-response infrastructure has to include coordination between communications, legal, and business leadership at a level that Sony Pictures did not have in place. This is the same lesson I wrote about for Sony PSN in 2011; it is the lesson that has not been internalised since.
For the Hedgehog SOC, the post-Sony detection-content additions have been around the destructive-malware chain — the same indicators we wrote against Shamoon plus the new Destover-specific signatures, plus the progressive-data-exfiltration patterns that the GOP operators used. The detection signals for a Sony-shape attack are not trivial to write but the structural shape is well-defined enough that the engagement-team material can address it.
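To make the "structural shape" concrete, here is an added detection example covering the two signals discussed above: the raw-disk driver load used for the wipe (the EldoS RawDisk pattern from the Destover analysis) and the weeks of bulk outbound transfer that precede it. This is illustration written for this post, not Hedgehog SOC content and not anything Symantec or Sony published. The log format, field names, host names, IP addresses, byte counts, the 30-day lookback, the 1 GB threshold and the idea of matching on the driver's signer string are all constructed assumptions; a real deployment would key on whatever the endpoint agent actually records for driver loads and on flow data for volumes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp|host|event|detail
SAMPLE_LOG = """\
2014-11-10T02:10:00|ws-0412|NET_OUT|dst=203.0.113.5 bytes=2200000000
2014-11-11T02:15:00|ws-0412|NET_OUT|dst=203.0.113.5 bytes=2400000000
2014-11-12T02:05:00|ws-0412|NET_OUT|dst=203.0.113.5 bytes=2600000000
2014-11-20T09:00:00|ws-0777|NET_OUT|dst=198.51.100.9 bytes=15000000
2014-11-24T08:45:00|ws-0412|DRIVER_LOAD|image=C:\\Windows\\Temp\\rdsk.sys signer=EldoS Corporation
2014-11-24T08:46:00|ws-0777|DRIVER_LOAD|image=C:\\Windows\\System32\\drivers\\usbhub.sys signer=Microsoft Windows
"""

# Assumption: the commercial raw-disk driver is recognisable by its code-signing
# publisher. Any driver loaded from a temp or user-writable path is treated as
# suspicious regardless of signer.
RAW_DISK_SIGNERS = {"eldos corporation"}
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\users\\", "\\programdata\\")

EXFIL_LOOKBACK = timedelta(days=30)  # window to inspect before a driver load
EXFIL_THRESHOLD = 1_000_000_000      # bytes to one destination (1 GB, constructed)

NET_RE = re.compile(r"dst=(\S+)\s+bytes=(\d+)")
DRV_RE = re.compile(r"image=(\S+)\s+signer=(.+)$")


def parse_log(text):
    """Turn the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        if kind == "NET_OUT":
            m = NET_RE.search(detail)
            ev.update(dst=m.group(1), bytes=int(m.group(2)))
        elif kind == "DRIVER_LOAD":
            m = DRV_RE.search(detail)
            ev.update(image=m.group(1), signer=m.group(2).strip())
        events.append(ev)
    return events


def is_raw_disk_driver(ev):
    """True for a DRIVER_LOAD matching the raw-disk signer or a bad load path."""
    signer_hit = ev["signer"].lower() in RAW_DISK_SIGNERS
    path = ev["image"].lower()
    path_hit = any(frag in path for frag in SUSPICIOUS_PATH_FRAGMENTS)
    return signer_hit or path_hit


def outbound_volume(events, host, before, lookback=EXFIL_LOOKBACK):
    """Bytes sent per destination by `host` in the window ending at `before`."""
    totals = defaultdict(int)
    for ev in events:
        if (ev["kind"] == "NET_OUT" and ev["host"] == host
                and before - lookback <= ev["ts"] < before):
            totals[ev["dst"]] += ev["bytes"]
    return dict(totals)


def analyse(text):
    """Correlate raw-disk driver loads with preceding bulk outbound transfer."""
    events = parse_log(text)
    findings = []
    for ev in events:
        if ev["kind"] != "DRIVER_LOAD" or not is_raw_disk_driver(ev):
            continue
        volumes = outbound_volume(events, ev["host"], ev["ts"])
        staged = {d: b for d, b in volumes.items() if b >= EXFIL_THRESHOLD}
        findings.append({
            "host": ev["host"],
            "driver": ev["image"],
            "signer": ev["signer"],
            # Exfiltrate-then-wipe is the Sony/Shamoon shape; the driver load
            # on its own still merits an immediate page-out.
            "severity": "critical" if staged else "high",
            "exfil": staged,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data only ws-0412 is flagged: it moved roughly 7.2 GB to one external address over three nights and then loaded a driver from a temp directory with the raw-disk signer. The ws-0777 load of a Microsoft-signed driver from the normal drivers directory is ignored, as is its small outbound transfer. The two checks are deliberately separable: the volume rule is the one that buys you the weeks of warning, the driver rule is the one that fires minutes before the wipe.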
The next post will probably be the year retrospective, which I expect to land just before Christmas, or whatever further Sony developments happen this week. The political-cyber dimension of this incident is going to dominate practitioner conversations through Christmas regardless.