Slashdot Mirror


Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators

chicksdaddy writes Alternative theories of who is responsible for the hack of Sony Pictures Entertainment have come fast and furious in recent weeks -- especially since the FBI pointed a finger at the government of North Korea last week. But Norse Security is taking the debate up a notch: saying that they have conclusive evidence pointing to a group of disgruntled former employees as the source of the attack and data theft. The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals — in the U.S., Canada, Singapore and Thailand — that it believes carried out the attack, including at least one 10-year employee of SPE who worked in a technical capacity before being laid off in May. Rather than starting from the premise that the Sony hack was a state sponsored attack, Norse researchers worked their investigation like any other criminal matter: starting by looking for individuals with the "means and motive" to do the attack.

HR files leaked in the hack provided the motive part: a massive restructuring in Spring, 2014, in which many longtime SPE employees were laid off. After researching the online footprint of a list of all the individuals who were fired and had the means to be able to access sensitive data on Sony's network, Norse said it identified a handful who expressed anger in social media posts following their firing. They included one former employee — a 10-year SPE veteran whom Stammberger described as having a "very technical background." Researchers from the company followed that individual online, noting participation in IRC (Internet Relay Chat) forums where they observed communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia. According to Stammberger, the Norse investigation was eventually able to connect an individual directly involved in conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July, 2014.

44 of 158 comments

  1. Like an episode of 24... by Anonymous Coward · · Score: 4, Insightful

    Cyber-hack against US subsidiary.
    'Obvious' perpetrator targeted by hardliners in government who leverage the blood-lust of the populace, and who pressure the president into immediate action.
    Actual perpetrators turn out to be a small group of disgruntled employees.

    1. Re:Like an episode of 24... by ihtoit · · Score: 3, Insightful

      this was my first thought as well, nothing so well executed could be done without inside information.

      Now for those who didn't realise before, this is why safecrackers find out what their target safe is and buy a duplicate to practice on first.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    2. Re:Like an episode of 24... by PopeRatzo · · Score: 2

      You don't need the whole safe, just the lock.

      --
      You are welcome on my lawn.
    3. Re:Like an episode of 24... by Anonymous Coward · · Score: 2, Insightful

      Group 2 Combination Locks are what are being discussed here. La Gard, S&G, Diebold, and Mosler are some of the common brands. S&G 6730 is the generic one I'm used to. Nice locks...

      "Autodialer" or "Soft Drill" if I was a bad guy. Drill and scope, or "through the spindle" tools would be my preferred tactics(if I knew the safe didn't have additional relockers). "Drilling the fence" or "drilling the bolt" are both pretty crude. You can also drill the back/bottom/sides/top of the container and then scope the "change key hole" just as effectively(unless there is a cover in the way).

      Let's be real: if I was a bad guy: I would have a motion activated hidden camera take video of the dialing process or bouncing an infrared laser.

      Hall effect, gyroscope,(or RF retroflector) based rotary encoder etc. hidden in a modified dial? None of that gamma-radiography bollocks. Could probably fit a small hearing aid battery, AVR and a MEMs gyroscope in a "Masterlock" dial. Big ass safe dial would be a piece of cake. Trick is getting alone with the thing long enough to do all this without it being tamper-evident.

      This is why I'm not a bad guy: James Bond gadget fetish, embedded programming skills, and locksmithing background pays a lot better in the private sector than jail. Gonna put down the "Lockmasters" catalog and write some "C" code now.

    4. Re:Like an episode of 24... by gzuckier · · Score: 2

      That can mean only one thing.... we need to invade Iraq.

      --
      Star Trek transporters are just 3d printers.
  2. Circumstantial at best ... by Anonymous Coward · · Score: 5, Insightful

    Nothing anywhere near conclusive from the information provided.

    1. Re:Circumstantial at best ... by d1on1x · · Score: 4, Insightful

      Nothing anywhere near conclusive from the information provided.

      While that is true, the same is true for the information released that suggested North Korea is/was/would-be behind the hack.

    2. Re: Circumstantial at best ... by Anonymous Coward · · Score: 2, Funny

      North Carolina should not act in such regard!

  3. Re:IRC by JMJimmy · · Score: 2, Informative

    forum
    fôrm/
    noun
    noun: forum; plural noun: forums; plural noun: fora

            1.
            a place, meeting, or medium where ideas and views on a particular issue can be exchanged.

  4. from TFA by jbmartin6 · · Score: 3, Insightful

    Stammberger was careful to note that his company’s findings are hardly conclusive

    Draw your own conclusion. At least he didn't throw in the old 'we have other information we won't reveal' claim the government always uses to mask its own speculation.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. Oh how great is this! by bickerdyke · · Score: 3, Interesting

    Now being skilled and being laid off automatically makes you a crime suspect for having "means and motive".

    For us in the IT business, we wouldn't be hired if we didn't have the knowledge that could also be used for blackhat purposes, and being laid off during a restructuring is usually nothing an individual can control.

    Thank you....

    --
    bickerdyke
    1. Re:Oh how great is this! by ihtoit · · Score: 5, Interesting

      motive, means, opportunity:

      MOTIVE: disgruntled ex employees. Check.
      MEANS: prearmed with information on the machinations of SPE, not ordinarily known to the public. Check.
      OPPORTUNITY: High profile release with the potential to piss off a State leader and shift the blame onto him. Check.

      Yes, being a pissed off ex employee with inside information and the chance to make a high profile disruption to those who would risk your mortgage and pension with little to no personal risk is a big fucking bullseye.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    2. Re:Oh how great is this! by ColdWetDog · · Score: 2

      That's absolutely correct. Again, means and motives. The intersection of those two sets would give you persons of interest. If a security researcher doesn't look at the admins in a breach, would you consider them competent?

      So you might be a 'suspect'. In the real world (as opposed to the paranoid crazy version here) someone would politely sit down with you and discuss a few things. Then someone else might come over and discuss some more things. Your work logs might be reviewed. If you worked from home and preliminary review made you even more interesting, you might be asked to cough up bits of your home computers - which is why you want to isolate work from play.

      It DOESN'T mean that the swat team will barrel through your door or that the FBI will cart off your desk. Again, it's how any investigation happens. If that really bugs you, get a job on a farm and stay the hell away from the fertilizer.

      --
      Faster! Faster! Faster would be better!
    3. Re:Oh how great is this! by bickerdyke · · Score: 4, Insightful

      Yes, but it shouldn't be THAT easy to produce people with those bullseyes.

      "Hey, let's fire a few IT guys. Just in case we need to bring up some capable, disgruntled ex-employees as scapegoats if we ever get hacked."

      It's an effing huge difference if you are a suspect for something you are or do, or for something that someone else does to you.

      --
      bickerdyke
    4. Re:Oh how great is this! by Nidi62 · · Score: 3, Insightful

      It DOESN'T mean that the swat team will barrel through your door or that the FBI will cart off your desk.

      Unless the local Sheriff's Department just took delivery of that surplus MRAP and M4s and wants to try them out.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    5. Re:Oh how great is this! by Ol+Olsoc · · Score: 4, Funny

      You act as if disgruntled (ex-)employees have never done such a thing before. You would be wrong.

      Seems like they need to gruntle them then..

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Oh how great is this! by Ol+Olsoc · · Score: 4, Insightful

      It DOESN'T mean that the swat team will barrel through your door or that the FBI will cart off your desk.

      And sometimes it does. Seems like the best thing is to make certain no one thinks you are disgruntled.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Oh how great is this! by bickerdyke · · Score: 2

      Yes, but that's not how it happens in real life.

      Even if the full SWAT team is rather rare, it's not unheard of. And those people who will sit down and politely ask some questions still may well arrive in police cars parked in front of my house. May be enough to have to look for a new neighbourhood to move to.

      But even that isn't more than an unlikely nuisance. Your name will most likely leak somewhere and each and every script kiddie that couldn't log into PSN on Christmas (not related, I know, but they don't) will start to DDoS my current business, swamp my social networks with photoshopped pics of me beating my wife and pull every prank in the book. Nothing out of the "prank" range, but may get boring after being on the receiving end of the 500th or so.

      Unfortunately, we're at a point where sometimes being a suspect is already part of the punishment.

      --
      bickerdyke
    8. Re:Oh how great is this! by bickerdyke · · Score: 2

      Read the headline. It's obviously enough to be "identified [...] as perpetrator". I know, I'm not a native English speaker, but doesn't that imply at least some level of guilt? The subtlety that the public misses is whether he is found guilty by a Scandinavian antivirus company or by judge and jury. So if the name of that suspect leaks somehow (which is more than likely), he will be guilty in the eyes of the public. Including future potential employers.

      Way too easy to have your life ruined without being guilty.

      --
      bickerdyke
    9. Re:Oh how great is this! by Jason+Levine · · Score: 2

      I think the point was that Norse Security looked at this as if it was a criminal investigation as opposed to a political finger pointing match. If the police were investigating a crime and found that an ex-employee had posted angry statements about being fired prior to the crime being committed (Motive) and had the means and opportunity to do so, they would definitely be investigated as a suspect. Rightfully so, too.

      Note that being investigated doesn't mean being charged with a crime. If the investigation showed that the person had a good alibi or uncovered evidence that pointed away from that person, then the police would drop that person from the list of suspects. If a company tried intentionally firing people to create a cover, they would risk those people having good alibis and not being suitable suspects.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    10. Re:Oh how great is this! by bickerdyke · · Score: 2

      I think the point was that Norse Security looked at this as if it was a criminal investigation as opposed to a political finger pointing match. If the police were investigating a crime and found that an ex-employee had posted angry statements about being fired prior to the crime being committed (Motive) and had the means and opportunity to do so, they would definitely be investigated as a suspect. Rightfully so, too.

      Absolutely right. But let's think this through to the end. So, if I ever get laid off I would
      a) not have the right to be "disgruntled" unless
      b) I make sure I'll be surrounded by a potential witness just in case I'm investigated and need to produce an alibi for any time an attack on my ex-employer might have happened.

      As you said, if I can't do that I wouldn't be dropped from the list of suspects unless "the investigation showed that the person had a good alibi or uncovered evidence that pointed away from that person,"

      And there isn't a guarantee that there will be evidence at all that points to the true perpetrator. (And if you're single and unemployed, NOT having an alibi for most of your day is the norm.)

      So while you're still absolutely right, only in an ideal world would this be enough to avoid additional hard times for laid-off employees.

      --
      bickerdyke
  6. This is impossible! by fuzzyfuzzyfungus · · Score: 5, Insightful

    I was assured by numerous talking heads that this particular network intrusion against a Japanese multinational was not only state-sponsored; but an act of Cyber-terror-war against America and the Homeland, and something that could only be answered in a suitably apocalyptic fashion, lest our nation's honor be soiled!

    How could it possibly be something as pedestrian as upset employees?

    1. Re:This is impossible! by Anonymous Coward · · Score: 3, Interesting

      Because in corporate America they are the same thing.

    2. Re:This is impossible! by ColdWetDog · · Score: 3, Funny

      answered in a suitably apocalyptic fashion

      Cool. So the rumors that Kanye West and Kim Kardashian are moving to Pyongyang are true?

      --
      Faster! Faster! Faster would be better!
    3. Re:This is impossible! by fuzzyfuzzyfungus · · Score: 2

      It chills me that any other possibility would not be ruled out automatically; but thankfully, I am. Unfortunately, that apparently makes me saner than parts of congress, never mind talk radio, and I'm a guy who impersonates a fungus on the internet for fun, FFS.

    4. Re:This is impossible! by fremsley471 · · Score: 2

      Bang on the money. The well reasoned arguments here: http://marcrogers.org/2014/12/...

      were made before the DPRK link was fixed in the news cycle. It was then instructive to watch workings of the new McCarthyist cheerleaders, even (especially) here on Slashdot. People seriously writing 'the FBI have all the incriminating evidence, they just can't share it with you' type-comments.

      The eleven years since the non-existence of WMDs may seem a long time for the kiddies running the military's multiple personality software, but most people here won't ever buy that crap again.

  7. Told you it wasn't North Korea by Nyder · · Score: 4, Interesting

    And yet I was called a North Korean and other things for saying what is obvious.

    Love the internet. So fuck you all. I was right and you FBI/President believing dumb fucks are wrong, again.

    As I said before, the USA owes the NK a big fucking apology.

    --
    Be seeing you...
    1. Re:Told you it wasn't North Korea by CrimsonAvenger · · Score: 5, Insightful

      Umm, you think that the inconclusive opinions of a subsidiary of Monoc Security are positive proof?

      Seems to me you're doing exactly what the guys you're pooh-poohing were doing - using your own opinions to turn next to no data into proof positive that you were right.

      --
      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:Told you it wasn't North Korea by meta-monkey · · Score: 4, Funny

      That sounds just like something a North Korean would say...

      --
      We don't have a state-run media we have a media-run state.
    3. Re:Told you it wasn't North Korea by Deadstick · · Score: 4, Insightful

      OK, let's see. A government agency issues an opinion on who did it: Obviously a lie.

      A commercial security company issues an opinion on who did it: Case closed.

      Love the Internet.

  8. Sigh by drinkypoo · · Score: 4, Insightful

    starting by looking for individuals with the "means and motive" to do the attack.

    The problem is that Sony is- I wanted to say incredibly lax about security, but that's clearly not right — egregiously careless about security, and also typically, boringly evil so the people with motive are legion. You could find people with motive and opportunity under any rock.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Told you it wasn't North Korea by Anonymous Coward · · Score: 5, Funny

    I just talked with all the rest of the guys here on Slashdot, and we all agree: how could we be so stupid? We're all sorry and it definitely won't happen again; we'll pay really close attention to everything you say from here on out.

  10. Propaganda by koan · · Score: 2

    Your choice, co-ordinated propaganda campaign or massive incompetence.

    --
    "If any question why we died, Tell them because our fathers lied."
  11. Re:lemme guess by ancientt · · Score: 4, Interesting

    You're making this too hard. You can upload terabytes of data using good old SSL or encrypt files with zip tools like 7-zip and there is nothing in the stream of data that will be recognized... that's what encryption is for.

    The person wanting to get data out doesn't have to work hard at all to ensure it can't be recognized as it is being transmitted. The difficulty is in making sure that the users of the system don't notice the decrease in disk IO and loss of bandwidth. If they've got a good perimeter defense or the right heuristics for the server, they may notice "hey, that's more activity than usual" and respond, but that's about the only way to catch somebody in the act of transporting data out of a system.

    Unless they're stupid. Which, with Sony's security, they could have been.

    --
    B) Eliminate all the stupid users. This is frowned upon by society.
  12. Really, really weak evidence by plsuh · · Score: 4, Informative

    Folks,

    The evidence here is really, really weak. The connection is tenuous enough and the original pool of possible suspects via their methodology is large enough that I sure as heck wouldn't rule out a connection via random chance. Until we get better evidence, this isn't worth very much.

    Norse Security says as much in The Fine Article:

    Stammberger was careful to note that his company's findings are hardly conclusive, and may just add wrinkles to an already wrinkled picture of what happened at Sony Pictures. He said Norse employees will be briefing the FBI on Monday about their findings.

    "They're the investigators," Stammberger said. "We're going to show them our data and where it points us. As far as whether it is proof that would stand up in a court of law? That's not our job to determine, it is theirs," he said of the FBI.

    --Paul

  13. Work Environment by MrKaos · · Score: 2

    Is working for Sony that bad?

    --
    My ism, it's full of beliefs.
  14. Told you it wasn't North Korea by Anonymous Coward · · Score: 2, Funny

    I like how you worked both "I told you so" and "I was right, you were wrong" in there. Wait, are you my girlfriend? Baby, is that you? Come back to bed honey, I didn't mean any of those awful things I said.

  15. After reading TFA... by QuietLagoon · · Score: 4, Insightful

    ... it looks like Norse found what they wanted to find, and not necessarily the reality of what happened.

  16. Re:lemme guess by ColdWetDog · · Score: 2

    Or unless sending terabytes of data out is routine. Sony Pictures makes movies. Movies are digital. Digital video loves disk space.

    So sending dozens of gigabytes a day to any random address may well be business as usual.

    --
    Faster! Faster! Faster would be better!
  17. Re:um... by dhaen · · Score: 2

    Nevertheless it's slightly more credible than N.K. having done it.

  18. MINISTRY OF TRUTH SAYS by Jeremiah+Cornelius · · Score: 4, Insightful

    Oceania has ALWAYS BEEN AT WAR with East Asia.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  19. Oh so just lay the blame on some poor sap by future+assassin · · Score: 2

    and see where the stones fall, then post a disclaimer on the article saying "Well it might not be him" ????? Profit?

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  20. Re:lemme guess by cusco · · Score: 2

    I'd be surprised if they don't ship out a big pile of bits for rendering on the AWS/Google/MS clouds, since it's so much cheaper than buying dedicated CPUs that will then sit unused until the next batch of rendering needs to be done. Much of the original Star Wars movies were actually rendered after hours on servers at Informix and ARC GIS networks, so it's nothing new.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  21. Re:lemme guess by Optali · · Score: 2

    6-7 years ago I worked for the then biggest payment service provider, BIBIT, we were part of the Royal Bank of Scotland and had a massive datacentre in Scotland, I am now unable to tell how big, only that it was huge.

    Well every time Sony had a launch of some product (PS3, films, etc) they had to tell us in advance because they laid our whole datacentre flat. I recall once having to stay up in the middle of the night because we thought a massive DoS attack was going on as no other merchants were able to connect to our systems... and it was just that the idiots had forgotten to tell us in advance that they were going to send in payments for a new campaign.

    This gives you an idea of how big they were already back then (and payment data is not very "heavy", just XML) and how chaotically they operate.

    Sending out huge amounts of data would be of no concern at all for them, nobody would have noticed anything.

    --
    -- 29A the number of the Beast
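Comments 11, 16 and 21 between them make a detection point worth seeing in code: a flat "too many bytes left the network today" rule is useless at a studio whose render pipeline routinely pushes terabytes, yet a workstation that suddenly sends dozens of times its own normal volume is still visible if every host is compared against its own history. The script below is an added example written for this page; it is not code from the thread, from Norse or from Sony. The hostnames, the daily byte totals and the day numbers are all constructed sample data, and the median + k * MAD rule and its parameters are the example's own choices, not anything the commenters specify.

```python
"""Per-host egress baselining over constructed daily flow summaries (added example)."""
from collections import defaultdict
from statistics import median

GB = 10**9
MB = 10**6

# Constructed sample of daily egress totals per host: (day, host, bytes_out).
# Days 1-7 form each host's own history; day 8 is the day under review.
SAMPLE_TOTALS = [
    # Render farm: routine terabyte-scale egress every day (hypothetical host name).
    *[(d, "render01", b * GB) for d, b in enumerate([2100, 1950, 2300, 2050, 1800, 2200, 2000], start=1)],
    (8, "render01", 2150 * GB),
    # File server: steady tens of gigabytes (hypothetical host name).
    *[(d, "fileserver", b * GB) for d, b in enumerate([40, 42, 38, 45, 41, 39, 43], start=1)],
    (8, "fileserver", 44 * GB),
    # Artist workstation: a few hundred megabytes a day, then 20 GB on day 8 (hypothetical host name).
    *[(d, "ws-artist07", b * MB) for d, b in enumerate([280, 310, 295, 330, 270, 300, 290], start=1)],
    (8, "ws-artist07", 20 * GB),
]


def history_by_host(totals, review_day):
    """Split records into {host: [bytes on days before review_day]} and {host: bytes on review_day}."""
    past = defaultdict(list)
    today = {}
    for day, host, nbytes in totals:
        if day < review_day:
            past[host].append(nbytes)
        elif day == review_day:
            today[host] = nbytes
    return past, today


def flag_absolute(totals, review_day, threshold_bytes):
    """The naive rule: every host that sent more than a fixed number of bytes on review_day.
    At a video studio this fires on the render farm every single day and never on a
    workstation that leaks 20 GB, which is the failure mode comments 16 and 21 describe."""
    _, today = history_by_host(totals, review_day)
    return sorted(host for host, nbytes in today.items() if nbytes > threshold_bytes)


def flag_relative(totals, review_day, k=5.0, min_history=5):
    """Per-host rule: flag a host whose egress exceeds median + k * MAD of its own history.
    Median and median absolute deviation are used instead of mean and standard deviation so
    that one earlier burst does not inflate the baseline and hide a later one.
    Returns {host: multiple_of_its_own_median} for every flagged host."""
    past, today = history_by_host(totals, review_day)
    flagged = {}
    for host, nbytes in today.items():
        hist = past.get(host, [])
        if len(hist) < min_history:
            continue  # too little history to baseline; a brand-new host needs a separate rule
        med = median(hist)
        mad = median([abs(x - med) for x in hist])
        if mad == 0:
            mad = med * 0.05  # floor the spread so a perfectly flat history is not hypersensitive
        if nbytes > med + k * mad:
            flagged[host] = round(nbytes / med, 1)
    return flagged


if __name__ == "__main__":
    print("absolute 100 GB rule flags:", flag_absolute(SAMPLE_TOTALS, 8, 100 * GB))
    print("per-host baseline rule flags:", flag_relative(SAMPLE_TOTALS, 8))
```

Run as-is, the absolute rule flags only the render farm (a daily false positive) while the per-host rule flags only the workstation, at roughly 68 times its own median. The same shape of rule can be applied per destination or per hour rather than per day; the part that matters is that the baseline is the host's own history, not a site-wide constant.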