The Sony hack and the perils of attribution.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:22] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Brian Martin: [00:01:42] So, one of the offerings that RBS - or Risk Based Security - does is data breach tracking.
Dave Bittner: [00:01:48] That's Brian Martin. He's the VP of Vulnerability Intelligence at Risk Based Security. The research we're discussing today is titled, "You Didn't Think the Sony Saga Was Over, Did You?"
Brian Martin: [00:01:59] As it sounds, you basically look for any data breach where there was a loss of information from a company, and it doesn't matter to us whether it was an outside hack, an insider, lost media - we track it all. And we basically aggregate that information, wrap metadata around it, and then do a wide variety of analytics, so the customers that use that data can basically look at what it's like in their industry, are there increased attacks against people in the same verticals, et cetera.
Brian Martin: [00:02:31] So when we were looking at the Sony breach, we were looking at some of the interesting facets like, obviously, the attribution - who did it? Then a lot of security companies started chiming in saying it was North Korea, others said China, some said internal employees. There were a wide variety of suspects and ideas behind it. Because of the breach, what it impacted - by that I mean the internal emails and media leaks, movies, you name it - I mean, Sony basically just got ransacked. But the internal emails alone made it a lot more interesting for people, because you've got a good glimpse at how Sony operated, kind of day-to-day, at the executive level.
Dave Bittner: [00:03:16] Hmm.
Brian Martin: [00:03:15] And some of it was not easy to read. It was kind of messy. There were some emails that were considered largely racist. There was a wide variety of emails regarding actors and prices that they got paid, and there was disparity between male and female actors. So yeah, there were a lot of different nuances to this breach that went way beyond the technical - beyond, okay, who hacked them? - and it really became a huge social issue.
Brian Martin: [00:03:47] So, with all of that coming down day-by-day, we started to kind of track it and do a roundup of the news, and kind of our commentary on it. And we ended up doing - I think it was 23 updates between November 24th, 2014 and February 22nd. So, over two months we did a lot of commentary. And then, in 2016, we kind of did a looking back, a year after the hack and after everything had died down.
Brian Martin: [00:04:19] And then, more recently, last month, news broke that the US had identified one of the actors behind the attack, and it was a North Korean government operative. So, once the bad actor was identified, it was interesting for us to go back to the original stories to see which security companies had predicted which bad actors were involved.
Dave Bittner: [00:04:45] Hmm.
Brian Martin: [00:04:45] And we kind of reexamined that to see how many of them had said North Korea, how many had said China, how many said internal, and kind of point out, well, this is once again the hard part about attribution for any kind of computer attack.
Dave Bittner: [00:05:02] Yeah. I mean, I remember back in 2014, there was this notion of this group called "The Guardians of Peace," and then it flipped all over the place. Like you mentioned earlier, it was - there was speculation that it was all internal, that there weren't any foreign actors at all. Then, over time, it seems like we landed on this group - the Lazarus Group. Can you describe to us - how did we get to that point, and what do we know about them?
Brian Martin: [00:05:28] So, the build up - obviously, some people suspected that North Korea was involved, originally. The fact that North Korea was actually in the press making statements, at one point saying, maybe it was us, maybe it wasn't, and then later denying it. There was clearly some evidence pointing that direction - technical evidence - and it was found by both private companies and US law enforcement.
Brian Martin: [00:05:52] So between that and the notion that it could have been, over the past roughly two years, what is known as the Lazarus Group has been active in several other campaigns, and we created a quick timeline of the lead-up between February 2016 and August 2018 - so right before the North Korean was positively identified - and it shows the Lazarus Group, not only engaging in a wide variety of campaigns, but a lot of them were based on stealing money - one that was Bitcoin or the Bangladesh Central Bank heist. They're believed to be behind a wide variety of ransomware, including WannaCry.
Brian Martin: [00:06:34] There are other pointers that suggested, wait a minute, this group is part of this campaign, and now we're seeing even more indications of that campaign and some of the same technical footprints that were related to Sony. And so, basically, kind of behind the scenes - even though a lot of this was public in one-off articles - I imagine, behind the scenes, the FBI and the other law enforcement agencies investigating were compiling this evidence, and it was basically just slowly building up and painting this picture that, one way or another, North Korea was involved.
Dave Bittner: [00:07:08] Yeah, it's interesting - I think one of the aspects is that, generally, when we think of North Korea, they're after money. They're looking to fund their operations. And the Sony hack - as you say, there was a lot of intrigue there, perhaps not so much on the financial side.
