Investigators say a crippling cyberattack against Sony Pictures Entertainment was probably the work of North Korea, in what would be the first known case of the reclusive nation using its growing hacking capability to cause major disruptions to a company in the United States.
The attack brought Sony, one of Hollywood’s biggest studios, to a near-standstill last week, forcing employees to use paper and pens instead of their computers. Hackers also deleted files from hard drives, uploaded several unreleased films to the Internet and leaked sensitive personal information regarding thousands of Sony employees.
The cyberattack may have come in retaliation for Sony’s upcoming movie “The Interview,” a comedy built around a fictional CIA plot to kill North Korea’s 31-year-old supreme leader, Kim Jong Un, say people familiar with the probe who spoke on the condition of anonymity because the investigation is not complete.
North Korean officials have repeatedly complained about the movie — which is due to open in theaters on Christmas Day — warning of “stern” and “merciless” retaliation. On Tuesday, a North Korean government spokesman declined to comment on whether it was behind the Sony incident, according to a report by BBC News that quoted the spokesman as saying, “Wait and see.”
If investigators’ beliefs turn out to be true, the hack on Sony would mark a troubling new development at the intersection of international relations, commerce and cyberspace.
“This is a step beyond what they’ve done in the past, but it’s a logical trajectory for them,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies. He said he did not have definitive knowledge that North Korea was responsible for the Sony hack but noted that it shared characteristics of cyberattacks by North Korea against South Korean companies.
Banks in South Korea were hit last year by a virus that deleted data from hard drives in a cyberattack campaign that investigators dubbed “Dark Seoul.” Jaime Blasco, labs director for the security firm AlienVault, said analyses of the malicious software used in that attack and the one against Sony show similarities. “The techniques and code are similar in both,” Blasco said. Dark Seoul was attributed to North Korea by the cybersecurity firm CrowdStrike, which dubbed the hacker group Silent Chollima.
Foreign-government hackers for years have stolen information from U.S. companies and in some cases disrupted online operations, but the cyberattack against Sony Pictures has been unusually intrusive and seemingly vengeful.
Disruptions to computer systems began in the days before Thanksgiving, and this week private company records were made available online, according to various media reports. The records have included employee salaries, evaluations by their managers and Social Security numbers, the Web site Fusion has reported.
The company did not comment directly on reports of possible North Korean responsibility for the attack but issued a statement saying: “Sony Pictures continues to work through issues related to what was clearly a cyber attack last week. The company has restored a number of important services to ensure ongoing business continuity and is working closely with law enforcement officials to investigate the matter.”
The FBI, which is investigating the Sony hack, declined to comment on who was behind it. On Monday, the bureau issued a flash warning to businesses about “destructive malware,” though it did not specifically link the alert to the Sony hack. The alert noted that the malware was written in the Korean language and was capable of overriding data on hard drives and erasing data files stored on machines.
In “The Interview,” Seth Rogen and James Franco play a producer and talk-show host who are headed to North Korea for an exclusive interview with Kim and are then tasked by the CIA with killing him. North Korean officials also complained to the United Nations and the United States about the film.
A State Department official, speaking on the condition of anonymity, declined to comment on allegations about North Korea but said: “We are of course aware of reports about North Korean concerns about this movie. While it may be difficult for [North Korea] to understand the concept, in the United States, entertainers are free to make movies of their choosing.”
The investigation into the attack could take months, and some media outlets have pointed to the possibility that current or former employees could be responsible for the leaked information. A person familiar with the investigation said that is not likely.
The hack “sounds like one of Sony’s own movie plots,” said Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative. “As crazy as the North Koreans are, most of us would have completely dismissed this as a ridiculous plot for a Hollywood movie.”
Though disruptive, he said, the attack shows how cyberattack techniques are not “a strategic weapon that terrorizes societies and brings down infrastructure.” But it also shows “that nations are increasingly comfortable with using cyber in this gray area between peace and war.”
The State Department has attempted to establish norms of responsible state behavior in cyberspace, aimed at promoting the use of cybertechnology for peaceful purposes, but rogue countries such as North Korea are among the most resistant.
Healey said the U.S. government should speak up if North Korea is proved to be behind the incident and establish the norm that civilian targets should not be subject to cyberattacks. “If we’re saying it’s okay to hack companies that are saying things you don’t like, is Twitter going to be next? Is Facebook going to be next?”
The wave of cyberattacks against large U.S. retailers, including Target and Home Depot, over the past year has made hacks feel like a fact of life for many consumers. But the cyberattack against Sony was more strikingly disruptive.
“It is now apparent that a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents,” said a memo from Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal, according to a copy obtained by the Hollywood Reporter. “While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession.”
The posting of employee information online came a week after Sony employees reportedly were met with computers displaying images of a neon red skull and a message proclaiming the company had been hacked by “#GOP,” said to stand for “Guardians of Peace.”
“If it’s true that North Korea was behind it, it almost seems to be taking a tool from the methods of terrorists who try to hurt innocent civilians to attack a country or a company,” said Jules Polonetsky, executive director of the Future of Privacy Forum. “They’ve apparently gone to great lengths to personally hurt individuals who are working at the company to assert displeasure at the company.”