North Korea’s Fingerprints Said Found in Sony Hacking

Signage is displayed outside of the Sony Pictures Entertainment Inc. Studios building in Culver City, California, U.S. Photographer: Jonathan Alcorn/Bloomberg

North Korea may have had a hand in a digital attack against Sony Pictures that used destructive malware to disable systems and destroy data, according to two people with knowledge of the investigation.

Some of the malware contained Korean language code, and other aspects of the breach bear important similarities to attacks that wiped out the computers of South Korean banks and broadcasters in March 2013, said the people, who weren’t authorized to speak publicly and asked not to be identified.

The FBI sent a flash alert to U.S. companies about the malware on Dec. 1, mentioning the use of Korean language, while not linking it directly to the Nov. 25 attack on Sony Corp.’s Culver City, California-based entertainment unit. One of the people confirmed the alert refers to malware in the Sony case.

“We consider that the theories regarding the attribution to North Korea are credible,” said John Hultquist, senior cyber espionage practice lead at iSight Partners, a Dallas-based cybersecurity company.

ISight isn’t involved in the Sony investigation. It has analyzed other destructive attacks linked to North Korean hackers, Hultquist said.

The malware, designed by unknown operators, has the ability to overwrite data files, including what’s called the master boot record, making computers unusable, the FBI said in its five-page alert to companies.

The use of destructive malware has been a hallmark of North Korean attacks, including devastating attacks last year against some of South Korea’s largest banks and at least two major television broadcasters.

Security Consultant

North Korea’s UN mission didn’t immediately respond to an e-mail request for comment. When asked about the attack, a spokesman for North Korea’s UN mission told the BBC: “The hostile forces are relating everything to the DPRK (North Korea). I kindly advise you to just wait and see.”

Sony hasn’t independently confirmed a link to North Korea, according to a person with knowledge of the matter who wasn’t authorized to speak publicly and requested anonymity.

The entertainment unit has hired the security consultants Mandiant, a unit of FireEye, to assist in the recovery, the person said. Some systems, such as e-mail, are back online but aren’t fully operational, the person added.

Mandiant didn’t respond to requests for comment.

Sony has managed to make progress on its promotional campaigns for annual film awards and other matters, even though the attack hit at a particularly busy time for the industry, the person said. The hacking led to the leak of the details of executive pay at Sony Pictures, according to Fusion, an ABC-Univision owned news group.

Crippling Assault

The attack on Sony crippled its computer systems, forcing some employees to communicate by text message.

The attackers also were able to obtain copies of recent and imminent motion-picture releases that were then posted on the Internet for download.

The breach occurred a month before the scheduled release of “The Interview,” a comedy about a CIA plot to kill North Korea’s leader, Kim Jong-Un.

The Seth Rogen film, currently advertised for release on Dec. 25, features Rogen and James Franco as TV producers who are recruited by the Central Intelligence Agency to assassinate Kim. Plans for the film drew a rebuke from the country, with a foreign ministry spokesman saying in state media that the release would be an “act of war,” according to the BBC.

“In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations,” Joshua Campbell, a bureau spokesman, said in an e-mail. “This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”
