Sony hackers out to erase data, not just steal

Michael Chertoff, former U.S. Secretary of Homeland Security, speaks during an interview during the 2014 IHS CERAWeek conference in Houston, Texas, U.S., on Wednesday, March 5, 2014. IHS CERAWeek is a gathering of senior energy decision-makers from around the world to focus on the accelerating pace of change in energy markets, technologies, geopolitics, and the emerging playing field. Photographer: Aaron M. Sprecher/Bloomberg *** Local Caption *** Michael Chertoff

WASHINGTON -- The hacking of Sony Pictures Entertainment points to a type of attack long dreaded by security experts: Using sophistication typically associated with foreign governments to destroy systems rather than just steal data.

There have been a handful of such attacks around the world, and they are likely to grow more common, either to further a political agenda or hide evidence of theft or espionage, said Michael Chertoff, former secretary of the U.S. Department of Homeland Security.

"Either for political or economic reasons, at some point, sophisticated actors are going to be more willing to use destructive malware," said Chertoff, co-founder and executive chairman of The Chertoff Group, a global security consultancy based in Washington.

The attack at Sony Corp.'s entertainment unit, announced Nov. 25, crippled computer systems and gave the perpetrators access to confidential employee information, including executive salaries. It also put unreleased films, such as Annie, which was set for theatrical release Dec. 19, on file-sharing sites.

The breach occurred a month before Sony's scheduled release of The Interview, a comedy about a CIA plot to kill North Korea's leader.

The attack used a so-called wiper virus that erases data, bringing down networks with thousands of computers and preventing companies from being able to conduct business.

Attacks using malware that cripples computers are one of the top concerns cited by National Security Agency Director Michael Rogers and other senior Obama administration officials, while Mountain View, Calif.-based cybersecurity company SentinelOne predicts in a new report that such attacks will shut down power grids and other critical computers sometime in 2015.

The Sony attack demonstrates that not only critical infrastructure is at risk, Chertoff said. "The potential for cyberweapons to be deployed continues to increase," he said.

Most U.S. companies confront an unfair fight when it comes to defending against malicious software that can cause physical damage, especially if the hackers are well-resourced foreign governments or their hired guns using powerful attack tools, he said.

Cybersecurity companies say they are bracing for more destructive attacks in the months ahead.

"If attacks like those against Sony continue against other U.S. companies, 2015 will be a year of disrupted services," said Ron Gula, chief executive officer for Tenable Network Security Inc., based in Columbia, Md.

"Most U.S.-based companies have been preparing to avoid an embarrassing and financially damaging loss of sensitive data," Gula said in an email. "They are not prepared for pure destruction of data."

Sony investigators have found malware that contained Korean language code and have linked the attack to a group associated with North Korea known as DarkSeoul, a person familiar with the investigation said. That group wiped out the computers of South Korean banks and broadcasters in March 2013.

North Korea has denied being behind the attack, according to a report by Voice of America last week. An unnamed North Korean diplomat in New York said his country had nothing to do with it, according to the report.

Before the Sony attack, destructive malware had been used in attacks inside the United States, said a law enforcement official knowledgeable about ongoing investigations. The official didn't talk about the Sony attack.

Destructive malware has more often been found in private networks than in critical infrastructure in the United States, the official said. Asked if the malware could cause damage similar in scope to a 2012 attack on Saudi Aramco that crippled 30,000 computers, the official said it's possible.

The official declined to cite any specific examples and cautioned that weaponized malware hasn't been seen on a wide scale inside the United States.

On Dec. 1, the FBI sent a five-page alert to U.S. companies about destructive malware. The malware, designed by unknown operators, has the ability to overwrite data files, including what's called the master boot record, making computers unusable, the FBI said.

"The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," according to the alert. It mentioned the malware uses Korean language but didn't link it directly to the Sony attack.

Trends point to less-sophisticated nations and groups increasingly using cyberwarfare and digital espionage tactics that traditionally have only been used by sophisticated foreign governments, said Ryan Sherstobitoff, principal research analyst for McAfee Inc.'s labs.

"You could call it sore-loser espionage," Sherstobitoff said in an email. "The emphasis is on spying on your political adversaries or business competitors, avoiding detection to sustain long-term espionage campaigns, identifying and stealing relevant information, and trying to wipe out entire systems if these campaigns are detected."

Hackers from the Chinese, Russian and Iranian governments have gained access to vital U.S. computers and could launch destructive attacks that include shutting down power grids, U.S. Rep. Mike Rogers, R-Mich., chairman of the House intelligence committee, said during a Nov. 20 hearing.

The Defense Department created the U.S. Cyber Command in 2010, which is forming teams of cybersecurity specialists.

"These forces are also capable, if properly requested from another U.S. agency with the authority to assist private companies with cyber security, such as the Department of Homeland Security or FBI, of helping defend critical U.S. infrastructure and resources," according to an email from the command.

A decision to deploy the teams in support of U.S. agencies would have to be made by the president or defense secretary.

Exactly what role the U.S. government will play and how far it will go in helping private companies deal with hacking attacks continues to be a matter of debate, said Chertoff.

He doubted the government would intervene directly to protect a private company like Sony from a cyberattack. Companies also are hesitant to allow the government access to their computers due to privacy and other concerns, he said.

Instead, agencies can help share information about cyberthreats, as well as help investigate and prosecute the attackers, Chertoff said.

To be sure, destructive attacks are by far still the exception, as most hackers are driven by profit motives, said Trey Ford, global security strategist for Boston-based software security company Rapid7.

The Sony attack should cause companies to take "a hard look" at their disaster recovery plans, Ford said in an email. "Few organizations were thinking about this last week -- many more are right now," he said.

Information for this story was contributed by Michael Riley and Anousha Sakoui of Bloomberg News.

SundayMonday Business on 12/08/2014
