Sony Hackers Used Apple ID Phishing Scheme, Researchers Claim at RSA

Cylance researchers provide new details into how Sony was hacked, and the allegation is that a phishing attack against Apple IDs was at the root of the attack.

Sony hack

SAN FRANCISCO—There have been a number of theories postulated about how the massive Sony hack in 2014 actually occurred, and at the RSA Conference here another set of theories are being put forward. In a session called "Hacking Exposed Live," Cylance Senior Security Researcher Brian Wallace and Cylance CEO Stuart McClure alleged that a phishing attack against Apple IDs was at the root of the Sony hack.

The FBI has laid blame for the Sony attack on North Korea, while others have not been so sure that North Korea in fact is to blame. In an interview with eWEEK, McClure said he has done a great deal of research on the Sony attack and, although he gave the disclaimer that he has no definitive firsthand knowledge of what actually happened, has plenty of evidence to back up his claims.

McClure claims that first step in the Sony hack was a targeted spear phishing attack that went after a number of system administrators at Sony.

"It was a well-crafted set of spear phishing attacks, centered around Apple ID verification," McClure told eWEEK.

Apple ID is Apple's system for identifying users to enable access to Apple services including the App Store and iCloud. In the verification attack, the Sony hackers sent out a fake Apple ID verification email that tricked the victims into clicking to verify, according to McClure.

"The Apple ID verification looked very convincing and was spot on for what users would normally expect to see, except of course that it's completely phished and fake," he said.

When the victims tried to enter their Apple ID and associated password, the phishing page showed the victims an error that the password was not accepted. At the same time, the attackers were capturing the users' information. The Sony hackers were able to analyze the Apple IDs they captured and connect those to LinkedIn social media profiles for Sony employees. The attackers were also able to determine a Sony username for the victims. Once inside Sony, the attackers were able to distribute their own malware with a software distribution system.

The fact that the Sony attackers used an Apple ID phishing scheme to exploit users doesn't imply that the users were running an Apple operating system when they opened the phishing email. McClure said there are plenty of iOS users who run Windows desktops.

Based on his analysis, McClure has some general guidance for organizations to help reduce the risk of becoming the next Sony-like hacking victim.

"The basic general guidance that I always give is that organizations should use some form of memory process injection protection," he said. "User credentials always need to be monitored and, perhaps most importantly, password reuse needs to be avoided."

McClure said that he has been talking about the dangers of password reuse since the late 1990s, calling it the Achilles' heel of technology security. He added that systems need to be in place to discourage password reuse and encourage regular password updating and the deployment of two-factor authentication technologies.

"Passwords are still one of the big weak links in IT security that are out there, and if organizations can't manage and control them properly, that's a problem," McClure said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.