Brian Martin: [00:07:26] Yeah. When the Sony breach happened, and the fallout shortly after, there was a lot of speculation that North Korea was involved because it related to the Seth Rogen movie centered around North Korea, and that movie portrayed the - essentially, the assassination of Kim Jong-Un. So some people thought, oh, this is a pure revenge-hack, and that's why the hack was also centered around embarrassing Sony, and stealing IP and media, or movies, or whatever. It was a lot of the follow-up activity - whether it was the ransomware, the Bangladesh heist, or later, targeting cryptocurrency exchanges and executives - that you saw this clear pattern where pure financial incentive was involved.
Dave Bittner: [00:08:12] It's interesting that the Department of Justice named a specific person, for a couple of different directions, I suppose. First of all, what is your take on that? The fact that they did that - how do you interpret that?
Brian Martin: [00:08:26] So, to me, this is interesting. With an operation that big, and the Lazarus Group, there's certainly more than this one person involved. You know, they're probably going to have at least half a dozen, maybe a dozen, who knows, several dozen people. There's going to be a command structure that basically guides them or suggests what they should be targeting. And for them to name one person may be somewhat political. That the US wants to say, hey look, we know you're involved, here's proof, here's us showing that we've got certain information, and you can read between the lines that we have a lot more than this. So it may be a way for the US to basically fire a shot across the bow, so to speak, and say, back off, we're on to you, we're watching, we know a lot more than you think.
Dave Bittner: [00:09:20] Yeah, and what what is your response - I mean, I've certainly heard criticism from folks, from a policy point of view, who suggest that, what if the shoe were on the other foot? What if the North Koreans, or the Russians, or any of our adversaries in cyberspace did the same thing to us, and put up a photograph of a United States person who was working at, you know, the NSA or one of our other agencies - how would we respond to that?
Brian Martin: [00:09:44] It'd be interesting. I think the US would respond differently based on the agency. I think it would be a very different response, for example, from the NSA, which would be mostly silence, or if they were compelled to release a statement, versus what the White House might say, versus the FBI...
Dave Bittner: [00:10:00] Mm-hmm.
Brian Martin: [00:10:00] ...Or versus any of our diplomats. You know, this has been a cat-and-mouse game for many, many years between all of these countries. Basically any modern country has a capable group of doing this level of intrusion, and we all know it. And each country knows that the rest of them have capability. So this kind of folds into what many people call the cyber Cold War, which is, in some ways, reminiscent of the original Cold War. And in many ways it's different, because of the speed of the information, the style of attack, basically the potential impact behind all of the attacks as well.
Brian Martin: [00:10:42] So, I fully expect this to happen to the US at some point, and to probably happen to China, Russia, some of the European nations, which a lot of people forget maintain the same type of groups, and some of those European nations are well-known for their espionage capabilities. It'll be curious to see if this becomes a tactic, just as kind of a - okay, we caught you on this one back off a few. We know you're going to continue, but publicly you have to kind of eat some crow and then lay low for a bit.
Dave Bittner: [00:11:16] Hmm. Now, take us through what has taken place with Sony since the hack. What's been the long-term fallout?
Brian Martin: [00:11:23] So, after the breach, within the first year or two, some of the Sony executives - even a year or two later - still didn't trust digital media, and resorted to using fax machines more. They were unwilling to put certain information in emails at all. I imagine the amount of phone calls and in-person meetings went up drastically. There were several class-action lawsuits filed in 2014 and 2015. At least one of them reached a settlement - probably more. Unfortunately, we didn't have time to dig into all the lawsuits because there were so many of them. There were at least one or two executives that were pushed out or pressured to resign for various reasons.
Brian Martin: [00:12:10] There was also doubt from some of the executives whether the studio would be able to survive at all. When that came out years later, when journalists asked and said, hey, you know, in the past few years, what did you think of the hack? And it's kind of telling that an executive would say, hey, that one breach had the potential to shutter the entire studio. And it's interesting, because we often see these huge data breaches - the most recent, Facebook, and we know about Equifax and, you know, these insane numbers of records that are taken - and, for the most part, no one thinks that any of those companies are going to fold. Typically, what we see is that, if they're a public company, their stock takes a hit, and within three months, the stock is back up to where it was. And in some cases, it actually goes up after that. So the notion that this kind of hack could completely destroy a business to that degree, for a business this size - it's fascinating.
Dave Bittner: [00:13:12] And what do you suppose the takeaway lessons have been for the professionals in the cybersecurity industry? When they look back on this and what has happened since, how does it inform their actions?
