On Monday, Sony Pictures was forced to disable their corporate network after attackers calling themselves the GOP (Guardians of Peace) hijacked employee workstations in order to threaten the entertainment giant. Now, new information suggests that the GOP had physical access to the network in order to accomplish their aims.
According to employees, who continue to speak to Salted Hash on the condition that their names not be used, the corporate network is still offline as of Tuesday morning. VPN access is likewise unavailable. In many cases employees are resorting to using non-technical means as a way to accomplish their daily tasks.
On Monday, Sony pulled the plug on networks in Culver City and New York, while overseas operations were either limited or offline entirely in some cases.
Hacked By #GOP
Warning:
We’ve already warned you, and this is just a beginning.
We continue till our request be met.
We’ve obtained all your Internal data, Including your secrets and top secret [clip]
If you don’t obey us, we’ll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM (GMT).
The problem started when a group calling itself the GOP triggered a login script that would display a warning image any time an employee logged into their corporate account. The message demanded that Sony meet previously established demands, but the exact nature of those demands was not explained.
Failure to do so would result in the publication of compromised internal documents, which, based on a list released by the GOP, are highly sensitive.
The GOP list includes private key files; source code files (CPP); password files (including passwords for Oracle and SQL databases); inventory lists for hardware and other assets; network maps and outlines; production outlines, schedules, and notes; financial documents and information; and PII.
In a statement, Sony would only confirm they're "investigating an IT matter," refusing to discuss any additional details.
When contacted, the GOP remained silent for most of Monday, but that changed early Tuesday when someone claiming to represent the group started emailing the media.
Physical Access:
According to statements made by the GOP, not just to Salted Hash, but to The Verge as well, the group had physical access to the Sony network – and that access likely happened because someone on the inside helped.
"I've already contacted the UK register with details," wrote 'Lena' – the name associated with the GOP account that responded to Salted Hash on Tuesday morning.
"However I'll tell you this. We don't want money. We want equality. Sony left their doors unlocked, and it bit them. They don't do physical security anymore."
In a statement to The Verge, 'Lena' referenced the need for equality once again, adding that Sony didn't want such a thing, and that it was "an upward battle."
"Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in. Im sorry I can't say more, safety for our team is important [sic]," 'Lena' told The Verge.
If the claims are true, and the GOP had help from the inside in order to accomplish their aims, this is a disaster for Sony. It's one thing for an attacker to gain access from the outside; it's another when they can physically touch the environment.
Physical security related breaches, including those that have inside help, are difficult to contain and recover from because evidence can be tampered with or simply removed. This could be one reason why Sony completely severed their network on Monday, because they didn't know who or what to trust.
Salted Hash will continue to follow this story and report on any additional developments, even during the holiday weekend.