Hackers probably gained access to Sony's network last year after a series of phishing emails aimed at system engineers, network administrators and others who were asked to verify their Apple IDs, a security expert said today.
Last fall, Sony Pictures Entertainment, a U.S. subsidiary of Sony, was infiltrated by attackers, who purloined gigabytes' worth of files, ranging from emails and financial reports to digital copies of recently released films. Then just before Thanksgiving, the attackers crippled Sony's PCs with malware that erased the machines' hard drives.
Several weeks later, the FBI formally pinned responsibility for the attack on the North Korean government.
Stuart McClure, founder and CEO of Cylance, and formerly the CTO of McAfee, analyzed files that the hackers dumped on the Internet — as well as the malware used in the attack — and concluded that the likeliest explanation was that the assault began with so-called "spear phishing" emails directed at employees who had significant or even root access to Sony's network.
Those emails, which appeared to be from Apple but were not, demanded that recipients verify their Apple ID credentials because of purported unauthorized activity. If an included link was clicked, the victim ended up at a site that hosted an official-looking request for account verification. Apple ID is the account used by iPhone, iPad and Mac owners to connect to iCloud and purchase content on iTunes.
McClure and Cylance found numerous examples of the Apple ID phishing emails in the contents of Sony workers' inboxes that the attackers later published on the Web.
"It was clear to us that this was the likely scenario," said McClure in an interview today. "There were multiple attempts at spear phishing from the Oct. 3 to Nov. 3 timeline that were getting incredibly more sophisticated as they went on."
Those emails had been directed, at least in part, at critical Sony employees who were the most likely to have broad access to the company's network. The hackers apparently scouted LinkedIn — the popular career website — for the names and titles of those workers.
"There was a very direct connection between the passwords obtained and the LinkedIn listings for those who had network privileges, including system engineers," said McClure.
The hackers may have used the harvested Apple ID credentials to guess employees' internal passwords, on the assumption that password reuse is commonplace, or may even have tricked some recipients into disclosing their Sony credentials directly by telling them to enter those usernames and passwords in the bogus Apple ID verification screens.
"A number of these users whose credentials had been captured and then hard-coded into the malware were folks who had significant access to the network," McClure contended.