In the release they describe the workings of the malware. It attacks the MBR and all data files. After infection the infected systems to connect to one of three random, one of these three IP addresses (88.53.215.64, 217.96.33.164, 203.131.222.102) via either port 8080 or 8000.
Sony Pictures Entertainment is dealing with the aftermath of a massive infection that must be keeping them very busy and many people out of work.

Snort can be configured to detect the traffic. The FBI also release the following siganture:

Alert tcp any any – > [88.53.215.64, 217.96.33.164, 203.131.222.102] [8080, 8000] (msg: “wiper_callout”;
dsize:42; content: “|ff ff ff ff|”; offset: 26; depth: 4; sid: 314;

It’s time to check your log files and check if those IPs are listed as destination IPs in any of your traffic or log data.

Wondering what the level of forensics, if the incident response teams were in place to handle the incidents and aftermath. Is it based on NIST 800-61?

Who could it been? Russia, China, Venezuela, Brazil, a teenager from a basement?

On this day and age as soon as an organization is breach we get to read about the dirty details, the how, and more especially the who. How come we are not hearing these this time around?

The security community deserves an explanation and more importantly tax payers have the right to know.