Russian hackers have a foothold in Sony Pictures' network, security firm says

Taia Global says that either intruders from the November breach never left, or Sony Pictures was hacked a second time

Sony Pictures Entertainment (SPE) might have a second security breach on its hands, or maybe the hackers from November's scandalous attack are still inside the company systems, according to a security firm that claims to have seen evidence of Russian hackers having access to SPE internal data.

The hackers accessed SPE's Culver City, California network in late 2014 by sending spear phishing emails to Sony employees in Russia, India and other parts of Asia, U.S. security intelligence firm Taia Global said Wednesday in a report.

"Those emails contained an attached .pdf document that was loaded with a Remote Access Trojan (RAT)," the report reads, adding that once employees' computers were infected, the hackers used advanced pivoting techniques to gain access to the California network. The hackers are still inside the network, according to Taia Global.

Taia Global claims that it obtained evidence supporting its conclusions through a Russian hacker known online as Yama Tough who, Taia Global said, served prison time in the U.S. for hacking offenses and was responsible for stealing source code from antivirus firm Symantec.

In mid-January, Yama Tough provided Taia Global president Jeffrey Carr with several Excel spreadsheets and emails allegedly stolen from Sony Pictures Entertainment by an unnamed Russian hacker, who Yama Tough claimed was a member of an attack team that hacked into SPE's network.

In November a group of hackers called the Guardians of Peace launched a destructive malware attack against SPE computers after gaining access to the company's network and stealing terabytes of sensitive documents. The group dumped some of the data online in the weeks following the breach.

The U.S. government blamed the North Korean government for the attack, with both FBI and NSA officials saying they're confident about the attribution. Some security firms and experts did not agree, including Taia Global, which, based on a linguistic analysis of the English statements made by Guardians of Peace members following the attack, concluded that they are most likely native Russian speakers.

Now Taia Global, given the evidence it has in its possession, thinks one of these two scenarios is closer to reality than the assessment from Sony and the U.S. government:

First, the Guardians of Peace and this newly discovered Russian hacker group are one and the same. This would mean that Sony, the security contractors that investigated the breach and the U.S. government failed to identify all of the intruders' footholds in the SPE network, so attackers are still lurking in there.

Or second, the Guardians of Peace and the Russian hackers are different groups, and the latter has escaped detection so far.

While most of the SPE documents Taia Global claims to have obtained from the Russian hacker are from November and December, two of the emails are dated Jan. 14 and Jan. 23 respectively. This proves that "one or more Russian hackers were in Sony Pictures Entertainment's network at the time of the Sony breach [by Guardians of Peace] and continue to have access to that network today," Taia Global said.

Taia Global claims that two independent sources confirmed that the SPE documents the Russian hacker shared with it were not among those previously leaked by Guardians of Peace on the Internet. That could be because the Guardians of Peace group retained some of the documents it stole and released them now. Or it could mean that the Guardians of Peace or a different group still have access to the network. Furthermore, "Taia Global has received independent confirmation from the author of one of the documents listed that it is indeed authentic," the company said.

Sony Pictures Entertainment did not immediately respond to a request for comment.

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place