URGENT >> BULLETIN >> MOVING: ‘North Korean Government’ Responsible For Sony Pictures Hack, FBI Says

URGENT >> BULLETIN >> MOVING: The “North Korean government” is responsible for the catastrophic hack at Sony Pictures Entertainment last month, the FBI says.

As pressure mounts for the United States to retaliate, President Obama is expected to take questions on the matter at 1:30 p.m. today.

The FBI said it was “deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States.

“Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

Threats of 9/11-style terrorist attacks against movie patrons and theaters that screened a comedic film that mocks North Korean leader Kim Jong Un and depicts him as an assassination target first caused theaters to bail on “The Interview,” a Sony film scheduled to open Christmas Day. Sony itself later withdrew the film, triggering an avalanche of criticism that it had caved in to the demands of terrorists.

As the situation evolved, it became clear that the United States viewed the attack on Sony as an attack against the country itself.

The actual hacking of Sony appears to have occurred in November, with “Guardians of Peace” taking credit. Troves of private emails and records were stolen, Sony and its employees were threatened and Sony’s computers effectively were rendered inoperable. Sony has been in PR damage-control mode for weeks, even as the firm’s intellectual property such as films not yet released fell into the hands of the hackers.

Sony quickly reported the incident to the FBI, and the swiftness aided in the probe, the agency said.

Here’s more from the FBI’s statement (italics added):

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

18 Responses to “URGENT >> BULLETIN >> MOVING: ‘North Korean Government’ Responsible For Sony Pictures Hack, FBI Says”

  1. U.S. Department of Homeland Security Secretary Jeh Johnson issues statement on Sony hack:


    The cyber attack against Sony Pictures Entertainment was not just an attack against a company and its employees. It was also an attack on our freedom of expression and way of life.

    This event underscores the importance of good cybersecurity practices to rapidly detect cyber intrusions and promote resilience throughout all of our networks. Every CEO should take this opportunity to assess their company’s cybersecurity. Every business in this country should seek to employ best practices in cybersecurity. The Department of Homeland Security and other federal agencies are here to help. We seek to raise the level of cybersecurity in both the private sector and civilian government, and provide timely information to protect all our systems against cyber threats. For businesses and other organizations that want to improve their cybersecurity, the Cybersecurity Framework is a great starting point and a great tool. It lays out best practices developed together by government and the private sector.

    We encourage all businesses and other organizations to use the Cybersecurity Framework to assess and limit cyber risks and protect against cyber threats.

    For tips and resources on how you can protect yourself and your organization from cyber threats, visit http://www.dhs.gov.


    Source: http://www.dhs.gov/news/2014/12/19/statement-secretary-johnson-cyber-attack-sony-pictures-entertainment


  2. Former U.S. Senator Chris Dodd, now the chairman of the Motion Picture Association of America, has issued a statement:


    The FBI’s announcement that North Korea is responsible for the attack on Sony Pictures is confirmation of what we suspected to be the case: that cyber terrorists, bent on wreaking havoc, have violated a major company to steal personal information, company secrets and threaten the American public.

    It is a despicable, criminal act.

    Disappointingly, that fact has been lost in a lot of the media coverage of this over the past few weeks. This situation is larger than a movie’s release or the contents of someone’s private emails.

    This is about the fact that criminals were able to hack in and steal what has now been identified as many times the volume of all of the printed material in the Library of Congress and threaten the livelihoods of thousands of Americans who work in the film and television industry, as well as the millions who simply choose to go to the movies.

    The Internet is a powerful force for good and it is deplorable that it is being used as a weapon not just by common criminals, but also, sophisticated cyber terrorists.

    We cannot allow that front to be opened again on American corporations or the American people.


