Wikimedia/Vincent Diamante
Sony has found a culprit to blame for the intrusion into its networks – the loosely organized "hacktivist" group Anonymous.
In a letter responding to questions posed by the U.S. House Subcommittee on Commerce, Manufacturing and Trade, the company repeatedly pointed its finger at Anonymous, accusing the group of being at best unwitting dupes who paved the way for cybercriminals to steal user data from 102 million accounts with the PlayStation Network, Sony Online Entertainment and Qriocity.
Anonymous has said it was not involved in the Sony data breach, and its continuous Twitter feeds, which are used to organize its online actions, have not mentioned Sony.
[ What to Do If You're Affected by the Sony Data Breach ]
"Sony now faces a large-scale cyber-attack involving the theft of personal information," the letter begins after thanking the subcommittee leaders. "This cyber-attack came shortly after Sony Computer Entertainment America was the subject of denial of service attacks launched against several Sony companies and threats made against both Sony and its executives in retaliation for enforcing intellectual property rights in U.S. Federal Court."
On April 4, Anonymous began a distributed denial-of-service (DDoS) attack on Sony websites, including the U.S. PlayStation site, in support of hacker George Hotz, who had posted on the Internet a code allowing users to modify their PlayStation 3 game consoles and then been sued by Sony.
However, the attack was largely unsuccessful, causing Sony sites to go down for only a short while. Following protests from the online gaming community, the Anonymous DDoS attack was called off on April 11, the same day that Sony revealed that it had secretly settled its case with Hotz nearly two weeks earlier.
Smoking gun -- or diversion?
The letter to the House subcommittee, signed by Sony Computer Entertainment America head Kazuo Hirai, also says that an Anonymous "calling card" was found on one of the breached servers.
"When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion.'"
"We are Legion" is one of Anonymous' well-known mottoes, which any hacker would have known.
While the letter does not flatly state that Anonymous members carried out the data theft, it does say that the DDoS attack allowed the theft, which began about a week later, to happen.
"Our security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect this intrusion quickly – all perhaps by design," it reads. "Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know."
'Professional, sophisticated' operation
Despite its presentation of evidence against Anonymous, the letter characterizes the data breach itself as "a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes."
It also mentions large amounts of data being transferred out of the servers, and methodical database queries to collect as much account information as possible.
Those are methods that would be used by professional online criminals of the Eastern European variety. Anonymous' motives have almost always been political, and it has never profited from its activities.
It is possible that the DDoS attack, which itself was not a network intrusion, distracted Sony's administrators enough so that they did not notice someone slipping into their servers. But all indications are that the breach began nearly a week later.
The letter stated that Sony was confident it had discovered how the intrusion occurred, but was "reluctant to make full details publicly available" for legal and security reasons.
In response to a question asking whether Sony had identified the persons responsible for the intrusion, the letter replied with one word: "No."
- Sony Blows Off Congressional Hearing on Data Breaches
- Sony Shuts Down Third Network; 100 Million Accounts Affected
- How to Create and Remember Super-Secure Passwords