FBI warns of disk NUKE malware after Sony Pictures megahack
This thing could spread, say g-men
The FBI has alerted US businesses to data-wiping malware after hackers, possibly in North Korea, ransacked computers at Sony Pictures.
The malicious software described in the Feds' warning is pretty close to the malware believed to have infiltrated Sony's network. Miscreants have leaked gigabytes of passwords, personal records, unreleased movies and other sensitive data swiped from Sony Pictures' computers.
Reuters reports that a five-page confidential "flash" warning was issued to US corporations by the FBI on Monday.
That alert describes an unnamed malware that ultimately overwrites all information stored on computer hard drives, including the master boot record. Infected Windows machines are incapable of booting up after infection.
"The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the warning – which did not directly identify Sony as a victim – said.
The attack on Sony Pictures Entertainment floored corporate systems, with staff warned not to log into their work accounts until further notice.
Unreleased Sony movies, including The Interview, a spy caper about journalists roped into a plot to assassinate North Korean leader Kim Jong-un, were leaked onto file-sharing networks following the network breach. The Pyongyang government denounced the movie as an "undisguised sponsoring of terrorism, as well as an act of war" in a letter to UN Secretary-General Ban Ki-moon back in June.
This, together with evidence that portions of the data-nuking software were compiled in Korean, has led to suspicions that the Norks might be behind the attack. There are precedents for this sort of malfeasance.
Thousands of PCs in banks, insurance companies and TV stations were nobbled in March 2013 in an assault dubbed the Dark Seoul Incident. North Korea, which maintains a well known offensive cyber capability, was suspected. The outbreak was similar to a data-wiping malware attack against oil producer Saudi Aramco that knocked out some 30,000 computers in August 2012. Iran emerged as the main suspect in the Shamoon worm outbreak at Saudi Aramco but there was little hard evidence linking the state with the worm.
Evidence pointing towards North Korea in the latest case is likewise far from convincing, especially given the lack of a clear motive. Some security firms speculatively suggested extortion as a motive in the immediate wake of the Sony attack. Individual security experts have come to suspect a nation-state might well be behind the attack, even though there is nothing approaching consensus on this point. Others, such as Graham Cluley, argue there are simply too few facts to reach any conclusion.
"It is well known that nation states operate or sponsor attacks on businesses," said Piers Wilson, head of product management at Tier-3 Huntsman. "It appears that the attack on Sony is just the latest painful lesson for all enterprises. Government-level attacks do not focus purely on opposing governments, or even on related targets such as critical infrastructure. Instead, any organisation whose suffering or loss can benefit the attacker is now a target – from banks to film studios."
Sony has hired FireEye's Mandiant incident response team to help it to respond to the attack. The FBI is also investigating the case. ®