Researchers discover tools used in Sony Pictures hack
Researchers have found new tools within the Destover malware that shed light on how the attackers who broke into Sony Pictures' servers a year ago covered their tracks. The two tools are capable of forging timestamps and modifying log files.
Researchers from US cybersecurity firm Damballa discovered the tools, called setMFT and afset, in a recent sample of the Destover malware used in the Sony Pictures hack. According to the researchers, the two files had also been spotted at the time of the hack, but had not previously been linked to Destover. The tools help the attackers stay undetected on a compromised network and spread within it.
SetMFT forges file timestamps (a technique known as timestomping) so that a newly dropped file does not stand out from the other files on the server. Simple file listings and manual checks by security staff are fooled this way. A more thorough examination, however, would show that the file's timestamps do not match the write dates recorded elsewhere, such as in log files. The tools use a driver that Destover itself also uses.
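The kind of "more thorough check" mentioned above can be scripted. What follows is an added example, not code from Damballa's analysis or from the Destover samples: it takes the two sets of NTFS timestamps that a forensic MFT parser reports for each file, $STANDARD_INFORMATION (which user-mode code can set through SetFileTime) and $FILE_NAME (which only the NTFS driver writes), and flags two classic timestomping indicators: a $STANDARD_INFORMATION creation time that predates the kernel-written $FILE_NAME creation time, and timestamps whose 100 ns sub-second ticks are exactly zero, as produced by tools that take a human-readable date. The file paths and timestamps are constructed sample data. A driver-level tool like the one described could in principle rewrite the $FILE_NAME timestamps too, which is why the article's cross-check against write dates and log files still matters.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000                      # FILETIME counts 100 ns ticks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ts: str, subsecond_ticks: int = 0) -> int:
    """Build a FILETIME from an ISO-8601 UTC timestamp plus 100 ns ticks (0..9_999_999)."""
    dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + subsecond_ticks


@dataclass(frozen=True)
class MftTimestamps:
    """Timestamps of one MFT entry as an MFT parser would report them (FILETIME ints)."""
    path: str
    si_created: int    # $STANDARD_INFORMATION: settable from user mode via SetFileTime
    si_modified: int
    fn_created: int    # $FILE_NAME: written by the NTFS driver, not exposed to SetFileTime
    fn_modified: int


def timestomp_indicators(rec: MftTimestamps) -> list[str]:
    findings: list[str] = []
    # The driver stamps $FN when the file is created; a $SI creation time that
    # predates it cannot have happened naturally and was backdated.
    if rec.si_created < rec.fn_created:
        findings.append("si_created_before_fn_created")
    # Tools that take a human-readable date yield FILETIMEs with zero sub-second ticks,
    # which the kernel almost never produces. Files copied from FAT media or extracted
    # from ZIP archives also lose precision, so treat this as corroborating evidence.
    for name, value in (("si_created", rec.si_created), ("si_modified", rec.si_modified)):
        if value % TICKS_PER_SECOND == 0:
            findings.append(f"{name}_zero_subsecond")
    return findings


def triage(records: list[MftTimestamps]) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    flagged: dict[str, list[str]] = {}
    for rec in records:
        indicators = timestomp_indicators(rec)
        if indicators:
            flagged[rec.path] = indicators
    return flagged


# Constructed sample records (hypothetical paths, not indicators from the Sony case).
SAMPLE_RECORDS = [
    # Normal file: $SI and $FN creation agree, with the odd sub-second ticks the kernel writes.
    MftTimestamps("C:\\Users\\alice\\report.docx",
                  si_created=filetime("2014-11-20T08:02:11", 4_417_233),
                  si_modified=filetime("2014-11-21T17:45:09", 1_982_001),
                  fn_created=filetime("2014-11-20T08:02:11", 4_417_233),
                  fn_modified=filetime("2014-11-20T08:02:11", 4_417_233)),
    # Copied file: modification time predates creation (copy preserves it), but $SI/$FN agree.
    MftTimestamps("C:\\Users\\alice\\old_notes.txt",
                  si_created=filetime("2014-11-21T09:14:03", 7_001_540),
                  si_modified=filetime("2012-03-05T12:00:44", 3_310_000),
                  fn_created=filetime("2014-11-21T09:14:03", 7_001_540),
                  fn_modified=filetime("2014-11-21T09:14:03", 7_001_540)),
    # Timestomped: $SI backdated to a round second in 2009, $FN shows it appeared in Nov 2014.
    MftTimestamps("C:\\Windows\\Temp\\dropped.exe",
                  si_created=filetime("2009-07-14T01:14:53"),
                  si_modified=filetime("2009-07-14T01:14:53"),
                  fn_created=filetime("2014-11-21T23:07:48", 9_120_377),
                  fn_modified=filetime("2014-11-21T23:07:48", 9_120_377)),
]

if __name__ == "__main__":
    for path, indicators in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(indicators)}")
```

Only the third record is flagged; the copied file is deliberately left alone, because a preserved modification time older than the creation time is normal for copies and would otherwise be a frequent false positive.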
The second tool, afset, can likewise modify timestamps, and it can also wipe Windows event log entries selected by criteria such as event ID and time, hiding the records of the malware's file writes. According to Damballa, a full forensic analysis of the system can still detect the presence and traces of afset and setMFT, but the tools give an attacker more than enough time to finish the job.
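Selective removal of event records, as opposed to clearing a whole log through the supported Windows API, leaves traces of its own, and checking for them is one way the "full analysis" referred to above can proceed. The following added example is not code from Damballa or from the Destover tooling and works on constructed sample events, not real Sony logs. It relies on two facts about Windows event logs: EventRecordID values are assigned consecutively within a channel, so deleting individual records leaves holes in the sequence, and a log cleared through the API produces its own record (event 1102 in the Security log, event 104 in the System log), whereas a record-level edit does not. It also lists records whose TimeCreated runs backwards relative to record order, which hints at rewritten timestamps, although clock changes can cause this too. Run it against a complete channel or full .evtx file; a filtered export will show gaps of its own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EventRecord:
    """One event as read from a channel; fields mirror System/EventRecordID, TimeCreated, EventID."""
    record_id: int       # EventRecordID: Windows assigns these consecutively per channel
    time_created: str    # TimeCreated SystemTime as ISO-8601 UTC (string order == time order)
    event_id: int


# Events Windows writes itself when a log is cleared through the supported API.
LOG_CLEARED_EVENT_IDS = {1102, 104}   # Security: "audit log was cleared"; System: "log file was cleared"


def find_record_gaps(records: list[EventRecord]) -> list[tuple[int, int]]:
    """Return inclusive (first, last) ranges of EventRecordIDs that are absent."""
    ids = sorted(r.record_id for r in records)
    return [(prev + 1, cur - 1) for prev, cur in zip(ids, ids[1:]) if cur - prev > 1]


def find_time_inversions(records: list[EventRecord]) -> list[int]:
    """Record IDs whose TimeCreated is earlier than that of the preceding record."""
    ordered = sorted(records, key=lambda r: r.record_id)
    return [cur.record_id for prev, cur in zip(ordered, ordered[1:])
            if cur.time_created < prev.time_created]


def triage_channel(records: list[EventRecord]) -> dict:
    """Summarise evidence of record-level tampering for one channel."""
    gaps = find_record_gaps(records)
    return {
        "record_id_gaps": gaps,
        "records_missing": sum(hi - lo + 1 for lo, hi in gaps),
        "time_inversions": find_time_inversions(records),
        # Gaps with no clear event means records vanished some other way.
        "clear_event_present": any(r.event_id in LOG_CLEARED_EVENT_IDS for r in records),
    }


# Constructed Security-channel sample: logons (4624/4672/4634), process creation (4688),
# object access (4663). Records 4104-4106 and 4110 have been removed.
SAMPLE_SECURITY_LOG = [
    EventRecord(4100, "2014-11-21T22:58:02Z", 4624),
    EventRecord(4101, "2014-11-21T22:58:02Z", 4672),
    EventRecord(4102, "2014-11-21T22:59:47Z", 4688),
    EventRecord(4103, "2014-11-21T23:01:10Z", 4663),
    EventRecord(4107, "2014-11-21T23:09:31Z", 4634),
    EventRecord(4108, "2014-11-21T23:15:00Z", 4624),
    EventRecord(4109, "2014-11-21T23:15:00Z", 4672),
    EventRecord(4111, "2014-11-21T23:22:45Z", 4688),
    EventRecord(4112, "2014-11-21T23:30:12Z", 4634),
]

if __name__ == "__main__":
    for key, value in triage_channel(SAMPLE_SECURITY_LOG).items():
        print(f"{key}: {value}")
```

For the sample above the script reports two gaps covering four missing records and no clear event, the combination that points at record-level deletion rather than a routine log clear. In practice the missing IDs are then correlated with the write times recovered from the MFT or USN journal, which is the mismatch the article says a thorough check would expose.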
Sony Pictures was hacked in November 2014 by a group calling itself Guardians of Peace. The attackers obtained email addresses, passwords, documents and financial data, and also took and published films from Sony Pictures. The emails and documents were published by WikiLeaks earlier this year. In total, the data of 47,000 employees of the company was involved. The US government says North Korea is behind the hack.