Sony hackers targeted employees with fake Apple ID emails

Hackers probably gained access to Sony's network last year after a series of phishing emails aimed at system engineers, network administrators and others who were asked to verify their Apple IDs.

Hackers probably gained access to Sony's network last year after a series of phishing emails aimed at system engineers, network administrators and others who were asked to verify their Apple IDs, a security expert said today.

Last fall, Sony Pictures Entertainment, a U.S. subsidiary of Sony, was infiltrated by attackers, who purloined gigabytes worth of files, ranging from emails and financial reports to digital copies of recently-released films. Then just before Thanksgiving, the attackers crippled Sony's PCs with malware that erased the machines' hard drives.

Several weeks later, the FBI formally pinned responsibility for the attack on the North Korean government.

Stuart McClure, founder and CEO of Cylance, and formerly the CTO of McAfee, analyzed files that the hackers dumped on the Internet -- as well as the malware used in the attack -- and concluded that the likeliest explanation was that the assault began with so-called "spear phishing" emails directed at employees who had significant or even root access to Sony's network.

Those emails, which appeared to be from Apple but were not, demanded that recipients verify their Apple ID credentials because of purported unauthorized activity. If an included link was clicked, the victim ended up at a site that hosted an official-looking request for account verification. Apple ID is the account used by iPhone, iPad and Mac owners to connect to iCloud and purchase content on iTunes.
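The lure described above has two detectable traits: a sender claiming to be Apple from a non-Apple domain, and a "verification" link whose host only imitates Apple. The following heuristic checker, added here as an illustration and not from the article or from Cylance, flags those traits in a constructed sample message; the domains, addresses and regex list are assumptions.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the Apple ID lure the article describes.
# Addresses and domains are made up; this is not a real Sony message.
SAMPLE_PHISH = """\
From: "Apple Support" <appleid@apple-id-verify.example>
To: sysadmin@corp.example
Subject: Unauthorized activity on your Apple ID
Content-Type: text/plain

We detected unauthorized activity. Verify your Apple ID within 24 hours:
http://appleid.apple-id-verify.example/verify?acct=123
"""

# Constructed benign comparison: brand name, but links and sender stay on apple.com.
SAMPLE_LEGIT = """\
From: "Apple" <noreply@email.apple.com>
To: user@corp.example
Subject: Your receipt from Apple
Content-Type: text/plain

Thanks for your purchase. Manage your account at https://appleid.apple.com/
"""

BRAND = "apple"
BRAND_DOMAINS = ("apple.com",)  # assumed allow-list of genuine brand domains


def _domain_ok(host):
    """True if host is a brand domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def score_apple_id_lure(raw):
    """Return a list of heuristic findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Trait 1: brand in display name, sender domain not on the allow-list.
    if BRAND in display.lower() and not _domain_ok(sender_host):
        findings.append("brand display name from non-brand domain " + sender_host)
    # Trait 2: link host imitates the brand but is not a brand domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if BRAND in host and not _domain_ok(host):
            findings.append("lookalike link host " + host)
    # Trait 3: credential-verification pressure language in subject or body.
    text = str(msg["Subject"] or "") + " " + body
    if re.search(r"unauthori[sz]ed activity|verify your apple id", text, re.I):
        findings.append("verification pressure language")
    return findings
```

Mail gateways apply far richer checks (SPF/DKIM/DMARC, URL reputation), but these three traits alone separate the constructed lure from the benign receipt.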

McClure and Cylance found numerous examples of the Apple ID phishing emails in the contents of Sony workers' inboxes that the attackers later published on the Web.

"It was clear to us that this was the likely scenario," said McClure in an interview today. "There were multiple attempts at spear phishing from the Oct. 3 to Nov. 3 timeline that were getting incredibly more sophisticated as they went on."

Those emails had been directed, at least in part, at critical Sony employees who were the most likely to have broad access to the company's network. The hackers apparently scouted LinkedIn -- the popular career website -- for the names and titles of those workers.

"There was a very direct connection between the passwords obtained and the LinkedIn listings for those who had network privileges, including system engineers," said McClure.

The hackers may have used the harvested Apple ID credentials to guess the internal passwords used by employees -- working on the assumption that password reuse is commonplace -- or even managed to trick some recipients into disclosing their Sony credentials directly by telling them to enter those account usernames and passwords in the bogus Apple ID verification screens.

"A number of these users whose credentials had been captured and then hard-coded into the malware were folks who had significant access to the network," McClure contended.

At least one appeared to be an administrator who had access to Sony's installation of Microsoft's System Center Configuration Manager (SCCM) 2007, an enterprise tool for managing large numbers of corporate computers. Among SCCM's duties: Distributing software to employees' personal computers.

"When I saw an administrator for SCCM [among the usernames and passwords in the malware], I went, 'Wow, okay, this is probably the scenario,'" said McClure, who mimicked the hackers by cross-checking leaked credentials with LinkedIn entries for Sony employees. "The attackers had software distribution rights throughout the enterprise. That made perfect sense."

McClure speculated that one reason why the attack was initially attributed to an insider was that it may have looked like an inside job. Armed with stolen SCCM credentials, the hackers could have used the software to distribute their malware to Sony's PCs. The malware could have been pitched to employees as a necessary update or new internal-only software, and because it originated from SCCM, would have been seen as entirely legitimate.

"Honestly, this is speculation, but it is a reasonable approach based on the evidence," said McClure. "The question is, 'How could this most likely have gone down?'"


Stories by Gregg Keizer
