Sony Pictures hacking: a whodunnit gripping Hollywood

The cyberattack on Sony Pictures became an international incident when the US government accused North Korea of involvement. Simon Wilson reports.

What happened?

Beginning on 24 November 2014, a group of hackers calling themselves Guardians of Peace (GOP) launched a massive hacking attack against Sony Pictures. They initially leaked the social security numbers of 47,000 current and former employees, published sensitive financial information, distributed copies of yet-to-be-released films, and dumped a massive trove of highly embarrassing emails. Then, on 8 December, after a week of media stories linking North Korea to the Sony hack, the GOP hackers made their first reference to The Interview, a film about two US journalists tasked by the CIA with assassinating Kim Jong-un. Amid threats of September 11th-style attacks on cinemas showing the film, cinema chains told Sony they couldn’t take the risk, and Sony took the decision to pull its release.

What was the reaction?

The reaction from investors was that Sony had done the sensible thing: its share price jumped. The reaction from Hollywood and many politicians was that it had given in to cyber blackmail. Actor Rob Lowe captured the mood, tweeting that Sony had “done Neville Chamberlain proud today”. Former House speaker Newt Gingrich wrote that “with the Sony collapse, America has lost its first cyberwar. This is a very, very dangerous precedent.” President Obama criticised Sony for giving in to cyber blackmail, and advised Americans to “go to the movies”. The US categorised the incident as “cyber vandalism” rather than terrorism, but accused North Korea of being “centrally involved” in the hacking campaign.

What does North Korea have to say?

That it is not responsible, but whoever was should be congratulated. An official statement said Pyongyang “estimates highly” the hackers’ “righteous action”, although it’s “not aware of where they are”, and accused President Obama of “making the rumour” that North Korea was responsible. As a result of this slander, “the army and people of the DPRK are fully ready to stand in confrontation with the US in all war spaces including cyber warfare space… Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole US mainland, the cesspool of terrorism, by far surpassing the ‘symmetric counteraction’ declared by Obama.”

Is this business as usual?

Yes and no. The North often uses violent rhetoric against the South and the US. Yet it rarely bothers to deny hacking claims in such forthright terms. Moreover, this statement comes from the most powerful body in North Korea, the National Defence Commission, chaired by Kim Jong-un himself. In addition, the statement includes some detailed rebuttal of the FBI’s claims that there were signs in the computer code that North Korea was behind the Sony attack.

How strong is the FBI’s evidence?

North Korea obviously has a motive, as well as a track record of hacking, but the technical evidence is far from conclusive. The FBI says that the malware used in the Sony hack resembles code used in the March 2013 attack on South Korean banks and media outlets. But once any malware is discovered, samples are shared widely among analysts; any attacker could obtain the code and adapt (“re-version”) it for their own use, so code similarity shows lineage, not authorship. The FBI also says that “several Internet Protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hard coded into the data deletion malware used in this attack”, although it’s not clear from the statement whether these IP addresses were located in North Korea or refer to servers outside the country, such as rented proxies or compromised machines, that are believed to be controlled by North Korean hackers. An address that has been used by more than one group proves little on its own.

What evidence points away from North Korea?

As Kim Zetter points out in Wired, nation-state attacks don’t generally announce themselves with taunting messages and images of blazing skeletons posted to infected computers, as happened in this case. They don’t normally give themselves catchy noms-de-hacks like “Guardians of Peace”, or mock their victims for having poor security. Nor do they typically involve massive dumps of data onto Pastebin (the “unofficial cloud repository of hackers”, as Zetter puts it). On the other hand, all these are the hallmarks of hacktivist groups such as Anonymous or LulzSec. So was it an insider bent on revenge (see box)? Is it the work of just one group, or did other groups with North Korean links jump on the bandwagon once it was rolling? And what evidence does the US have that it has so far not made public? The Interview saga is ending 2014 on a cliffhanger; 2015 looks certain to bring more plot twists.

Was the Sony hack an insider job?

It is especially significant, argues Marc Rogers, a blogger and security analyst for Cloudflare, that the hackers only latched onto The Interview after the media did. “I think the attackers both saw this as an opportunity for ‘lulz’ [mischievous fun] and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die.” In addition, it is “clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware”, it looks much more like an insider bent on revenge.
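The two technical threads in this piece, the FBI’s hard-coded IP addresses and Rogers’s hard-coded paths and passwords, both come down to pulling fixed strings out of a sample and deciding how much they prove. What follows is an added example, not code from the article, the FBI or Rogers, and it runs on a constructed byte string standing in for a wiper’s string table: every host name, address, account and password in it is invented (the RFC 5737 documentation ranges stand in for routable addresses, so the internal-address check is written explicitly against RFC 1918 and loopback rather than relying on ipaddress’s is_private, which also rejects documentation ranges). It extracts candidate IPv4 addresses, UNC paths and “net use” credentials, discards addresses that could never be an external pivot, and reports the overlap with an analyst’s equally constructed list of previously attributed infrastructure.

```python
import ipaddress
import json
import re

# Constructed stand-in for the printable strings of a wiper sample (example data,
# not the Sony malware). All hosts, addresses and credentials are invented; the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are RFC 5737 documentation ranges.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\\\\FILESRV01\\C$\\Windows\\System32\\drivers\x00"              # hard-coded internal path
    + b"net use \\\\FILESRV01\\C$ /user:CORP\\svc_backup Hunter2!\x00"  # hard-coded credential
    + b"203.0.113.45\x00"    # hard-coded external address that overlaps KNOWN_INFRA
    + b"198.51.100.7\x00"    # hard-coded external address with no prior sighting
    + b"10.0.0.1\x00"        # RFC 1918 address: an internal target, not an attribution pivot
    + b"999.1.1.1\x00"       # looks like an address to a regex but is not one
    + b"Hacked by #GOP\x00"  # taunt string of the kind the article describes
)

# Constructed list of addresses an analyst has previously tied to one actor's infrastructure.
KNOWN_INFRA = {"203.0.113.45", "203.0.113.200"}

IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
UNC_RE = re.compile(rb"\\\\[A-Za-z0-9_.-]+\\[^\x00\s]+")
NET_USE_RE = re.compile(rb"/user:([^\x00\s]+)\s+([^\x00\s]+)")

# Explicit internal ranges: ipaddress's is_private would also reject the
# documentation ranges used as stand-ins above, so the check is spelled out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_ips(blob: bytes) -> dict[str, list[str]]:
    """Split candidate IPv4 strings into routable ones (usable as pivots)
    and discarded ones (internal, or not a valid address at all)."""
    routable, discarded = [], []
    for match in IPV4_RE.finditer(blob):
        text = match.group().decode("ascii")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:            # e.g. an octet above 255
            discarded.append(text)
            continue
        if any(addr in net for net in INTERNAL_NETS):
            discarded.append(text)
        else:
            routable.append(text)
    return {"routable": routable, "discarded": discarded}


def extract_unc_paths(blob: bytes) -> list[str]:
    """Unique UNC paths (\\\\host\\share\\...), which show what the author knew about the network."""
    return sorted({m.decode("ascii", "replace") for m in UNC_RE.findall(blob)})


def extract_credentials(blob: bytes) -> list[tuple[str, str]]:
    """(account, password) pairs from hard-coded 'net use ... /user:ACCOUNT PASSWORD' strings."""
    return [(u.decode("ascii", "replace"), p.decode("ascii", "replace"))
            for u, p in NET_USE_RE.findall(blob)]


def assess(blob: bytes, known_infra: set[str]) -> dict:
    """Triage one sample's hard-coded artefacts against prior infrastructure knowledge."""
    ips = extract_ips(blob)
    return {
        "routable_ips": ips["routable"],
        "discarded_ips": ips["discarded"],
        "infra_overlap": sorted(set(ips["routable"]) & known_infra),
        "unc_paths": extract_unc_paths(blob),
        "credentials": extract_credentials(blob),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_BLOB, KNOWN_INFRA), indent=2))
```

An overlap hit is a lead, not a conclusion: it says the sample talked to a host that has been seen before, which is exactly what the FBI statement says and no more. Whether that host sits in North Korea, is a rented proxy, or is a compromised machine reused by several groups is a separate question the string table cannot answer. The UNC path and credential hits are the more telling signal for the insider question, because they show what the author knew rather than where the sample phoned home.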