    Source: http://www.mpaa.org/wp-content/uploads/2014/12/Statement-from-Senator-Dodd-on-the-Cyber-Attack-on-Sony-Pictures-Entertainment.pdf


  3. http://www.theregister.co.uk/2014/12/19/sony_hackers_stole_credentials/

    Hackers obtained system administrators’ passwords to pull off the mega-hack against Sony Pictures’ servers, according to reports. This will come as no surprise to IT professionals.

    I wonder if the password was “password”?

    “This attack technique is trivial for an insider with valid network credentials and only incrementally harder for an external actor,” according to Trey Ford, global security strategist at Rapid7.

    I hope Sony switched the server off then on again.

  4. From the comments posted from the story above I vote for this alternative hypothesis:

    The collective heads of Sony Pictures are as stupid, selfish, short-sighted and negligent as you think they are.

    Having worked for big, stupid companies like Sony I think this is more likely.

  5. Another Vulture story

    The computer security industry largely remains unconvinced North Korea is to blame for the hack attack against the movie giant, since the very notion of Norks developing malware to take revenge against a Hollywood giant is hard to swallow.

    The evidence the FBI presented on Friday is flimsy at best, he said, adding that he expected more from the agency.

  6. Appreciate you sending along those links, Tony. Plenty to think about here.

    As for the alternative theory that a former Sony person pulled this off: I don’t buy it. It would be an exceptionally extreme reaction for, say, a disgruntled former employee or contractor. If the person was American, he or she would have to know that the FBI would be on the case immediately and basically would have a blank check. There was a very high probability of getting caught.

    I think it much more likely that persons who didn’t care about getting caught or even wanted to get caught are responsible. They must perceive there was no downside to getting caught because they effectively are untouchable at their current locations.


  7. More food for thought

    Experts think it’s unlikely, if indeed it was North Korea, that the country could have acted alone. Unnamed US officials quoted by Reuters said the US was considering that people operating out of China, with its considerable cyber-attack capability, may have been involved.

    However I still favour corporate or government incompetence.

  8. Tony H: More food for thought

    From this link to the BBC:


    Mr Rogers is one of several security experts to question the use of The Interview as the obvious motive for the hack. It was not until the media made the link, Mr Rogers notes, that the hackers started mentioning the film.

    Up until that point, it was all about taking on the company, with language that hinted more at a grudge than a political statement.


    This argument has been advanced elsewhere. I would not reject it out of hand. Nor would I embrace it. Too many rabbit holes, which, perhaps, is the point.

    My instincts tell me this was far too extreme to be a grudge. Regardless, I do have to concede that the grudge theory is a simple explanation that would accommodate all the facts — and that sort of explanation tends to be the correct one.

    But if it was a grudge, it’s grudge-overkill to the extreme, thousands of additional blows after the fatal one. That’s why NORK seems much more likely to me. It just feels like the most vengeful of political attacks, as though someone got stabbed 10,000 times in the name of the Great Leader.

    As for security lapses: Only other people get cancer. Only other people suffer burglaries. Only other people experience network intrusions . . .


  9. The Interview is finally out (in the US) — watch with us live!


    I wonder if the film will live up to all the hype & publicity. Amazing how it was released just before Christmas.

  10. The United States is not backing away from its claim that North Korea is responsible for the Sony hack.

    Statement by the White House press secretary, dated today:


    Statement by the Press Secretary on the Executive Order Entitled “Imposing Additional Sanctions with Respect to North Korea”

    Today, the President issued an Executive Order (E.O.) authorizing additional sanctions on the Democratic People’s Republic of Korea. This E.O. is a response to the Government of North Korea’s ongoing provocative, destabilizing, and repressive actions and policies, particularly its destructive and coercive cyber attack on Sony Pictures Entertainment.

    The E.O. authorizes the Secretary of the Treasury to impose sanctions on individuals and entities associated with the Government of North Korea. We take seriously North Korea’s attack that aimed to create destructive financial effects on a U.S. company and to threaten artists and other individuals with the goal of restricting their right to free expression.

