TEL AVIV — The malware that allowed hackers to break into and steal untold amounts of emails and data from Sony Pictures could have been carried out by almost anyone with financial backing to buy the right malware, cybersecurity experts said Thursday.
Hackers carried out the attack using malware that was a "cut and paste" job, said Nimrod Kozlovski, a partner in JVP Labs, one of Israel's leading venture capital firms with a focus on cybersecurity. Trojan-Destover, the malware used in the Sony attack, reused at least six components of previous malware, including two pieces of "wipers," or data-erasing malware, used in attacks on Saudi Arabia in 2012 and South Korea in 2013. All the malware had to be only slightly tweaked before it could be used in the Sony attack.
"This is the world we live in today. For the right amount of money and a bit of know-how you can buy this sort of attack," said Kozlovski.
The Shamoon malware used against the Saudi Arabian oil giant ARAMCO wiped out two-thirds of the company's PCs, while DarkSeoul targeted South Korean banks and government financial institutions. In both cases, the malware erased all data in its wake, making it harder to trace the source of the attack and regain lost information.
Sariel Moshe of the Israeli cybersecurity firm CyActive said that despite the publicity surrounding those attacks, the malware was still widely available to hackers on the black market.
"Even in such damaging scenarios, the cyber attacker's tools are reused. For them, if it worked once, tweak it a bit and it will work again. The attack on Sony demonstrates quite clearly that this method works quite well," Moshe wrote in a blog post.
Unnamed U.S. officials have accused North Korea of being behind the attack, which began by exposing tens of thousands of sensitive documents and escalated to threats of terrorist attacks against the opening-day release of The Interview, a North Korea assassination comedy starring James Franco and Seth Rogen. But cybersecurity experts say that while a nation-state could be behind the attack, it was also possible that a hacking collective, especially one with some insider knowledge of Sony's systems, could have carried out the attack with the blueprint for malware already available on the dark web.
"What is striking here is how well they knew to exploit Sony's vulnerabilities. The malware itself is not creative or new, there are plenty of actors that could have manifested this particular attack … it would not require a state actor," said Kozlovski. "What is more interesting is that this is the first time we've seen cyber warfare used in this sophisticated manner. The hackers realized they could start a domino effect. They knew more about the company, Sony, and its vulnerabilities than they knew, or needed to know, about hacking."
The hacking, which began on Nov. 24 with the release of emails exposing top executive salaries and catty celebrity mudslinging, culminated earlier this week, when Sony announced it was pulling the movie The Interview from theaters amid threats of a "9/11"-style attack on cinemas daring to show the Seth Rogan and James Franco comedy.
"The hackers knew just how to play the system to inflict maximum damage on Sony," said Kozlovski.
In recent days, the Marc Rogers blog has led speculation over the likelihood of North Korea's involvement, suggesting that a hacktivist collective could have easily planted clues leading investigators toward North Korea as a culprit in order to give law enforcement an easy target to blame.
Cybersecurity experts say that without reviewing the system logs kept by Sony, it would be impossible to begin to guess who was behind the attack or what their ultimate goal was.
"Everyone is assuming we know the target or the scope of the attack. Unless we have a broad picture and all the records, it's impossible to say how big this attack was," said Dan Pastor, head of intelligence for Cytegic, a cybersecurity analytics company based in Israel. "This is something that Sony is right now keeping close to their chest. They will probably only disclose it with law enforcement agencies."
Without knowing the target of the hack or how they focused their data collection, all that was possible to conclude was that someone used readily available tools to exploit Sony's weaknesses, said Pastor.
"Nation states, espionage groups, or hackers with financial incentives can get the tools needed to carry out this attack. If they have enough money they can buy the blueprint of a cyber weapon," said Pastor. "If we look back at the early days of nuclear weapons, the way we saw proliferation happening from Pakistan to North Korea, we see the same thing happening right now with cyber. Experts can connect with each other; the proliferation of these tools used by hackers is happening in real time."
Pastor said that tools that in the past were only used by nation states such as the U.S. or Israel have long been available on the black market and available to the highest bidder.
"Imagine it like this," said one Israeli cyberintelligence officer in the Israeli Defense Forces, who helped investigate the previous attack on Saudi Arabia despite the fact that Israel and Saudi Arabia do not maintain diplomatic relations. "Someone invents a new weapon that is very effective. The first time they use it, everyone is caught off-guard because they didn't know such a weapon was possible. Then, they start to sell copies of it on the black market, and any mercenary anywhere in the world can now duplicate the weapon and try and deploy it. If you are responsible, you protect yourself, you put up defenses."
"Unfortunately," he said, "many companies have not been responsible — they have left themselves open to an arsenal of new weapons that are now available for hire online."
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.