Breach, Data Security, Incident Response, Malware, TDR

FBI warns U.S. firms of data-wiping malware following Sony attack

On the heels of a major breach at Sony Pictures Entertainment, the FBI warns that data-wiping malware has been used in an attack against a U.S. target.

New details about the Sony hack continue to emerge, most recently that the incident exposed the data of more than 6,800 employees at the company, Brian Krebs revealed Tuesday. Over the past week, news also surfaced that the attacks disrupted Sony's network operations for a time, and resulted in the leak of unreleased films online, including “Annie.”

Now, according to a Monday Reuters report, the FBI published a “five-page, confidential ‘flash'” warning providing technical details on the wiper malware launched in a U.S. attack. The alert did not name Sony as the victim of the attack, but security sources following the breach said it was “clearly referring” to the incident, the outlet said.

Citing the alert, Reuters said that the malware was capable of overwriting data on the master boot record (MBR).

“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the alert warned.  

In June 2013, Symantec uncovered a gang of cyberattackers, dubbed Dark Seoul, which targeted South Korean banks and news organizations making use of a wiper trojan, called Jokra. At the time, Dark Seoul was said to be a politically motivated hacker group active for four years. In addition to spreading trojans, the group shuttered websites via DDoS attacks and stole sensitive corporate data in a multi-tiered attack, Symantec found. On Tuesday, the firm told that it didn't have any new information to share on Dark Seoul's exploits.

In August 2012, data-wiping malware was also infamously used against oil company Saudi Aramco, around the same time that similar malware, called Shamoon, struck the Middle East energy sector.

In a Tuesday interview with, Avivah Litan, vice president and distinguished analyst at research firm Gartner, said that data-wiping code hitting the U.S. demonstrated an ongoing collaboration between North Korean hackers and attackers in Eastern Europe.

Interestingly enough, reports recently surfaced on the possible involvement of North Korea in the Sony attack, given the timing of Sony's film, “The Interview.” The comedy about a planned assassination on North Korean leader Kim Jong Un angered officials in the country, rousing a foreign ministry spokesman to call the upcoming Christmas movie release a “most wanton act of terror and act of war.”

Citing sources close to the U.S. wiper malware investigation, Litan said that it has been known for months that “North Koreans were working with cybercriminals in Eastern Europe to attack U.S. government agencies and the private sector.”

“Sony could be the latest incident that is publicly visible,” she added, saying that North Korea has not yet been proved source of the breach, though claims continue to mount via reports.

If a group leveraging the sabotage malware did, in fact, target Sony, Litan said, it's possible that attackers used the malware as a distraction so they could “do what they wanted to do without being caught,” including stealing sensitive corporate data, she said.

In prepared emailed commentary to Mike Lloyd, CTO at RedSeal, said the the Sony attack "appears to be quite distinct – while some theft of movie content did occur, the main attack was destructive," he explained.

"This has happened occasionally – for example, an attack on Saudi Aramco – but not generally with this force, applied to a U.S.-based company," Lloyd wrote. "However, security professionals are well aware that this kind of attack is not particularly difficult – that, in effect, our infrastructure is very fragile. It seems the main reason most cyber thieves do not destroy assets is because they cannot make money by doing so; however, there are evidently other adversaries who do see benefit in this kind of vandalism. As a result, the Sony attack is a wake-up call for businesses – it explains why the FBI is warning organizations to review their defensive readiness, since a similar 'IT bomb thrower' can easily target their infrastructure to do similar damage.”

On Tuesday, reached out to the FBI about its malware alert to businesses, but did not immediately hear back from the agency.

That day, Brian Krebs detailed new information on the extent of the Sony breach, revealing that more than 25 gigabytes of sensitive data on “tens of thousands of Sony employees, including Social Security numbers, medical and salary information” was stolen. On Tuesday, also provided an overview of sensitive data leaked online, such as Sony payroll information, data on top execs at the company, employees who were fired or laid off this year, and even performance reviews for some workers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.