An alleged 27GB Sony Pictures data dump. 65 PlayStation web servers. One baffling mystery

What were those EC2 cloud instances doing torrenting files?

Sony PlayStation website servers were used to distribute a 27.78GB archive potentially containing sensitive data swiped from Sony Pictures computers, it's claimed.

Until early on Tuesday afternoon, San Francisco time, more than 60 systems seeding the archive on the BitTorrent network appeared to be virtual servers in the Amazon EC2 cloud, according to security researcher Dan Tentler.

A number of those fingered server instances – eg, – are also serving websites for Sony Computer Entertainment. The EC2 instances serving up the data were checked by another researcher, who found some had SSL certificates signed by Sony.

The PlayStation side of Sony is supposed to be separate to the movie and TV production side, and it was assumed the comprehensive ransacking of Sony Pictures computers last week by hackers was confined to just that subsidiary. The appearance of what seem to be PlayStation web servers in this ongoing puzzle is certainly eyebrow-raising.

To be clear, this 27.7GB cache isn't the five unreleased movies leaked online after miscreants tore through Sony Pictures systems. Those flicks are still floating around file-sharing networks, and are now being seeded by so many people that download speeds are blisteringly fast.

The "SPE_01" torrent link – dubbed "Gift of GOP: Internal data of Sony Pictures" – appeared in this anonymous Pastebin file on Monday. GOP stands for Guardians of Peace, the team claiming responsibility for the Sony Pictures network hack.

[Image: Sony EC2 instances. Caption: Strange things afoot at Sony ... the EC2 instances serving PlayStation sites and seeding the torrent, according to Tentler]

Sony Pictures did not reply to repeated requests for information.

So, speculation time. Either the data was seeded by hackers who have gained control of Sony's Amazon cloud account – or Sony could be deliberately pushing out a large archive as a honeypot to catch wannabe data thieves. Which could it be?

"At first I thought it was a honeypot because of all the sequential IP addresses [of the EC2 instances]," Tentler, of Carbon Dynamics, told The Register.

"Then [security researcher] Dave Maynor helped me out by scanning a bunch of them, found that some had SSL open and the cert was for Sony, and if you hit it with a browser, it appeared to be a generic network host. Then earlier today, they all disappeared from the seeders list of the torrent. At this point all the EC2 seeders are gone, and my best guess is that they were in fact owned by Sony."

[Image: Sony torrent file. Caption: That red line spells frustration]

The 27.78GB file is also missing some data at the end of the download, which could render the contents unreadable. If the file is incomplete then that points even more strongly to the honeypot scenario.

But Tentler said that some researchers are claiming to have retrieved at least some of the data from the download and that it looks like legitimate hacked data that Sony wouldn't want out there. ®
