Before August 2014, not many people were aware of a movie called The Interview, distributed by Sony Pictures, produced by Columbia Pictures (owned by Sony), and starring Seth Rogen and James Franco. The film depicts a talk-show host and his producer who, knowing that North Korean leader Kim Jong-un is a fan of their show, ask Kim for an interview. The CIA, learning that the two have been invited to North Korea, requests that they help assassinate Kim while there. The duo goes on a wild ride into North Korea, where they carry out their mission.
North Korea considered the movie to be in poor taste, calling it “the movie of terrorism”; they were clearly not happy about an American film depicting the assassination of their current leader. In November 2014 the “Guardians of Peace” hacked the computer networks of Sony Pictures and leaked emails, employee records, and even several unreleased films. The Guardians of Peace extorted Sony by threatening further releases of confidential company information if it went ahead and distributed the film, and even threatened attacks against theaters that would show it. This led to the cancellation of the theatrical release, and the film was eventually released on Christmas Day (12/25/2014). The entire event cost Sony millions of dollars, not just from the cost of The Interview but from all of the other data that was released to the public.
My main objective in building out this chain was to replicate at least some artifacts from the attack. The agent location and communication on the target machine are similar. The registry edits made on the target machine to provide agent persistence are exact and still work on fully updated Windows 10 machines. I have also included a TTP that kills the processes that GOP killed on the target. Many of these processes will not be present on most machines, since they are related to Microsoft SQL, but they are interesting because they relate to the attackers tampering with the databases. I then took a different approach to data exfiltration, adding a new exfiltration method that can be used outside this chain. It is cloud-based, and I like it because I believe it will be harder for the user to detect. Lastly, we use the GOP image opened in a web browser, which is the same method used during the attack. The Guardians of Peace claimed they stayed resident on target machines for months, pulling data as opportunities arose. This chain will allow you to stay resident on the target and exfiltrate data to a safe location.
Thanks for reading! We’ll be back next week with more examples of APT38 tradecraft!
Watch a demonstration: APT38 Sony Hack
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman