FBI memo warns of malware possibly linked to hack at Sony Pictures

Insiders who have seen the memo believe the timing is no coincidence

A Flash Alert issued by the FBI on Monday is warning those within its distribution circle about a type of malware that has the ability to destroy any system it infects. The memo, #A-000044-MW, was obtained by Salted Hash from a source that wishes to remain anonymous.

Those who have seen the memo, including the group where it was first shared, are speculating that it's related to the incident at Sony Pictures.

The speculation is based in part on the recent theory that North Korea is behind the attack on Sony Pictures, possibly out of outrage over the movie The Interview, and on the malware's resource section, which uses the Korean language. Moreover, similar malware was used in attacks on South Korea in 2013.

In both cases - South Korea then, and Sony Pictures now - the malware forced the victims' networks offline, according to local reports out of Korea and Sony's own employees.

While pulling the plug and shutting down systems is usually frowned upon during an active incident, administrators targeted by this malware have little choice. Given its nature, it's likely the only option available to Sony when the attacks started last week was to disable access to anything with an IP - or watch as the device is infected and erased.

This theory is somewhat corroborated by employee reports last week stating that VPN and Wi-Fi access was disabled almost immediately after the incident started.

The FBI says that the malware will make it "extremely difficult and costly, if not impossible, to recover the data using the standard forensic methods."

Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware -- called a wiper in some circles -- will initiate a beacon and phone home.

The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connects to them on either port 8080 or 8000. The malware will attempt to make a connection to each of the IPs every 10 minutes. If that fails, a two-hour sleep command is issued, after which the computer is shut down and rebooted.
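The fixed 10-minute beacon interval and the two named ports are the most useful detection hooks in the memo, because a host that opens a connection to the same address on 8080 or 8000 at a steady cadence stands out in firewall or proxy logs even when the destination addresses themselves are unknown. The following script is an added example, not code from the FBI alert or from Sony's responders: it parses a handful of constructed log lines (hypothetical hosts in 10.1.1.0/24 and documentation-range destinations, not real indicators), groups outbound connections by source, destination and port, and flags flows whose inter-connection gaps cluster tightly around a target period. The `period` and `ports` parameters are assumptions chosen to match the memo; the same logic works for any beacon interval, which goes beyond the specific 10-minute case described here.

```python
"""Flag fixed-interval outbound beacons in firewall logs (added example).

Log format assumed here: 'timestamp action src dst dport', one record per
line.  The sample below is constructed for illustration; the addresses are
not indicators from the FBI alert.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: 10.1.1.5 beacons to 203.0.113.10:8080 every ~600 s;
# 10.1.1.12 hits 8080 irregularly; 10.1.1.9 connects only twice; 10.1.1.7
# uses port 443 and is out of scope for the port filter.
SAMPLE_LOG = """\
2014-11-24T01:00:00Z ALLOW 10.1.1.5 203.0.113.10 8080
2014-11-24T01:00:00Z ALLOW 10.1.1.12 203.0.113.30 8080
2014-11-24T01:01:40Z ALLOW 10.1.1.12 203.0.113.30 8080
2014-11-24T01:03:11Z ALLOW 10.1.1.7 198.51.100.4 443
2014-11-24T01:04:40Z ALLOW 10.1.1.7 198.51.100.4 443
2014-11-24T01:05:00Z ALLOW 10.1.1.9 203.0.113.20 8000
2014-11-24T01:10:02Z ALLOW 10.1.1.5 203.0.113.10 8080
2014-11-24T01:11:40Z ALLOW 10.1.1.12 203.0.113.30 8080
2014-11-24T01:15:00Z ALLOW 10.1.1.9 203.0.113.20 8000
2014-11-24T01:19:58Z ALLOW 10.1.1.5 203.0.113.10 8080
2014-11-24T01:22:00Z ALLOW 10.1.1.12 203.0.113.30 8080
2014-11-24T01:30:01Z ALLOW 10.1.1.5 203.0.113.10 8080
2014-11-24T01:33:00Z ALLOW 10.1.1.7 198.51.100.4 443
2014-11-24T01:40:00Z ALLOW 10.1.1.5 203.0.113.10 8080
2014-11-24T01:47:00Z ALLOW 10.1.1.12 203.0.113.30 8080
2014-11-24T01:49:59Z ALLOW 10.1.1.5 203.0.113.10 8080
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one record, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return ts, parts[2], parts[3], int(parts[4])
    except ValueError:
        return None


def find_beacons(log_text, ports=(8080, 8000), period=600, tolerance=0.10, min_hits=4):
    """Return [(src, dst, dport, hit_count, median_gap_seconds)] for flows that
    connect to a watched port at a steady interval close to `period`.

    A flow qualifies when it has at least `min_hits` connections, the median
    gap between consecutive connections is within `tolerance` of `period`, and
    the gaps show little jitter (standard deviation below `tolerance` * median).
    The jitter test is what separates a sleep-loop beacon from a user who
    happens to hit the same server a few times an hour.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport in ports:
            flows[(src, dst, dport)].append(ts)

    hits = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) > tolerance * period:
            continue
        if pstdev(gaps) > tolerance * med:
            continue
        hits.append((*key, len(times), med))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, dport, count, gap in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst}:{dport} ({count} hits, median gap {gap:.0f}s)")
```

On the sample data only the 10.1.1.5 flow is reported; the 10.1.1.12 flow has a median gap near 600 seconds but fails the jitter test, and the 10.1.1.9 flow has too few connections to judge. Plenty of legitimate software polls on a fixed schedule, so treat a hit as a lead to correlate with the other behaviour the memo describes (the two-hour silence followed by an unexpected reboot) rather than as a verdict on its own.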

The memo warns that once the beacons start, the process of wiping the files has begun.

Again, while it is believed that the FBI memo is discussing the malware used against Sony Pictures, it doesn't mention the company directly. Yet the timestamps on the malware itself are aligned with the attack on Sony's network (22-NOV and 24-NOV respectively).

The FBI would not comment on anything related to the Sony incident. The only certainty is that the Los Angeles Field Office is looking into the matter.

Reacting to reports that North Korea is behind the attacks, a person claiming to represent GOP told Salted Hash:

"We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.

"Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.

"The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures."

The GOP released another batch of stolen documents on Monday. The 25GB file dump is said to represent just a fraction of the data that was taken from Sony.

In related news, Sony said they've hired Mandiant to help with recovery and incident response. FireEye's forensics unit is said to have started work over the weekend.


Stories by Steve Ragan