Sony Computer Entertainment America (SCEA) does not know who stole data from nearly 75 million customer accounts on their PlayStation and Sony Online services, but they claim to have a hunch.
In an open letter to members of the U.S. House Subcomittee on Commerce Manufacturing and Trade, the chairman of SCEA claimed that forensic researchers have discovered a file that was “planted” on their systems by hackers.
He told Congress the document only contained a single sentence: Titled “Anonymous,” it read, “We are legion.”
That is indeed an Anonymous catch-phrase, but it is not entirely clear whether this can be blamed on the group, one of its members or someone trying to make it appear as if they were involved.
In a media release pushed through a number of regular Anonymous channels, the group claims they had nothing to do with the attack on PlayStation or the theft of users’ credit card data.
“1. Anonymous has never been known to have engaged in credit card theft,” they insist. “2. Many of our corporate and governmental adversaries, on the other hand, have been known to have lied to the public about Anonymous and about their own activities.”
They went on: “3. To the contrary, Anonymous is an ironically transparent movement that allows reporters in to our operating channels to observe us at work and which has been extraordinarily candid with the press when commenting on our own activities, which is why reporters prefer to talk to us for truthful accounts of the situation rather than go to our degenerate enemies to be lied to.
“4. Whoever broke into Sony’s servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.”
SCEA chairman Kazuo Hirai, however, did not seem too certain. He noted in his letter that at the same time PlayStation was hacked, members of Anonymous had openly declared that they were launching a Distributed Denial of Service (DDoS) attack on the company’s website. He claims that may have increased their vulnerability to other attacks — “all perhaps by design,” Hirai speculates.
“Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know,” Hirai admits. “In any case, those who participated in the denial of service attacks should understand that — whether they knew it or not — they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world.”
“A group of standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track,” Anonymous maintains.
In a chat log published by Ars Technica, one member even called Sony’s letter to Congress part of “a false-flag op.”
“Anyone could leave such a file,” user BarrettBrown wrote. “We could break into a server and leave a file saying ‘Hai this is opAnon64 please arrest me!’ […] That’s the nature of a false flag op”.
The orchestration of DDoS attacks, which Anonymous clearly promoted in dozens or even hundreds of instances over the last years, is not always illegal. While many have born the hallmarks of being carried out by massive sub-networks of computers enslaved by malware without the knowledge of their owners, other DDoS attacks have been voluntary, with participants lining up to request a website do what it is made to do: serve pages. These are more akin to a sit-in protest, and some legal experts have suggested they should not be banned.
It was not clear what form of DDoS attack Sony’s websites were under at the time of the theft. Anonymous said it was launching the DDoS to protest Sony’s pursuit of hacker George “Geohot” Hotz, who figured out how to jailbreak the PlayStation 3 and install user-created software on it.
Although the U.S. government has permitted this sort of activity when it comes to iPhones and other mobile devices, Sony was able to trigger a police SWAT raid on Hotz’s home after he publicized in an Internet posting a string of numbers that unlocks the system.
Hotz and Sony have since settled the case — but now it seems another one, of much greater significance, is set to begin in earnest.
The PlayStation Network (PSN) has been down since April 19, when the data theft was discovered. It was still offline at time of this writing. The company told members of Congress it would provide affected users with access to identity theft protection services and give them a free month of access to PSN.
*Update: An original version of this article said 75 million customers’ credit cards were stolen. In fact, that has yet to be determined — and it was 75 million user accounts, not necessarily 75 million customers.