How Did North Korea Hack into Sony? The Old-Fashioned Way…


The #SonyHack was one of, if not the most, devastating cyber attacks executed upon a corporation in history — wreaking havoc on the lives of Sony employees, the Hollywood elite, and Sony Pictures co-chairman, Amy Pascal, who resigned today.

What is most telling about the hack is that it all began with the simplest of tactics.

Go Phish

During the National Security Administration’s investigation into the hack, they were able to track down not only the source but also the method: a phishing attack.

North Korean four-star general Kim Yong Chol reportedly had given the order to go after Sony, and members of the country’s elite hacking unit, 6,000 hackers strong, based in both North Korea and China, began “spear-phishing,” sending e-mails that, with one click by a Sony employee, would allow the hackers access to, and eventual control of, Sony’s computer network.
Without raising the suspicions of the National Security Agency—accustomed to North Korea’s constant barrage of phishing—the hackers spent from September to mid-November of last year “mapping Sony’s computer systems, identifying critical files and planning how to destroy computers and servers,” according to the [New York] Times, before identifying themselves as the G.O.P. and launching the attack that shut down Sony.
Source: Vanity Fair

Via elementary spear-phishing tactics, the North Korean hackers were able to steal the credentials of a systems administrator at Sony, with which they freely roamed Sony’s servers for months, undetected.

The fact that a system administrator, a.k.a. someone who works in IT and therefore should know better, was gullible enough to fall victim to a phishing scam, is alarming.

But then again, this is the same company that stored passwords in a folder labeled Passwords. No joke.

If there’s one lesson every corporate leader should glean from the Sony Hack…

…it’s that it is MISSION CRITICAL to:

1. Stress to ALL employees the importance of not opening or clicking links within a spam email;

2. Set up internal processes in which it becomes second nature for all employees to report spam to the IT department; and

3. Ensure the IT department is adequately staffed with dedicated cyber security experts whose sole job is to monitor and defend against any and all suspicious activity.