Did Anonymous Hack Sony's PlayStation Network or Not?

In response to a congressional inquiry, Sony on Wednesday released more information about the hack that has disrupted its PlayStation Network since April 20. Among the details revealed by Sony was the fact that one of its servers had a file called "Anonymous."

Earlier this week, Sony said that the breach has also disrupted its Sony Online Entertainment gaming site. In uncovering the hack, SOE "also discovered that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion,'" Kazuo Hirai, Sony chairman, wrote to the House Subcommittee on Commerce, Manufacturing, and Trade.

The group Anonymous goes by the tagline "We are Anonymous. We are Legion. We do not forgive. We do not forget. You should have expected us."

"Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group Anonymous. The attacks were coordinated against Sony as a protest for exercising its rights in a civil action in the United States Court in San Francisco against a hacker," Hirai wrote.

That would be George "geohot" Hotz, who hacked the PS3 and posted his workaround on the Web. Hotz recently settled with Sony, and denied any involvement in the PSN hack. He also urged those responsible not to sell people's information.

Anonymous is a clandestine group that operates "Operation Payback" and reportedly includes members of the "/b/" bulletin board on 4chan.org. Typically, the group organizes distributed denial of service (DDoS) attacks against the computer systems of those with whom they disagree, including credit card companies that dropped support for WikiLeaks, music labels that go after copyright infringers, and Sony.

Last month, Anonymous organized a 24-hour, in-store boycott at Sony stores around the world on April 16. That came several days after the group attacked Sony-branded Web sites to protest Sony's lawsuits against PS3 hackers. An Anonymous offshoot known as "SonyRecon" also targeted individual Sony employees.

However, last month Anonymous officially denied any involvement in the Sony PlayStation hack. "For once we didn't do it," according to a press release posted on the group's Web site.

"While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened," according to the statement and a YouTube video.

At the time, Anonymous suggested that the problem was "an internal problem with the company's servers."

The group has not updated its Web site, Twitter feed, or Facebook page since Sony released its letter to the subcommittee. Anonymous did not immediately respond to an emailed request for comment.

In its letter, Sony said the attack on its systems was "very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes."

Sony said one or more cybercriminals gained access to the PlayStation Network servers around the same time that its servers were experiencing a denial-of-service attack, an intrusion Sony did not immediately detect due to its "sheer sophistication."

"Detection was difficult because the criminal hackers exploited a system software vulnerability," Hirai wrote. He also said Sony's security teams were busy working to deflect the DDoS attacks, which might "have made it more difficult to detect this intrusion quickly—all perhaps by design," he wrote.

Hirai acknowledged that the DDoS participants might have been duped into providing cover for a very clever thief, but "we may never know."

Hirai said Sony contacted the FBI two days after the intrusion was detected and set up a meeting for April 27. At the time, the security firm hired by Sony to evaluate the damage had not yet determined the scope of the attack. Starting on April 26, the day it publicly disclosed the hack, Sony said it also notified regulatory authorities in about a dozen states.

Sony reiterated that the complex nature of the hack stopped it from discussing the issue publicly. The company "was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence," Hirai wrote.

At this point, Sony believes it knows how the intrusion occurred, but is "reluctant to make full details publicly available" because that info might be used to launch another attack. Sony does not know who is responsible, Hirai said.

One of the major concerns in this case was whether the hackers obtained people's credit card information. Sony said it has about 12.3 million credit cards on file via its PlayStation Network system, about 5.6 million of which are in the United States. Sony said credit card companies have not reported any fraudulent charges related to the hack.