Sony Pictures Entertainment (SPE) might have a second security breach on its hands, or maybe the hackers from November’s scandalous attack are still inside the company systems, according to a security firm that claims to have seen evidence of Russian hackers having access to SPE internal data.
The hackers accessed SPE’s Culver City, California network in late 2014 by sending spear phishing emails to Sony employees in Russia, India and other parts of Asia, U.S. security intelligence firm Taia Global said Wednesday in a report.
“Those emails contained an attached .pdf document that was loaded with a Remote Access Trojan (RAT),” the report reads, adding that once employees’ computers were infected, the hackers used advanced pivoting techniques to gain access to the California network. The hackers are still inside the network, according to Taia Global.
Taia Global claims that it obtained evidence supporting its conclusions through a Russian hacker known online as Yama Tough who, Taia Global said, served prison time in the U.S. for hacking offenses and was responsible for stealing source code from antivirus firm Symantec.
In mid-January, Yama Tough provided Taia Global president Jeffrey Carr with several Excel spreadsheets and emails allegedly stolen from Sony Pictures Entertainment by an unnamed Russian hacker, who Yama Tough claimed was a member of an attack team that hacked into SPE’s network.
North Korea or somebody else?
In November a group of hackers called the Guardians of Peace launched a destructive malware attack against SPE computers after gaining access to the company’s network and stealing terabytes of sensitive documents. The group dumped some of the data online in the weeks following the breach.
The original Sony Pictures hack was blamed on North Korea, which was apparently upset at The Interview‘s depiction of country leader Kim Jong-un
The U.S. government blamed the North Korean government for the attack, with both FBI and NSA officials saying they’re confident about the attribution. Some security firms and experts did not agree, including Taia Global, which based on a linguistic analysis of the English statements made by Guardians of Peace members following the attack concluded that they’re most likely native Russian speakers.
Now Taia Global, given the evidence it has in its possession, thinks one of these two scenarios is closer to reality than the assessment from Sony and the U.S. government:
First, the Guardians of Peace and this newly-discovered Russian hacker group are one and the same. This would mean that Sony, its security contractors that investigated the breach and the U.S. government failed to identify all of the intruders’ footholds in the SPE network, so attackers are still lurking in there.
Or second, the Guardians of Peace and the Russian hackers are different groups, and the latter has escaped detection so far.
While most of the SPE documents Taia Global claims to have obtained from the Russian hacker are from November and December, two of the emails are dated Jan. 14 and Jan. 23 respectively. This proves that “one or more Russian hackers were in Sony Pictures Entertainment’s network at the time of the Sony breach [by Guardians of Peace] and continue to have access to that network today,” Taia Global said.
Taia Global claims that two independent sources confirmed that the SPE documents shared by the Russian hacker with it were not among those previously leaked by Guardians of Peace on the Internet. That could be because the Guardians of Peace group retained some of the documents it stole and released them now. Or it could mean that the Guardians of Peace or a different group still have access to the network. Furthermore, “Taia Global has received independent confirmation from the author of one of the documents listed that it is indeed authentic,” the company said.
Sony Pictures Entertainment did not immediately respond to a request for comment.