FBI officially names North Korea as culprit in Sony hack

The Federal Bureau of Investigation says that North Korea is behind the cyberattack on Sony last month that's led to the release of stolen emails and social security numbers and the cancellation of The Interview. The FBI formally identified North Korea's government as the culprit in the hack this morning, following anonymous reports from US officials Wednesday evening. North Korea has been widely suspected to be behind these attacks for weeks.

"We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there," the bureau writes, saying that this hack emphasizes why cyberattacks are among the biggest national security threats. "North Korea's actions were intended to inflict significant harm on a US business and suppress the right of American citizens to express themselves. Such actions of intimidation fall outside the bounds of acceptable state behavior."

The FBI does not say what actions it will be taking in response to this attack. President Obama is expected to speak this afternoon, when he will likely explain how the US will respond to North Korea. The White House began setting expectations for his response yesterday, explaining that the response must be "proportional," as the attackers may be looking to elicit a certain reaction.

The bureau says that the malware used to attack Sony is related to malware that has previously been used by North Korea. "For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks," the bureau writes. It also saw "significant overlap" in the infrastructure used in this attack and the infrastructure used in past attacks linked to North Korea. Similar tools were used as well.

Many of these similarities have been reported in the press over the past few weeks, making these conclusions largely unsurprising. However, the FBI also notes that it used "sensitive sources and methods" in identifying the party behind this attack, and those sources and methods are not being described.

Sony first became aware of the attack in late November, when its computer systems were brought down globally. A group calling itself the "Guardians of Peace" took responsibility for the attack, and since last week it's been releasing stolen Sony files online. On Tuesday, the hackers also threatened attacks on screenings of the film The Interview, leading Sony to cancel its release.

North Korea is presumed to take issue with the content of The Interview, which is about an assassination attempt on its leader, Kim Jong-un, and depicts him dying graphically. The comedy stars Seth Rogen and James Franco and was planned for a Christmas Day release. That will no longer happen. In fact, Sony has insinuated that it may choose not to release The Interview at all, including online, on-demand, or on DVD and Blu-ray. That would amount to a big loss for Sony: The Wrap reports it's already spent around $90 million on the film, and that Sony expected to take in at least $210 million in return.

The FBI's full statement is reprinted below:

Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE). In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the "Guardians of Peace" claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.

The FBI has determined that the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees’ personally identifiable information and confidential communications. The attacks also rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.

After discovering the intrusion into its network, SPE requested the FBI’s assistance. Since then, the FBI has been working closely with the company throughout the investigation. Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack. Sony’s quick reporting facilitated the investigators’ ability to do their jobs, and ultimately to identify the source of these attacks.

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.

The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information. Further, the FBI will continue to work closely with multiple departments and agencies as well as with domestic, foreign, and private sector partners who have played a critical role in our ability to trace this and other cyber threats to their source. Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.