Sony Pictures Hacked by North Korea – Black Market Malware
A strange turn of events began with a conversation that ultimately led to one of the worst hacks in recent history. The conversation was between screenwriter Evan Goldberg and actor Seth Rogen, joking about making a comedy about assassinating the leader of North Korea, Kim Jong-un. In March 2013, this joke became reality when Sony Pictures Entertainment announced that both Goldberg and Rogen would direct the comedy movie, The Interview.
The studio thought it had tremendous potential working with Seth Rogen, who seemed to be popular everywhere, and James Franco taking the lead in a “comedy” targeted for a Christmas 2014 release. The plot of The Interview is now well known. A doltish tabloid talk-show host played by James Franco and his bosom-buddy producer (Seth Rogen) are invited to North Korea to interview Kim Jong-un, who’s a secret fan of their program. The CIA then enlists the pair to assassinate Kim. It all ends with Kim’s fiery death in a helicopter, which Franco’s and Rogen’s characters gun down from a commandeered tank. Needless to say, North Korea saw no humor whatsoever in a movie depicting the killing of their country’s leader.
On Monday, Nov. 24, 2014, a crushing cyberattack was launched on Sony Pictures Entertainment in Hollywood, California. Employees logging on to their network were met with the sound of gunfire, scrolling threats, and the menacing image of a fiery skeleton looming over the tiny zombified heads of the studio’s top two executives.
Before Sony’s IT staff could pull the plug, the hackers’ malware had leaped from machine to machine throughout the lot and across continents, wiping out half of Sony’s global network. It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. To make sure nothing could be recovered, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data seven different ways. When that was done, the code zapped each computer’s startup software, rendering the machines brain-dead.
The hackers had actually first broken in to Sony’s internal systems a few months earlier to plant pieces of the malware. From the moment the malware was launched, it took just one hour to throw Sony Pictures back into the 1980s era of the Betamax. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.
That was only the beginning of Sony’s horror story. Before destroying the company’s data, the hackers had stolen it. Over the next three weeks they dumped nine batches of confidential files onto public file-sharing sites: everything from unfinished movie scripts and mortifying emails to salary lists and more than 47,000 Social Security numbers. Five Sony films, four of them unreleased, were leaked to piracy websites for free viewing.
Then the hackers threatened a 9/11-style attack against theaters, prompting Sony to abandon The Interview’s Christmas release. A week later, after an uproar, the studio announced it would make the movie available, after all, through video on demand and in a few hundred theaters.
On Dec. 19 the FBI blamed the hack on North Korea, which had issued threats over the film. The White House followed with economic sanctions. Sony was pilloried both for horrendous judgment (for making a comedy depicting the killing of North Korea’s sovereign leader) and its seeming capitulation (for its initial refusal to show the film). In its darkest hours Sony drew zero support from Hollywood—and a blast from President Obama. Sony’s traumatized employees face an ongoing threat of identity theft.
In Sony’s view, the company is a blameless victim. In a Dec 2014 interview with National Public Radio, Sony Pictures CEO, Michael Lynton, insisted his company was “extremely well prepared for conventional cybersecurity,” but faced “the worst cyberattack in U.S. history.” Lynton has no plans to fire or discipline anyone. The CEO’s reasoning rests on the belief that because Sony’s assailant was a foreign government, with far more resources than a renegade band of hackers, what happened was unstoppable. His view was that the studio simply faced an unfair fight.
The FBI released a statement also in Dec 2014, saying, “In close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.” The FBI cited technical analysis that showed similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks along with several Internet protocol (IP) addresses associated with known North Korean infrastructure.
What happened at Sony stands as a landmark event. It struck terror in boardrooms throughout corporate America. Countless large companies have been victimized by hacking on a massive scale, including Target, Anthem Health Care, Home Depot, and J.P. Morgan, suffering incursions for profit-oriented data theft or corporate espionage. But for the most part, previous corporate invasions have afflicted customers and employees, not the businesses directly. The Sony Pictures hack showed how attackers could bring a company itself to its knees.
Sony had access to the Critical Controls identified by the US Government Office of Cybercrime and by a myriad of security consulting companies. Utilizing even a few of the Critical Controls, such as malware defenses, monitoring, audit logs, encryption, controlled use of administrative credentials, and incident response, could have provided the necessary defenses to prevent this 1990s hacker movie from turning into reality.
1a. Was Sony negligent for getting hacked? Explain techniques Sony could have utilized to better protect its digital systems from hackers. [Students may research the latest security techniques organizations (including Sony) use to protect themselves from hackers.]
b. When should the U.S. government get involved? When it did, earlier, later, or not at all?
c. Should threats of cyber-destruction be taken as seriously as threats of direct physical attacks? Explain with an example.