Was Sony The First (Hint: No)?

While The Sony hack/attack continues to capture the media’s attention with new data releases which create drama – who got caught saying what when – Bloomberg is reporting that something very similar to that happened to the Sands empire in February of this year.

Some of you are familiar with Admiral Rogers testimony (head of the NSA) last month before Congress about hackers taking down critical US infrastructure in the future – not if, but when.  Guess what.  The NSA knew all about the Sands attack from the beginning.  What Rogers didn’t say was that it had already happened.

Bloomberg reported: “But early on the chilly morning of Feb. 10, just above the casino floor, the offices of the world’s largest gaming company were gripped by chaos. Computers were flatlining, e-mail was down, most phones didn’t work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt”

The engineers at the Sands figured out what was going on within an hour – that they were under attack and that computer hard drives were getting wiped.

Hundreds of people were calling IT that their computers were dead.

Like a scene out of a movie (sorry Sony – this is not your script), Sands engineers ran across the casino floors of the Sands Vegas properties unplugging network cables of as many working computers as they could.  It didn’t matter if the computer controlled slot machines or was used by pit bosses – it got unplugged.

Unlike the Sony attack – at least as reported by Bloomberg – the attackers didn’t steal data and we certainly have not seen any data publicly released.  The attackers were angry at Sheldon Adelson, CEO of Sands, for pro-Israel, anti-Iran comments he made at a panel discussion at Yeshiva University in New York late last year.

While the Sands  organization understood physical security – both of the casinos and Adelson’s family – very well, they really didn’t get cyber security at the same level.

Even though the Sands organization was able to keep the details quiet for 10 months, they are starting to come out now.  The attackers started their attack at a smaller Sands casino in Pennsylvania, got in and used that as a path toward Vegas.

Early in the morning of February 10, 2014, the attackers launched their attack, wiping thousands of computers and servers.  By early afternoon, security engineers at the Sands saw from logs that the attackers were compressing large batches of sensitive files — likely in preparation for uploading them.

The President of Sands, Michael Leven, made the decision to pull the plug – like Sony did – and disconnect the hospitality chain from the internet.

Luckily for Sands, they used an IBM mainframe for certain functions.  The door key cards still worked, the elevators worked.  The company’s web sites, hosted by a third party, were still working, although the attackers did attempt to take those servers down the following day and did compromise them.

Since the Sands was working to do damage control,  it said only that their web site had been vandalized and that some other systems were not working.

The hackers, getting upset that they were not getting the effect that they wanted, posted a video on You Tube explaining what they had done.  While the video was removed after a few hours, the attack was no longer a secret.

So what does a company do?  One thought is to hack back.  The challenge is to figure out where.  More than likely, the attacks are coming from compromised computers all over the world (the Initial attacks on Sony came from a hotel in Thailand – are we going to blow up Thailand?).  What if the attacks are coming from – or seem to be – from a farm house in Iowa.  Are we going to send S.W.A.T. in after Ma and Pa?  You might speculate.  You might eventually have evidence.  But in the U.S. if you get caught hacking in to other people’s computers (unless you are the CIA or NSA), you will go to jail.  That is the law.

There are no easy answers unfortunately.  BUT, what is clear is that companies need to start making contingency plans because this problem is not going away.

And, as news of the Sony and Sands attacks go mainstream – maybe with others following it – attackers will only amp it up and go after more people.

To paraphrase the Boy Scouts – BE PREPARED!