An alleged 27GB Sony Pictures data dump. 65 PlayStation web servers. One baffling mystery
What were those EC2 cloud instances doing torrenting files?
Sony PlayStation website servers were used to distribute a 27.78GB archive potentially containing sensitive data swiped from Sony Pictures computers, it's claimed.
Until early on Tuesday afternoon, San Francisco time, more than 60 systems seeding the archive on the BitTorrent network appeared to be virtual servers in the Amazon EC2 cloud, according to security researcher Dan Tentler.
A number of those fingered server instances – eg, 188.8.131.52 – are also serving websites for Sony Computer Entertainment. The EC2 instances serving up the data were checked by another researcher, who found some had SSL certificates signed by Sony.
The PlayStation side of Sony is supposed to be separate to the movie and TV production side, and it was assumed the comprehensive ransacking of Sony Pictures computers last week by hackers was confined to just that subsidiary. The appearance of what seems to be PlayStation web servers in this ongoing puzzle is certainly eyebrow raising.
To be clear, this 27.7GB cache isn't the five unreleased movies leaked online after miscreants tore through Sony Pictures systems. Those flicks are still floating around file-sharing networks, and are now being seeded by so many people that download speeds are blisteringly fast.
The "SPE_01" torrent link - dubbed "Gift of GOP: Internal data of Sony Pictures" – appeared in this anonymous Pastebin file on Monday. GOP stands for Guardians of Peace, the team claiming responsibility for the Sony Pictures network hack.
Strange things afoot at Sony ... the EC2 instances serving PlayStation sites and seeding the torrent, according to Tentler
Sony Pictures did not reply to repeated requests for information.
So, speculation time. Either the data was seeded by hackers who have gained control of Sony's Amazon cloud account – or Sony could be deliberately pushing out a large archive as a honeypot to catch wannabe data thieves. Which could it be?
"At first I thought it was a honeypot because of all the sequential IP addresses [of the EC2 instances]," Tentler, of Carbon Dynamics, told The Register.
"Then [security researcher] Dave Maynor helped me out by scanning a bunch of them, found that some had SSL open and the cert was for Sony, and if you hit it with a browser, it appeared to be a generic PlayStation.com network host. Then earlier today, they all disappeared from the seeders list of the torrent. At this point all the EC2 seeders are gone, and my best guess is that they were in fact owned by Sony."
That red line spells frustration
The 27.78GB file is also missing some data at the end of the download, which could render the contents unreadable. If the file is incomplete then that points even more strongly to the honeypot scenario.
But Tentler said that some researchers are claiming to have retrieved at least some of the data from the download and that it looks like legitimate hacked data that Sony wouldn't want out there. ®