The hackers behind the devastating attack against Sony Pictures Entertainment late last year exploited a previously undisclosed vulnerability in its computer systems that gave them unfettered access and enabled them to reach and attack other parts of the studio’s network.
Sources familiar with the Sony investigation told Re/code the attackers took advantage of what’s known as a “Zero-Day” vulnerability as part of a campaign to destroy the studio’s corporate network.
These types of vulnerabilities are known as Zero-Day because the original programmer has zero days after learning about the flaw to patch the code before it can be exploited in an attack. These flaws are usually the result of errors made while writing the software, and they can give an attacker wider access to the rest of the software. Sometimes the errors are spotted by security researchers who collect bounty fees offered by software firms. More often, they remain undetected until an attack has occurred.
Zero-Day vulnerabilities are also often sold on the black market to the highest bidder, suggesting the attackers were either well-funded or working with an entity that is, such as a nation-state. It may also bolster claims by the U.S. government that North Korea was responsible for the attack.
The presence of a Zero-Day vulnerability in the investigation is a key technical detail that sheds light on how the hackers were able to get inside Sony’s network as early as September and thoroughly exploit it, undetected, until unleashing the destructive attack in late November.
Details about the vulnerability are being closely held, and it’s unclear which software was compromised. The New York Times recently reported that “spear phishing” attacks in September involved malicious code inserted into email attachments. That attack technique has been used in the past to exploit Zero-Day vulnerabilities.
It would also add weight to a claim by Kevin Mandia — founder and head of Mandiant, the security firm hired to investigate the breach — that the attack was one for which neither Sony “nor other companies could have been fully prepared.”
Sony suffered the worst corporate hack attack in history last fall when a group of attackers going by the name Guardians of Peace first crippled its network and then released sensitive corporate data on public file-sharing sites, including four unreleased feature films, business plans, contracts and the personal emails of top executives.
Mandiant, the corporate parent of the security firm FireEye, declined to comment, as did Sony and the Federal Bureau of Investigation.
The tech industry has sought to control the spread of Zero-Days by paying freelance researchers to report vulnerabilities in software to the companies that create it, or to third parties. Examples include the Zero-Day Initiative backed by TippingPoint, a unit of Hewlett-Packard. Last year, Google launched its own effort, Project Zero, hiring a team devoted to rooting out and fixing holes in software that touches the Internet.
Often vulnerabilities remain unknown to the company that created the software. When exploited by a skilled hacker, Zero-Day vulnerabilities can be useful in gaining initial access to large systems, essentially creating a beachhead that can be used to mount larger-scale intrusions, theft and the destruction of data.
Information about Zero-Days is often bought and sold in underground marketplaces specializing in computer crime. The going prices can range from as low as $5,000 to more than $250,000, depending on sophistication, age and other factors. For example, a vulnerability that applies to several variants of Microsoft’s Windows operating system is worth more than a vulnerability that applies to only one.
Sources familiar with the technical information declined to name the product or system exploited, citing the sensitivity of the ongoing investigation. One source described the software used to exploit the weakness on Sony’s systems as “well-constructed and multi-faceted,” but not exceptionally sophisticated.
Once the attackers penetrated Sony’s network, they were able to move about in what was described as a “low and slow” manner. Carefully, and over the course of several weeks, they assembled a detailed map of Sony’s corporate networks and the information to access each one.
Eventually, they pilfered hundreds of gigabytes of Sony’s most sensitive business information, including the email archives of some of its most senior executives, and released them to the public. Messages purporting to be from the attackers claimed they had taken nearly 100 terabytes of data from Sony, but the files disclosed so far amount to a few hundred gigabytes.
Zero-Days have figured in several high-profile attacks attributed to governments, including the U.S., Israel and China. They are now considered so important that governments with cyber-war operations guard information about them as if they were secret weapons. “They’re now considered part of a national arsenal for use in the future,” says Phil Lieberman of a security firm that helps companies manage their passwords and sign-on information.
The most famous exploitation of Zero-Day vulnerabilities occurred in connection with the Stuxnet attacks, a digital weapon used — allegedly by the U.S. and Israel, though never officially acknowledged — to sabotage Iran’s nuclear weapons program.
In that case, a computer worm exploiting as many as four Zero-Day vulnerabilities affecting numerous versions of Windows was packaged on USB thumb drives that were delivered to an Iranian nuclear facility by Israeli agents. By some estimates, the combination of vulnerabilities would have cost about $3 million on the black market, leading many security researchers to conclude the malware was created by a nation-state attacker, most likely the U.S. and Israel. The New York Times had first reported on the likelihood that the two nations were behind the Stuxnet attack.
Last year, security research firm iSight Partners detected a group of hackers operating in Russia that had used malware to exploit Zero-Day vulnerabilities affecting several versions of Microsoft’s Windows as part of a campaign of cyber-espionage.
In a 2011 attack, later attributed to China’s People’s Liberation Army, malicious code was inserted into a Microsoft Excel spreadsheet file sent to employees of RSA, the security division of storage and IT giant EMC. The hackers took advantage of a Zero-Day vulnerability in Adobe’s video and animation software Flash.
The attackers aimed to steal data that might compromise RSA’s SecurID tokens, keychain devices that generate constantly changing numeric codes serving as a second password, popular with numerous companies for securing their data.
In Sony’s case, the attackers claimed to be motivated by a Sony-produced comedy feature film called “The Interview,” starring Seth Rogen and James Franco, which concerns a CIA-backed plot to assassinate North Korean leader Kim Jong-un.
The FBI and President Obama have said that North Korea was involved in the attack, though many security experts have questioned that finding. North Korea has officially denied any involvement.
This article originally appeared on Recode.net.