
FBI memo warns of malware possibly linked to hack at Sony Pictures

Steve Ragan | Dec. 3, 2014
Insiders who have seen the memo believe the timing is no coincidence.

[Image: Sony headquarters. Credit: REUTERS/Yuya Shino]

A Flash Alert issued by the FBI on Monday is warning those within its distribution circle about a type of malware that has the ability to destroy any system it infects. The memo, #A-000044-MW, was obtained by Salted Hash from a source that wishes to remain anonymous.

Those who have seen the memo, including the group where it was first shared, are speculating that it's related to the incident at Sony Pictures.

The speculation is based in part on the recent theory that North Korea is behind the attack on Sony Pictures due to possible outrage over the movie The Interview, and on the malware's resource section, which uses the Korean language. Moreover, similar malware was used in attacks on South Korea in 2013.

In both cases - South Korea then, and Sony Pictures now - the malware forced the victim's networks offline according to local reports out of Korea and Sony's own employees.

While pulling the plug and shutting down systems is usually frowned upon during an active incident, administrators targeted by this malware have little choice. Given its nature, it's likely the only option available to Sony when the attacks started last week was to disable access to anything with an IP - or watch as the device is infected and erased.

This theory is somewhat corroborated by employee reports from last week, stating that VPN and Wi-Fi access was disabled almost immediately after the incident started.

The FBI says that the malware will make it "extremely difficult and costly, if not impossible, to recover the data using the standard forensic methods."

Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware -- called a wiper in some circles -- will initiate a beacon and phone home.

The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connects to them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shut down and rebooted.

The memo warns that once the beacons start, the process of wiping the files has begun.
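As an added illustration, not taken from the memo or the article, here is a defender-side check built around the reconnect pattern just described: it scans constructed firewall log lines for flows to ports 8080 or 8000 whose connection gaps cluster around the 10-minute interval. The log lines and addresses are constructed (documentation-range IPs); the memo's actual C&C addresses are not reproduced here.

```python
"""Beacon-periodicity check for the reconnect pattern described in the FBI alert."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample firewall log lines (not from the memo): "timestamp src dst dport".
# 192.0.2.10 connects to a documentation-range address every 10 minutes on 8080;
# 192.0.2.11 makes ordinary, irregular web traffic on 443.
SAMPLE_LOG = """\
2014-11-24T03:00:00 192.0.2.10 203.0.113.7 8080
2014-11-24T03:01:12 192.0.2.11 198.51.100.20 443
2014-11-24T03:10:00 192.0.2.10 203.0.113.7 8080
2014-11-24T03:14:30 192.0.2.11 198.51.100.20 443
2014-11-24T03:20:01 192.0.2.10 203.0.113.7 8080
2014-11-24T03:29:59 192.0.2.10 203.0.113.7 8080
2014-11-24T03:41:00 192.0.2.11 198.51.100.20 443
"""

WATCH_PORTS = {8080, 8000}   # ports named in the alert
BEACON_PERIOD = 600          # 10-minute reconnect interval, in seconds
TOLERANCE = 30               # seconds of jitter allowed either side of the period
MIN_HITS = 3                 # need at least three connections to call a flow periodic


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, period=BEACON_PERIOD, tolerance=TOLERANCE):
    """Return (src, dst, dport, median_gap_seconds) for flows on the watched
    ports whose median inter-connection gap is within `tolerance` of `period`."""
    hits = []
    for (src, dst, dport), times in parse_log(text).items():
        if dport not in WATCH_PORTS or len(times) < MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            hits.append((src, dst, dport, round(median(gaps))))
    return hits


if __name__ == "__main__":
    for src, dst, dport, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{gap}s")
```

A real deployment would also want to watch for the follow-on behaviour the alert describes (a long idle period followed by an unexpected reboot) rather than relying on port numbers alone.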

Again, while it is believed that the FBI memo is discussing malware related to the Sony Pictures incident, it doesn't mention Sony directly. Yet the timestamps on the malware itself align with the attack on Sony's network (22-NOV and 24-NOV respectively).

The FBI would not comment on anything related to the Sony incident. The only certainty is that the Los Angeles Field Office is looking into the matter.
