Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Anatomy of a breach: Sony

Data Security

Our new UBA Threat Models are built on a kill chain, in order to protect your data throughout the entire life cycle of a data breach.

But what does that mean, exactly?   Let’s take a look at the anatomy of a breach.

How did the Sony breach happen?

We know a few things for certain: a group called Guardians of Peace (GoP) claims to have taken over 100 terabytes of data, they used Wiper malware on the infrastructure to erase data from the servers, and released an alarming amount of unstructured data: from over 47,000 social security numbers to an early script of Spectre to over 170,000 confidential (and at times embarrassing) emails between executives.

Let’s go through the kill chain and figure out how it might have happened, step by step.


The attackers used phishing emails to steal credentials – in this case, it’s likely that they used fake apple ID verification emails to get personal information and passwords, which, when combined with public information from sources like LinkedIn and Facebook profiles, gave them enough information to get into the network.

They then likely downloaded additional recon/network mapping tools to map the environment.  The attackers released detailed network diagrams gathered from found documents.


Wiper malware dropped on servers (with embedded employee credentials for execution) – wiper malware destroys data on windows computers, while spreading itself across network files to further attack windows servers.  The latest evidence in the case suggests that the intrusion had been happening for more than a year before its discovery.

Lateral Movement

Attackers searched the file servers to locate password files so they could continue to expand, or elevate rights and permissions.  They later released massive amounts of files (most even with “password” in the name) containing usernames, and passwords for everything from internal systems to corporate Twitter accounts: one document released from the HR\Benefits directory, for example, contained 402 social security numbers, internal emails, plain-text passwords, and employee names.

Privilege Escalation

Through recon and lateral movement, the attackers were able to discover treasure troves of plain-text passwords which gave them even more access to everything they needed to own the organization.  They were even able to obtain certificates and RSA token information to secure their foothold.   A new piece of malware called Destover was later spotted in the wild using stolen Sony certificates.

Data Exfiltration

Hundreds of GB of sensitive data was released, mostly comprised of unstructured data (PDFs, Word docs, Excel documents, PowerPoint presentations, text files, video files, email, etc.) containing everything from personally identifiable information (PII) for celebrities and current/former employees, confidential business documents including budgets, scripts, and upcoming projects, unreleased films, and internal correspondence.

What now?

A year later, and Sony is still dealing with the devastating aftermath of the breach.  Business is disrupted, reputations fractured, and millions of dollars allocated to settle claims from the breach over identity theft losses.

All because hackers got inside the network, and nobody was watching the unstructured data from the inside.


Sarah Hospelhorn

Sarah Hospelhorn

Based in Brooklyn, NY, Sarah focuses on the strategy behind solving problems in data security. She’s been in tech for over 20 years, with experience in software, hardware, and cryptography.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.