By Ron Benvenisti. The FBI has warned US businesses that hackers have used malicious software to launch destructive attacks in the United States, following the recent devastating cyber attack at Sony Pictures Entertainment.
The five-page confidential flash warning issued to businesses provided some technical details about the malicious software that was used in the attack, though it did not name the victim.
According to the FBI, this particular malware is capable of overwriting an infected machine’s master boot record and erasing data files stored on the machine. Some open source media outlets are making the connection between this FLASH Alert and the recent campaign that impacted Sony Pictures last week (“Sony’s New Movies Leak Following Hack,” 2014). However, the FBI issues FLASH Alerts and Advisories to the general public periodically regarding investigation findings; they make no such connection to any specific campaign or victim (“FBI Urges United States Companies to Beware Malicious Software Attacks,” 2014).
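As an added defender-side illustration (not code from the FBI alert, the author, or any vendor named here): the structure the alert says this malware overwrites is sector 0 of the disk, so one practical control is to record a baseline hash of that sector on known-good hosts and re-check it during incident triage. The script below parses a constructed 512-byte MBR (boot stub, one partition entry, 0x55AA signature), stores a SHA-256 baseline, and reports what changes when the sector is replaced wholesale. The sample MBR bytes, the partition values, and the `read_sector0` path argument are assumptions for the demonstration.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # partition table starts here in a classic MBR
PARTITION_ENTRY_SIZE = 16         # four 16-byte entries, 446..509
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not taken from any real disk): a two-byte
    'jmp $' stub padded with NOPs, one bootable NTFS-type partition entry,
    three empty entries, and the 0x55AA boot signature."""
    boot_code = b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    mbr = boot_code + entry + empty + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(sector: bytes) -> Dict:
    """Parse sector 0: boot signature, non-empty partition entries, SHA-256."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype != 0:                      # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return findings for sector 0; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if info["sha256"] != baseline_sha256:
        findings.append("sector 0 hash differs from baseline")
    return findings


def read_sector0(path: str) -> bytes:
    """Read the first sector of a raw disk image or block device (hypothetical
    path supplied by the caller; a live device needs read permission)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def simulate_overwritten_sector(sector: bytes, fill: int = 0x00) -> bytes:
    """Constructed stand-in for a destroyed sector 0 (constant fill byte),
    used only to exercise the detection logic offline."""
    return bytes([fill]) * len(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]
    print("intact sector:", check_mbr(good, baseline))
    print("overwritten sector:", check_mbr(simulate_overwritten_sector(good), baseline))
```

The baseline hash should be captured at build time and stored off-host (a host whose MBR has already been overwritten cannot be trusted to report its own baseline), and the same approach extends to hashing a small set of critical data files so that the "overwriting of data files" the alert describes is noticed before a reboot fails.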
Two cybersecurity experts who reviewed the document said that they were sure the agency was referring to the breach at the California-based unit of Sony Corp.
“This correlates with information that many of us in the security industry have been tracking,” said one of the people who reviewed the document. “It looks exactly like information from the Sony attack.”
Joshua Campbell, FBI spokesman, declined to comment when asked if the software had been used against the California-based unit of Sony Corp, though he confirmed that the agency had issued the confidential flash warning, which Reuters independently obtained.
“The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations,” he said. “This data is provided in order to help system administrators guard against the actions of persistent cyber criminals.”
The FBI does not name victims of attacks in those reports. The report said the malware overwrites data on the hard drives of computers and can make them inoperable and shut down networks.
“This malware has the capability to overwrite a victim host’s master boot record and all data files,” the report said. “The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”
Hackers have used similar malware in highly destructive attacks on businesses in South Korea and the Middle East (Iran), but security experts said that if the malware was indeed used on Sony, it would be the first large-scale attack of its type launched against a company on US soil.
The alert provided advice on how to respond to attacks and asked companies to contact the FBI if they identified similar malware.
The Federal Bureau of Investigation (FBI) released a FLASH Alert on 1 December 2014 pertaining to a recently discovered destructive malware campaign. You can contact the FBI Newark Field Office at:
Claremont Tower 11 Centre Place Newark, NJ 07102 Phone: (973) 792-3000 Fax: (973) 792-303
DISCLAIMER: This advisory is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this advisory or otherwise. Further dissemination of this advisory is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
To find out if your business is at risk for this devastating attack, feel free to contact me for a free initial analysis.
Ron Benvenisti
Business IT Risk Analyst
Integris Security LLC