Hackers obtained system administrators' passwords to pull off the mega-hack against Sony Pictures' servers, according to reports. This will come as no surprise to IT professionals.
Purloined administrator credentials gave miscreants calling themselves Guardians of Peace broad latitude to access systems and sensitive data; that much is obvious.
The attackers' ability to change every PC's screensaver in the movie giant's offices worldwide proved they had compromised one of the most powerful system accounts for the network. The attackers were able to make changes to the Windows software on every computer, too.
“This attack technique is trivial for an insider with valid network credentials and only incrementally harder for an external actor,” according to Trey Ford, global security strategist at Rapid7.
“I do not believe this data point is a useful indicator identifying an external or internal actor. The police likely have additional information which is leading them to believe the credentials were stolen.”
Although it’s steadily becoming a little clearer how Sony was hacked, it’s uncertain who pulled off the attack. Two rival theories have emerged. The FBI reckons Sony was done over by North Korea as revenge for the Nork-ribbing comedy flick The Interview, in which the nation's supreme leader Kim Jong Un is assassinated.
The other theory – backed by most IT security bods – is that disgruntled ex-employees are the most likely culprits.
Rapid7's Ford reckons the use of stolen system administrator credentials doesn’t lend weight to either whodunit theory.
“Gaining administrator credentials is one of the most sought-after tactics by attackers because it enables them to access nearly anything they desire and it enables them to impersonate a valid user on the network, evade detection and stay on the network for days, months or even years. Identifying bad actors on the network quickly will be a key area of investment for organisations’ networks in the coming years,” Ford added.
Other security experts described the Sony hack as the commercial equivalent of Ed Snowden's NSA document snatch.
“The most recent report from the US government that hackers stole system administrator credentials that led to the Sony breach is a reinforcement that system administrators and their credentials are the most dangerous threat to companies today,” said Eric Chiu, president & co-founder of HyTrust, the cloud control company.
“Snowden showed us the power of a single system administrator in his ability to steal millions of classified documents and the recent Sony breach shows how those same credentials in the hands of an attacker can lead to huge loss of business, embarrassment and brand damage for a major corporation,” he added. ®