Brian Martin: [00:13:24] My number-one hope is that the companies and the researchers that are operating in this area will be a little slower to jump to attribution, because, as we saw, there were quite a few companies and researchers that - at least based on what we know now - got it completely wrong. Others were correct, but we also don't know the extent of the Lazarus Group right now. The government identified one person but we don't know a lot beyond that, or what we do know isn't quite as public, or it may be classified.
Brian Martin: [00:14:00] So, attribution can be important, but it's also one of the things that, if you jump to a conclusion, obviously, it doesn't look so good for your skills and your investigation, but it can also cause political fallout. In 2014, as I mentioned earlier, we saw North Korea making public statements to the news, and in one of them they said, maybe it was us, and then they denied it. So, even just leveling accusations like that can increase some of that tension, and could have more fallout down the road.
Brian Martin: [00:14:36] So, in this case, for example, let's say someone had said, oh, it's China - which I believe a few people did - and China has to issue a denial, but then, what if some of their command structure says, okay, screw those guys, if they're going to blame us, we're going to hit back anyway. You know, there's just a lot more that could be at play.
Brian Martin: [00:14:58] The other big takeaway, to me, is that the announcement of the one actor took over two years. And that gives us a good look at the amount of investigation that has to go into this, and basically, what it takes to be sure that you've got the right person enough to publicly say it like that, from the Department of Justice. You know, behind the scenes, that investigation had been absolutely incredible.
Dave Bittner: [00:15:24] It's interesting to me - I'm curious on your take - this notion that perhaps, sometimes, companies find it helpful to kind of take cover behind the notion that, if they were attacked, well, it must have been a nation-state, and surely you can forgive us, because who would have the resources to defend themselves against a nation-state?
Brian Martin: [00:15:46] Absolutely. And we've been seeing that for years now, where as soon as a breach happens and the company identifies that it was an external hack, basically, the default is to blame APTs - advanced persistent threats - or nation-states. And it's really easy to throw that out there, because it might be true, and you don't even need to do attribution beyond that. You don't need to say, China, North Korea, or Russia. You just have to say, wow, it was a nation-state, or it was an APT. There's no way we could have defended against that. In many cases, they're right. These groups - they earn their name APT for a reason. They're effective, and if they want to get into an organization, the odds of them doing it are extremely high - bordering on one-hundred percent.
Dave Bittner: [00:16:35] What are we seeing in terms of follow-up from the companies that are insuring these companies? I can imagine, if I'm the insurance company covering someone like Sony, and a big hack like this happens, and an organization like Sony or another one, says, oh, this was some sort of nation-state, we couldn't have protected ourselves against them. If I'm the insurance company who has to write a check in response to this, well, I'm certainly going to go in and do my due diligence to try to find out, was it Sony, or, you know, was it the disgruntled janitor with a laptop?
Brian Martin: [00:17:09] Absolutely. And so, since the whole cyber-insurance thing is relatively new, there's a lot of data points that we just don't know, since a lot of these policies aren't public, in any fashion, or they're rumors. But this story - the whole saga around Sony is interesting, because if their insurance company paid out early - and by that I mean even in 2015 or 2016 - that's still two years before there was positive attribution.
Brian Martin: [00:17:40] So, as you said, it makes you wonder what the due diligence looks like. Did the insurance companies send in their own investigative team with computer forensics experts to try to determine that? Did they figure out some of that before any of the law enforcement statements? Or, perhaps, did they kind of come back saying, well, it very much looks like an external, but we don't know the extent. We don't know who - could have been a kid in the basement, could have been APT, could have been nation-state, whatever. I have a feeling that it's going to make some of the insurance companies revisit their policy, and perhaps their timetables on when to pay out. Because if we see more and more of these investigations that take, ultimately, four years, then, yeah, why would an insurance company be so quick to pay out if, years later, it turns out, nope, it was an insider, or nope, it was complete negligence.
Dave Bittner: [00:18:35] Right.
Brian Martin: [00:18:36] It's one of the areas that I hope we see more data and more journalism cover it, or the journalists specifically go down that path with the company and their spokespeople, and say, okay, you know, let's talk about your insurance. Did you have it, what was the policy like, did you get paid out, what was the disposition according to the insurance company? And with that kind of data, we could actually start to track more and more of those trends. And that in turn would also be of value to the insurance companies, obviously.
Dave Bittner: [00:19:14] Our thanks to Brian Martin from Risk Based Security for joining us. The research is titled "You Didn't Think the Sony Saga Was Over, Did You?" You can find it on the Risk Based Security website. We'll have a link in the show notes.
Dave Bittner: [00:19:28] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:19:36] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:19:42] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe where their co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.