The hackers responsible for the nightmare at Sony Pictures have released more information, focusing on IT and sales operations. Wednesday's publication was the second data leak this week, appearing online hours after Sony's top executives admitted to not knowing the full scope of the incident.
The sales data leaked by GOP – the group claiming responsibility for the Sony Pictures hack - contains information to pertaining to sales goals and expectations for various television shows. It's similar to the sales data released last weekend.
The other half of the published documents on Wednesday are far more damaging, and will create weeks of extra work for the IT team.
Among the IT data leaked by GOP, totaling more than 11,000 files, are hundreds of RSA SecurID tokens, Lotus Notes IDs, and certificates – many of them with the required passphrase stored alongside.
Some of the PFX files leaked (see PKCS#12) are tied to local systems, personnel, Bank of America, VeriSign, and other vendors.
The published documents also include 139 files related to passwords and IT operations. Those files are a mix of critical and sensitive IT data, including authentication details and instructions to access 3rd-party and internal apps and services.
The vendor passwords include shipping services, like UPS or FedEx, or management services such as those offered by McAfee. Access details for services such as Google Analytics, iTunes, Sprint, Verizon, YouTube, and others are also recorded in the files.
Scattered within the IT data are files with hundreds of employee email addresses, usernames, and passwords as of October 2014. On top of that, there are files detailing how to access QA, staging, and production database servers – with a master asset lists that map the location of database (Oracle, Sybase, and SQL) and enterprise servers globally.
There are hundreds of FTP usernames and passwords, for servers in a number of locations on Sony's network. There is also list of routers, switches, and load balancers, as well as the usernames and passwords to manage them.
In short, the IT data leaked is everything needed to manage the day-to-day operations at Sony.
Much of the infrastructure outlined by the compromised documents will need to be updated, revoked, replaced, or changed completely now that it's public. Some of that will be easy, and is likely part of Sony's IR process. On the other hand, some of it will be more challenging and likely wasn't a consideration when BC/DR plans were established.
Developing, managing, and protecting a network used by 6,500 people isn't easy. When the internals are made public and exposed to a number of hostile factors, the job becomes increasingly more difficult – and that's without simultaneously dealing with a massive data breach.
Other than new data leaks, the other developments in the Sony-driven news cycle are focused on the recovery.
Sony's top executives, Michael Lynton and Amy Pascal, sent a memo to employees apologizing for what has happened, promising that they're working as hard as possible to get things back on track.
The internal communication is likely a good thing, considering media reports form the Wall Street Journal and other places that report poor morale among some of the staff. Most of the stress comes from staff who are worried about the PII leaks and working conditions while parts of the network come back online.
Some of the major parts of the Sony network have started to resurface, but the little things – such as a credit card terminal in the commissary (staff can only pay with cash) – are still offline due to the breach.
Calling them "malicious criminal acts," Pascal and Lynton told employees that their privacy and security is a real concern, adding that they were saddened by the "concerted effort to do damage to our company, undermine our morale, and discourage us."
The memo continues:
"We are enormously proud of the resilience you have all shown in the face of this attack. The company is as busy as ever, and our business continues to move forward, thanks to your great efforts.
"While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession. While we would hope that common decency might prevent disclosure, we of course cannot assume that."
For now, employees at Sony have been offered the use of AllClear ID protection services.
Sony hasn't issued many statements since their communications were restored, other than offering assurances that they were working with law enforcement and Mandiant in order to get to the bottom of the situation and restore order.
One statement that was made late Wednesday evening concerned a story in Re/code reporting that the company was going to name North Korea as the source of the attack.
Sony responded to that story, telling media that the investigation into the "very sophisticated cyber attack" continues, but "the Re/code story is not accurate."
Update:
As this story was being written, Voice of America published an article on the subject, including an interview with a North Korean diplomat. According to the diplomat, they had nothing to do with the Sony incident.
"Linking the DPRK to the Sony hacking is another fabrication targeting the country. My country publicly declared that it would follow international norms banning hacking and piracy," the official said.
