Guardians of Peace, the hackers who have terrorised Sony Pictures, have halted their actions after the cinema release of The Interview was suspended.
According to CNN, the hackers sent an email to executives at the company, crediting them for a “very wise” decision to cancel the Christmas day release of the film. The company believes the email is legitimate as it followed a pattern of previous messages, sent to a list of particular executives and formatted in a particular way.
The hackers demanded that the film never be “released, distributed or leaked in any form of, for instance, DVD or piracy”. They also asked for “everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately”.
The email warned the studio that the hackers still have private and sensitive data, and claimed that they will “ensure the security of your data unless you make additional trouble.”
The news follows revelations by Bloomberg that Trend Micro had obtained a copy of the malware that was used to penetrate Sony Pictures. It declined to reveal how it had captured it.
Trend Micro said that the hackers “probably” spent months collecting passwords and mapping the network before they committed a last act of vandalism, setting off a virus that wiped out data and crashed the system in ten minutes.
It said that the malware functions as a backdoor to an affected network, allowing intruders remote access while remaining undetected. Once activated by the hackers, the program starts a 10-minute countdown.
“Cloned minions disable security software, gain access to hard drives and networked storage on all the infected computers, while also trying to log into any connected networks”, Masayoshi Someya, security evangelist at Trend Micro said in an interview in Tokyo this month. “When time is up, all the data is erased and users are greeted by a static screenshot: a picture of a red skeleton scowling under the heading ‘Hacked by #GOP’.”
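The sequence Trend Micro describes (security software disabled, then a timed wipe across many hosts at once) is something endpoint telemetry can be correlated for. The following detection logic is an added illustration, not code from the article or from Trend Micro; the log format, event names and hosts are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not from the article): timestamp, host, event, detail.
SAMPLE_LOG = """\
2014-11-24T08:00:05 ws-017 service_stop avsvc
2014-11-24T08:03:10 ws-017 file_delete D:/share/contracts/q3.xlsx
2014-11-24T08:03:11 ws-017 file_delete D:/share/contracts/q4.xlsx
2014-11-24T08:03:12 ws-017 file_delete C:/Users/alice/Documents/plan.docx
2014-11-24T08:00:09 ws-042 service_stop avsvc
2014-11-24T08:04:00 ws-042 file_delete C:/Users/bob/Desktop/notes.txt
2014-11-24T08:04:01 ws-042 file_delete C:/Users/bob/Desktop/budget.xlsx
2014-11-24T08:04:02 ws-042 file_delete E:/nas/media/cut01.mov
2014-11-24T07:10:00 ws-105 service_stop avsvc
2014-11-24T09:30:00 ws-105 file_delete C:/tmp/old1.log
2014-11-24T09:30:01 ws-105 file_delete C:/tmp/old2.log
2014-11-24T09:30:02 ws-105 file_delete C:/tmp/old3.log
"""

def parse_events(text):
    """Return (timestamp, host, event, detail) tuples sorted by time."""
    rows = [line.split(" ", 3) for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), host, kind, detail)
                  for ts, host, kind, detail in rows)

def find_wiper_precursors(events, window=timedelta(minutes=10), min_deletes=3):
    """Per host, flag a security-service stop followed within `window` by at least
    `min_deletes` file deletions. Returns {host: (stop_time, delete_count)}."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev[1], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for stop, _, kind, _ in evs:
            if kind != "service_stop":
                continue
            deletes = sum(1 for ts, _, k, _ in evs
                          if k == "file_delete" and stop <= ts <= stop + window)
            if deletes >= min_deletes:
                hits[host] = (stop, deletes)
                break  # one alert per host is enough
    return hits

def is_coordinated(hits, spread=timedelta(minutes=10)):
    """True when at least two flagged hosts tripped the rule within `spread`
    of one another, the signature of a simultaneous, timed wipe."""
    times = sorted(stop for stop, _ in hits.values())
    return any(b - a <= spread for a, b in zip(times, times[1:]))

if __name__ == "__main__":
    found = find_wiper_precursors(parse_events(SAMPLE_LOG))
    print(found, "coordinated:", is_coordinated(found))
```

In the sample, ws-105 is not flagged because its deletions fall hours after the service stop; the two hosts that are flagged trip the rule seconds apart, which is the cross-host timing worth alerting on.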
Rik Ferguson, vice president of security research at Trend Micro, told IT Security Guru that it was not the case that Trend Micro had the malware and was withholding it from the wider industry; rather, most companies in the security space had been given a sample and were analysing it.
Jon French, security analyst at AppRiver, said: “I don’t find it a surprise that the malware was there for months going undetected. [The article] says the malware was customised for the attack, meaning that if the malware went initially under the radar when it was introduced in to their network, it would be unlikely to suddenly get detected since shutting down anti-virus is usually the first step in malware. There are other ways to look for malware infections such as network anomalies, but the difficulty in catching malware after a successful infection probably increases significantly on such a large network. Especially with a targeted attack.”
Tim Erlin, director of security and risk at Tripwire, said: “This may be news outside the information security community, but it’s really no surprise. In order to gather and copy the information they’ve published and to coordinate the simultaneous take down of systems within Sony, the attackers would have needed time inside the network.
“There’s a lot of focus on the malware itself here, but it’s really the last step in the process. We should be more concerned than we are about the means and methods used to install that malware and expand their hold on the network. A good defence starts before the intruder gets inside the system.”