Following the news of the Destover malware used against Sony, Sagie Dulce, security research engineer, Imperva and Mark James, security specialist, ESET comment:
Sagie Dulce, security research engineer, Imperva says:
“This malware is not new. It was connected to 2 previous breaches, the earliest of which happened in 2012 with the hacking of Saudi Aramco. It seems that the group in charge of the Sony hack is also responsible for the 2012 hack, and the 2013 Dark Seoul hacks.
“The malware does not simply allow attackers to wipe out hard drives, but it serves as a backdoor / RAT for attackers. Only after the attackers get what they want do they perform the wipe – making a “grand exit”. Wiping out assets could do a lot of damage, but it also tells the forensic investigators where to look. I think that criminally motivated groups and governments prefer to remain “under the radar” as much as possible. I’m not sure if the wiping trend will continue – perhaps this is a signature of a specific hack team.”
Mark James, security specialist, ESET writes: "When a large corporation like Sony is breached, masses of information are stolen. In this particular case the certificates are being used in an attempt to validate malware to trick some systems into thinking it's safe because it has a valid certificate. This will trick automated systems into validating the malware and allow it to pass through the very systems designed to stop it. When Sony were breached they should have pulled their certificates and reissued valid clean ones; some systems will have already allowed this malware into their networks, thus causing more indirect fallout from the Sony hack."