Devastating Sony hack just a malware rehash, say experts

The tech used in one of the worst cyber-attacks in business history was known to cyber-defenders, according to CyActive

Screenshot of a message sent to Sony Pictures employees by 'Guardians of Peace' hackers (YouTube)

In a pattern that is becoming disturbingly common, the server hack that has nearly ruined the business of Sony Pictures was used at least twice in the past, according to an Israeli cybersecurity expert.

“There is much similarity, both in code and methods, between the malware that hit Sony — Trojan Destover\BKDR_WIPALL.A — and two other data-erasing malware — Disttrack\Shamoon — that hit Saudi company ARAMCO in 2012, and the DarkSeoul attack on South Korean banks and TV broadcasters in 2013,” Sariel Moshe of Israeli cyber-security firm CyActive wrote in a blog post.

“Even in such damaging scenarios, the cyber attacker’s tools are reused. For them, if it worked once, tweak it a bit and it will work again. The attack on Sony demonstrates quite clearly that this method works quite well.”

It turns out, according to Liran Tancman, CEO and co-founder of CyActive, that the hackers who wreak havoc on companies like Sony, as well as Target, Home Depot, and tens of thousands of other targets each year, have an Achilles’ heel.

“Much of the code found in even major attacks is reused over and over again in new attacks,” Tancman said. “There has actually never been an attack that did not draw substantially on components that were already in existence.”

By isolating these components, CyActive believes it can mitigate these attacks, halting “lazy” hackers who keep reusing code in their tracks.

By many accounts, the Sony Pictures hack is one of the biggest cyber-messes for a US-based company ever. Revealing sensitive and personal information about salaries, favor-trading, and above all, gossip, the data breach is already resulting in backbiting, ruined relationships, and lawsuits. It’s all the result of an apparent hacking attack by a group said to be associated with North Korea, which claims to be protesting plans to release “The Interview,” a film that takes potshots at North Korean dictator Kim Jong-Un.

Late Wednesday, Sony Pictures announced that in the wake of the cyber-attack, it was cancelling the release of The Interview altogether, at least for now. “Sony Pictures has been the victim of an unprecedented criminal assault against our employees, our customers, and our business. Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material, and sought to destroy our spirit and our morale – all apparently to thwart the release of a movie they did not like.

“We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public. We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome,” the studio said in a statement.

Whether the North Koreans were behind the attack is something we may never know, unless the hackers are caught (although apparently some in the US government believe that Pyongyang is involved, if not responsible).

But one thing we do know, said Moshe, is that the malware used in the current attack is “almost a copy of earlier malware – but no defense measures managed to stop it. Initial reports regarding Destover, the malware used in the attack, show that it had reused at least 6 components of previous malware, including two data-erasing malware, Shamoon and DarkSeoul.”

Those components, Moshe added, are available on the Internet for free.

Lamented Tancman: “Cyber-security is, for the most part, reactive, not proactive. A company will spend hundreds of thousands or millions of dollars to secure themselves against a major malware variant, fighting off a specific attack.” But getting around those defenses is easy for a hacker. “All they have to do is insert some changes in their malware code, and they are in the clear. For $150, a cyber-criminal can hire a hacker to do $25 million of damage, and then do it again a few months later, making very minor changes to their malware code.”

Tancman, a former head of cyber-strategy in an elite IDF intelligence unit with a decade of experience in Israel’s intelligence corps, has been thinking about this phenomenon for a long time — and has developed what he believes is the solution to all malware and viruses, present and future. “If we can develop defenses against the core of the malware, the 98% of the code that is just a variant of existing malware, we could end virus attacks for good,” Tancman said.

“Since we know what goes into such malware, we can defend against that specific vulnerability, as well as others that hackers are likely to go after that are related to the original hack,” said Tancman.

CyActive’s system does this by analyzing the vulnerability and seeing what directions hackers are likely to take in order to “retool” it to get around existing anti-virus systems.

“Instead of being on the defensive, we can develop these anti-virus tools before the new hacks are even created, putting the burden on the hackers,” said Tancman.
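To make the argument above concrete, here is an added illustration (not code from CyActive or from this article) of why a whole-file hash signature is defeated by a minor tweak while a component-level fingerprint of the reused core still matches. The three "binaries", the family name "wiper" and the pseudo-instruction tokens are constructed stand-ins, not real malware.

```python
import hashlib

# Constructed stand-ins for three files (made-up byte strings, not real code):
# two "variants" sharing a core routine but differing in their wrapper, and a benign file.
SHARED_CORE = (b"open_raw_disk;read_mbr;overwrite_mbr;walk_volume;select_files;"
               b"zero_fill_file;truncate_file;delete_shadow_copies;force_reboot;")
VARIANT_A = b"stage:alpha;beacon:host-a;" + SHARED_CORE + b"note:A;"
VARIANT_B = (b"stage:beta;beacon:host-b;"
             + SHARED_CORE.replace(b"force_reboot", b"force_shutdown") + b"note:B;")
BENIGN = b"load_config;render_window;save_document;spell_check;print_page;"


def exact_signature(data: bytes) -> str:
    """Whole-file hash: the classic signature that any one-byte tweak defeats."""
    return hashlib.sha256(data).hexdigest()


def window_fingerprints(data: bytes, k: int = 8) -> set:
    """Fingerprint every k-byte sliding window. A reused code region produces the
    same fingerprints no matter where it sits in the file or what surrounds it."""
    return {hashlib.blake2b(data[i:i + k], digest_size=8).digest()
            for i in range(len(data) - k + 1)}


def similarity(a: bytes, b: bytes, k: int = 8) -> float:
    """Jaccard similarity of window fingerprints: share of windows common to both."""
    fa, fb = window_fingerprints(a, k), window_fingerprints(b, k)
    return len(fa & fb) / len(fa | fb)


def classify(sample: bytes, known: dict, threshold: float = 0.5):
    """Return the known family whose best-matching member reaches the threshold,
    else None. 'known' maps a family name to a list of previously seen samples."""
    best_name, best_score = None, 0.0
    for name, members in known.items():
        score = max((similarity(sample, m) for m in members), default=0.0)
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= threshold else None


if __name__ == "__main__":
    print("exact hashes equal:", exact_signature(VARIANT_A) == exact_signature(VARIANT_B))
    print("core similarity A/B:", round(similarity(VARIANT_A, VARIANT_B), 2))
    print("benign vs A:", round(similarity(BENIGN, VARIANT_A), 2))
    print("classify B:", classify(VARIANT_B, {"wiper": [VARIANT_A]}))
```

The window size and the 0.5 threshold are tuning choices; on real binaries one would fingerprint disassembled functions or normalised code sections rather than raw bytes, but the contrast between the two approaches is the same.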

“If the cyclical nature of the ecosystem is a given, and reinventing a whole attack chain is practically impossible from an economical perspective, why not use that to our advantage?” says Shlomi Boutnaru, CyActive co-founder and CTO. “Hit ‘fast-forward’ to what your opponent is going to do, predict future malware ahead of the hacker, and the unfair advantage moves to the good guys’ side.”
