Sony Pictures Entertainment appears to be striking back at hackers using some of the same techniques hackers use, a game plan that could become increasingly common for similarly victimized corporations.
The recent hacker attack deeply penetrated computers at Sony’s (SNE) movie-making unit, resulting in a vast trove of private information – everything from gossipy Hollywood emails to the salaries of top executives to employee medical records – being made public.
Even security experts who have spent decades fighting hackers were alarmed by the breadth and scope of the Sony attack. Kevin Mandia, CEO of cybersecurity firm Mandiant, called the crime “unparalleled” and said no company could have been fully prepared. FBI officials said the sophisticated attack would have beaten cybersecurity at 90% of private companies and governments.
After failing to keep the hackers out, Sony is now using some of the same tactics as hackers to try to limit the damage, according to reports from web sites Recode and ArsTechnica this week. Sony Pictures did not respond to requests for comment.
The hackers, an anonymous group calling itself Guardians of Peace, have been dumping the data they stole from Sony across the Internet via the same file-sharing techniques used to spread illegally pirated music and videos. Instead of placing the files on a single web site, pieces of the files are shared among thousands of users' computers and linked up through BitTorrent software.
So Sony has been connecting thousands of its own computers to the same BitTorrent networks, but with phony versions of the files that appear to be legitimate, according to the ArsTechnica report. Data seekers who download the phony files also share them further, creating massive congestion that makes it more difficult to download the actual stolen files.
As hackers are able to penetrate ever-more secure targets, corporations have to change their responses, too, says Marc Gaffan, CEO of Incapsula, a firm that helps ward off cyber attacks.
“As it becomes a question of when it happens, not if it happens, organizations are changing so they can react quickly,” he says.
But companies must be careful to stay within the bounds of the law. Recode’s report described Sony’s countermeasures as a denial of service attack. Commonly used by hackers, such an attack typically seeks to overwhelm a web site with millions of bogus requests for data, effectively knocking the site out of commission.
Denial of service attacks like that are unlawful in the U.S., so companies must be sure to strike back legally, Gaffan says. “There are many precedents of taking action within the rules of the game, either to strike back or to minimize the effect of an attack,” he says.