Forget Norks, Russian hackers are in Sony Pictures' servers – claim
Infosec bod reckons he has seen internal documents not yet leaked by studio ransackers
There's a new twist in the already tangled tale of the Sony Pictures mega-hack: it's now claimed Russians possibly broke into the company's computers.
Miscreants in the Putin-led nation comprehensively compromised the Hollywood studio's servers, and were responsible for most of the damage against its systems, reckons Jeffrey Carr, chief exec of security consultancy Taia Global.
Thousands of highly sensitive personal files on employees, past and present, and celebrities, plus emails, scripts and unreleased video, were leaked all over the internet as a result of the infiltration.
The US government blames North Korea for hacking into the Sony Pictures network and leaking copious amounts of data before finally thrashing the computers with disk-wiping malware. The FBI is confident the Norks are the culprits because the NSA apparently pwned North Korea's onramp to the internet in 2010 – and presumably the spies tipped off the Feds to what was going on.
Over in the land of computer security professionals, it's argued a disgruntled former techie at the studio is more likely to be behind the ransacking.
Carr, founder of the Suits and Spooks conference, has come up with a third theory: he says he's heard from "a Russian hacker living in Ukraine" who has apparently made contact with someone in a Russian crew involved in the Sony security breach.
Carr claims he has seen internal Sony documents that have yet to be publicly leaked: five Excel spreadsheets dated from 30 November 2014 through 10 December 2014, and two email messages dated 14 January and 23 January 2015.
This, he says, is evidence the Russians gained access, and may still have access, to the studio's systems. Word that Sony Pictures had been compromised emerged around November 25, triggering a shutdown of the company's networks and machines.
"All of the documents appear to be authentic and one has been proven to be authentic by the film analyst who created it. They are not part of any prior release by the Guardians of Peace, the presumably North Korean team who claimed credit for the attack," a blog post by Taia Global states.
It's entirely possible, as far as El Reg can see, that the Russians broke into the company's computers after the mega-hack and swiped more files – or the original hackers were or are still in the network and documents have somehow made their way into Russia – assuming Carr is correct.
Taia Global reckons either Russian and North Korean hackers simultaneously ran separate attacks against Sony Pictures Entertainment – or that the North Korean government’s denial of involvement is accurate, that other hackers were responsible, and at least one or more of them were Russian. It's still possible an ex-employee helped out whoever broke into the studio's machines from afar.
"There were probably multiple bad actors in Sony's network," Carr told El Reg.
If the latest leak is genuine, it means Sony Pictures is still losing crucial information a full two months into its effort to clean up the mess and lock down security – which has already cost the Hollywood studio $15m.
Security experts point out that even if the Russians have the data now, it doesn't necessarily mean they hacked into Sony's network themselves.
Rob Graham, of Errata Security, told El Reg: "The hackers exfiltrated much more than they've revealed. The Russians can just be using the exfiltrated data." ®
"Yama Tough", the Ukraine-based bod who contacted Carr, has been previously claimed responsible for network breaches at Symantec, VMware, and others. He's not claiming responsibility for the Sony hack directly.