Sony Pictures Entertainment appears to be striking back at hackers using some of the same techniques hackers use, a game plan that could become increasingly common for similarly victimized corporations.

The recent hacker attack deeply penetrated computers at Sony’s (SNE) movie-making unit, resulting in a vast trove of private information – everything from gossipy Hollywood emails to the salaries of top executives to employee medical records – being made public.

Even security experts who have spent decades fighting hackers were alarmed by the breadth and scope of the Sony attack. Kevin Mandia, CEO of cybersecurity firm Mandiant, called the crime “unparalleled” and said no company could have been fully prepared. FBI officials said the sophisticated attack would have beaten cybersecurity at 90% of private companies and governments.

After failing to keep the hackers out, Sony is now using some of the same tactics as hackers to try to limit the damage, according to reports from web sites Recode and ArsTechnica this week. Sony Pictures did not respond to requests for comment.

The hackers, an anonymous group calling itself Guardians of Peace, have been dumping the data they stole from Sony across the Internet via the same file-sharing techniques used to spread illegally pirated music and videos. Instead of placing the files on a single web site, pieces of the files are shared among thousands of users' computers and linked up through BitTorrent software.

So Sony has been connecting thousands of its own computers to the same BitTorrent networks, but with phony versions of the files that appear to be legitimate, according to the ArsTechnica report. Data seekers who download the phony files also share them further, creating massive congestion that makes it more difficult to download the actual stolen files.

As hackers are able to penetrate ever-more secure targets, corporations have to change their responses, too, says Marc Gaffan, CEO of Incapsula, a firm that helps ward off cyber attacks.

“As it becomes a question of when it happens, not if it happens, organizations are changing so they can react quickly,” he says.

But companies must be careful to stay within the bounds of the law. Recode’s report described Sony’s countermeasures as a denial of service attack. Commonly used by hackers, such an attack typically seeks to overwhelm a web site with millions of bogus requests for data, effectively knocking the site out of commission.

Denial of service attacks like that are unlawful in the U.S., so companies must be sure to strike back legally, Gaffan says. “There are many precedents of taking action within the rules of the game, either to strike back or to minimize the effect of an attack,” he says.

Sony is a customer of Amazon’s (AMZN) cloud services unit, which could have been used to launch the counterattack, Recode reported. But Amazon on Wednesday denied such actions were “currently happening” on its platform.

Denial of service attacks can also disrupt Internet service providers and other bystanders, notes cybersecurity researcher Qijun Gu, an associate professor at Texas State University. “I don’t think that’s ethical,” he says.

Gu also isn’t convinced that counterattacks like Sony’s do much good, as the stolen data can spread so quickly and broadly. Similar efforts used to stop people from downloading pirated movies haven’t proven effective, for example.

“There’s really no effective, efficient technology to fight back,” Gu says. “It’s a last resort.”
