How did North Korea take control of Sony Pictures' servers?

On the Monday before Thanksgiving, Sony Pictures was attacked by North Korea. The studio is still holding off on its official announcement, but by now it seems clear that the attack came in retaliation for the upcoming film The Interview, a comedy about an attempt to kill North Korean leader Kim Jong-un. North Korean officials had denounced the film as an act of war, and with the attack public, North Korean leaders have yet to deny the country is responsible.

It's the first time a foreign nation has targeted a Hollywood studio, and despite North Korea's numerous threats, it's not something anyone expected. But while Sony recovers, the attack has already raised larger questions about civilian vulnerability to cyberattacks, and how much damage a rogue state with a grudge can really do.

The biggest question so far is simply how the attackers got their first foothold. The initial list of leaked files contained everything from sensitive financial documents to downloaded podcasts, suggesting it was pulled en masse from a company server. We don't know how that server was compromised yet, but phishing attacks and delayed fallout from a recent PlayStation attack are high on the list. Luckily for the North Koreans, the dump seems to have contained enough password files to get them full access to the system.

From there, they caused as much trouble as possible. The entire corporate system locked up, showing a red skeleton that announced as bluntly as possible, "You've been hacked by #GOP." Hard drives were wiped, email accounts froze and employees were cautioned not to connect to the office Wi-Fi. Sony Pictures employees were forced to do business on landlines and fax machines, according to The LA Times.

Sony is working with Mandiant and the FBI to clean up the damage, but the larger concern is the bulk of data that's leaked onto the web. Five of the studio's films have already leaked onto torrent sites (four of which have not yet premiered in theaters), and in the days since the hack, the attackers have released more sensitive data through torrents and sharing services like Mega and Rapidgator, playing whack-a-mole with the feds who are trying to keep the information contained. Each time a torrent link is taken down, the attackers email a new link to journalists, many of whom have been happy to run with the scoop.

But while Sony struggles to regain control of its data, the attackers seem more interested in spreading chaos than causing lasting damage. Lots of sensitive financial information was shared in the file dump, but it's unlikely any of it will be used for identity theft simply because it was made available so publicly, attracting the attention of the FBI at a very early stage. Other data, like employee salaries and scripts in development, seem more likely to cause PR damage than lasting financial harm.

That's not to say Sony isn't suffering. This has certainly been an intense week for the studio and anyone who works there, and it remains to be seen how much the early torrent leaks will cost the company at the box office. But unlike recent breaches at Home Depot and various government agencies, the purpose of this attack wasn't to steal money or extract compromising information. At every stage, the attackers' goal was to make life miserable for Sony Pictures employees, causing as much noise as possible along the way. If they made the attack noisy enough and scary enough, we might listen the next time North Korea rattles its sabers and back off.

It's not a particularly noble or intricate plan, but judging by the headlines, it seems to be working.