
A security researcher has found that hackers used phishing emails to penetrate Sony Pictures Entertainment’s computer networks last fall.

Stuart McClure, CEO of computer security firm Cylance, says he analyzed a downloaded database of Sony emails and in the process discovered a pattern of phishing attempts.

“We started to realize that there was constant email around Apple ID email verification, and it was in a number of inboxes,” he told POLITICO.

On Tuesday, McClure gave a talk at RSA Conference 2015 entitled “Hacking Exposed: Next Generation Attacks,” in which he detailed some of his findings.

McClure’s data suggests that many top Sony executives, including Sony Pictures CEO Michael Lynton, received fake Apple ID verification emails in mid-September that contained a link to “” Upon visiting this domain, the victim was prompted to enter his/her Apple ID information into a fake verification form.

After obtaining their Apple IDs and passwords, the hackers then presumably used these credentials in conjunction with employees’ LinkedIn profiles to figure out their Sony network login information, all in the hopes that the employees had used the same passwords for work and personal accounts.

It was these credentials that the hackers coded into a strain of malware known as “Wiper,” which succeeded in crippling the company’s computer networks.

More than a month after first gaining access to Sony’s network, the hackers posted the links to a collection of stolen documents, including financial records and the private keys to Sony’s servers.

It was later announced in early December that the North Korean government had been responsible for the hack.

According to McClure, companies need to implement safeguards that better protect user credentials if they are to avoid becoming victims of a Sony-style attack.

“The basic general guidance that I always give is that organizations should use some form of memory process injection protection,” he said. “User credentials always need to be monitored and, perhaps most importantly, password reuse needs to be avoided.”