    As the President has said, our response to North Korea’s attack against Sony Pictures Entertainment will be proportional, and will take place at a time and in a manner of our choosing. Today’s actions are the first aspect of our response.

    Source: http://www.whitehouse.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-s


    Also: A letter from the President of the United States to the Congress:


    Letter — Imposing Additional Sanctions with Respect to North Korea

    Dear Mr. Speaker: (Dear Mr. President:)

    Pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), I hereby report that I have issued an Executive Order (the “order”) with respect to North Korea that expands the national emergency declared in Executive Order 13466 of June 26, 2008, expanded in scope in Executive Order 13551 of August 30, 2010, and relied upon for additional steps in Executive Order 13570 of April 18, 2011. The order takes additional steps to address North Korea’s continued actions that threaten the United States and others.

    In 2008, upon terminating the exercise of certain authorities under the Trading With the Enemy Act (TWEA) with respect to North Korea, the President issued Executive Order 13466 and declared a national emergency pursuant to IEEPA to deal with the unusual and extraordinary threat to the national security and foreign policy of the United States posed by the existence and risk of the proliferation of weapons-usable fissile material on the Korean Peninsula. Executive Order 13466 continued certain restrictions on North Korea and North Korean nationals that had been in place under TWEA.

    In 2010, I issued Executive Order 13551. In that order, I determined that the Government of North Korea’s continued provocative actions destabilized the Korean peninsula and imperiled U.S. Armed Forces, allies, and trading partners in the region and warranted the imposition of additional sanctions, and I expanded the national emergency declared in Executive Order 13466. In Executive Order 13551, I ordered blocked the property and interests in property of three North Korean entities and one individual listed in the Annex to that order and provided criteria under which the Secretary of the Treasury, in consultation with the Secretary of State, may designate additional persons whose property and interests in property shall be blocked.

    In 2011, I issued Executive Order 13570 to further address the national emergency with respect to North Korea and to strengthen the implementation of United Nations Security Council Resolutions 1718 and 1874. That Executive Order prohibited the direct or indirect importation of goods, services, and technology from North Korea.

    I have now determined that the provocative, destabilizing, and repressive actions and policies of the Government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014, actions in violation of United Nations Security Council Resolutions 1718, 1874, 2087, and 2094, and commission of serious human rights abuses, constitute a continuing threat to the national security, foreign policy, and economy of the United States.

    The order is not targeted at the people of North Korea, but rather is aimed at the Government of North Korea and its activities that threaten the United States and others. The order leaves in place all existing sanctions imposed under Executive Orders 13466, 13551, and 13570. It provides criteria for blocking the property and interests in property of any person determined by the Secretary of the Treasury, in consultation with the Secretary of State:

    to be an agency, instrumentality, or controlled entity of the Government of North Korea or the Workers’ Party of Korea;

    to be an official of the Government of North Korea;

    to be an official of the Workers’ Party of Korea;

    to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the Government of North Korea or any person whose property and interests in property are blocked pursuant to the order; or to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, the Government of North Korea or any person whose property and interests in property are blocked pursuant to the order.

    In addition, the order suspends entry into the United States of any alien determined to meet one or more of the above criteria.

    I have delegated to the Secretary of the Treasury the authority, in consultation with the Secretary of State, to take such actions, including the promulgation of rules and regulations, and to employ all powers granted to the President by IEEPA, as may be necessary to carry out the purposes of the order. All executive agencies are directed to take all appropriate measures within their authority to carry out the provisions of the order.

    I am enclosing a copy of the Executive Order I have issued.







  11. More analysis here:

    A statement from the Obama administration’s press secretary on Friday made it plain the latest sanctions are a direct response to the alleged cyber-attack on Sony – not, say, the death camps and the “unspeakable atrocities” committed in North Korea by the Kim government. The UN said in February 2014 that “policies established at the highest level of State” have led to crimes against humanity within the impoverished hermit nation.

    [My bold]