Sony Pictures Entertainment Inc. employees, in the wake of petabytes of stolen video, files and emails from the company’s heavily compromised IT system, have resorted to old-school tech: using alternate communication services and older connected devices and systems to get their work done.
The digital entertainment company’s IT system was hacked months ago and the news revealed Nov. 24, a month before the scheduled premiere of “The Interview,” a comedy about a fictional assassination plot against North Korea dictator Kim-Jong Un. A group calling itself Guardians of Peace, which took responsibility for hacking the system and stealing terabytes’ worth of videos, emails, documents, still images and other data, threatened to bomb any theater that shows the film.
After four of the nation’s leading theater chains said Dec. 18 that they decided to skip premiering the movie on Dec. 25, Sony pulled the picture from all theaters and didn’t say what it intends to do with the mulimillion-dollar film, which stars James Franco and Seth Rogen.
Federal investigators have concluded that the hackers worked either for, or in collusion with, the North Korean government. This has yet to be documented.
CNN, citing unnamed U.S investigators as its source, reported late Dec. 18 that whoever hacked Sony Pictures did so by stealing credentials from a systems administrator. CNN’s sources also claimed that the stolen credentials are what led them to conclude that this was not an inside job by an employee at Sony who was paid off or disgruntled.
NBC News also reported that the attack came from within North Korean territory and was routed to make it look like the hack was coming from Taiwan. A hotel in Taiwan was cited early on as a possible source.
Fax Machines, Fedex, Bicycle Messengers Being Employed
Workers at the company’s Culver City, Calif. headquarters, who requested anonymity from eWEEK, are using their own personal mobile phones, laptops and tablets to create documents and send/receive email. Fedex is being called more often in lieu of company email; bicycle messengers (pictured) were being deployed; fax machines are being used again; and more in-person meetings were taking the place of Google Hangouts and Skype on the company network.
The compromised system can no longer be trusted. New-gen IT is nothing if not a tradeoff: speed, ease of use and “easier to intercept” over clunkier, slower, more tedious — yet safer — methods of sending information from one point to another.
The hackers are believed to have been surveilling the network at Sony Pictures at least since last spring, based on computer forensic evidence and traffic analysis, a person with knowledge of the federal investigation told The Associated Press.
The hack ultimately could cost the studio hundreds of millions of dollars — mostly due to lost revenues from the film but also involving the data-breach cleanup and restoration of the IT system, which is pretty much toast at this point.
Hack Had to Happen Over a Period of Time
“This didn’t happen in an hour. This was going on for a long time,” Sergio Galindo, General Manager of security provider GFI Software in Durham, N.C. told eWEEK. “If you’ve ever had to copy your own movie to put onto a laptop to watch on plane, it takes a while.”
The information stolen by the hackers crossed a lot of different areas within Sony, Galindo said.
“There was email, movies, different types of communication — so they had time to do this. It was the virtual equivalent of wandering around an office. They were able to wander around inside the network and find this information,” Galindo said.
IT folks need to understand who’s walking around the office at all times. “If a security guard saw somebody wandering around aimlessly, looking in people’s desks, they’d probably stop them,” Galindo said. “Same holds for digital security.”
If the hackers hadn’t made their presence known by making demands and destroying files, they probably would still be inside, because there was no indication their presence was about to be detected.
“Sony was hacked several years ago. If your house got robbed several years ago, I would think you would have invested a little more in security. If Sony hadn’t learned this lesson before, hopefully this message is now loud and clear,” Galindo said.
More Investment in Security Obviously Required
“When they start talking about using old computers and personal cell phones, the thing that strikes me is that they didn’t have enough invested in technology; they do (invest) on the business side, but they have to realize that security is not something you do once and then walk away from.”
Given that Sony Pictures now produces all its films digitally and is now a technology company, “they have a lot of information to share. Where we’ve come from 10 years ago is that there wasn’t a lot of information sharing going on,” Galindo said.
“These days, with everything being edited and reedited and stored in the cloud and quickly shared, people live and die by sharing information. Sony, by using some of the older technology, is hampering itself, at least for the short term.”
Companies across the globe undoubtedly are on high alert to tighten up network security to avoid being the next company brought to its knees by hackers like those that executed the dramatic cyberattack against Sony.
“We all feel comfortable when we walk into an office and there’s somebody sitting behind a desk, there’s a security guard, and you have a turnstile where you have to swipe your badge, and before you get into your office, you have to swipe your badge again,” Galindo said.
“That’s all physical security. We have to be more cognizant of digital walls to protect the information itself.”