In response to a Congressional subcommittee’s inquiry into the massive data breach of its PlayStation Network that exposed the personal data of more than 100 million gamers, Sony claims to have evidence that those responsible are part of the infamous international hacktivist group “Anonymous.”
“Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack,” writes Patrick Seybold, senior director of communications for Sony, in a summary of its letter to Congress, which was posted to the PlayStation Blog. “We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named ‘Anonymous’ with the words ‘We are Legion.”
Anonymous has admitted to conducting a distributed denial of service (DDOS) attack on Sony’s website as part of #OpSony, launched in retaliation against Sony’s lawsuit of PlayStation 3 jailbreak hacker George “GeoHot” Hotz. But the loose-knit group denies having any part in hacking the PSN, and insists they were not involved in any data theft of any kind. (See video below.)
In the full letter to the Congressional Subcommittee on Commerce Manufacturing and Trade, however, Sony board chairman Kazuo Hirai offers the theory that Anonymous launched the DDoS attack, which he says occurred “at or around the same time” as the security breach, as a smokescreen to cover for the breach of the PSN — a move that distracted Sony from the true threat to its network and made the company unable to detect the security breach.
“Our security teams were working very hard to defend against denial of service attacks,” writes Hirai in the letter, “and that may have made it more difficult to detect this intrusion quickly — all perhaps by design.”
By the time the security breach occurred on April 16, however, Anonymous had officially called off #OpSony due to the fact that George Hotz had reached a settlement with the company. According to a statement released on AnonNews, Anonymous had moved its operations offline and into “the streets.”
Regardless of whether Anonymous intentionally diverted Sony’s security team for the sole purpose of initiating a “highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purpose,” or was just in it for the LULZ, Sony still places the blame for the attack firmly on Anonymous’ ambiguous shoulders.
“Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know,” Hirai writes. “In any case, those who participated in the denial of serve attacks should understand that – whether they knew it or not – they were aiding a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world.”
Sony says that it has about 12.3 million credit cards on file through the PlayStation Network, with about 5.6 million of those belonging to parties within the United States. So far, Sony says its investigation has found no evidence that the PSN security breach has resulted in a single count of fraudulent activity.
Anonymous has not yet officially responded to this new, official round of finger pointing. But as Anonymous always says: “Expect us.”
- From pranks to nuclear sabotage, this is the history of malware
- Companies are sorry about security flaws. Just not sorry enough to change
- The flu is poking holes in hospital cybersecurity, and a shot can’t save you
- If you’re a Best Buy customer, you may want to check your accounts
- Slingshot malware that attacks routers may be state-sponsored espionage tool