Future Tense

What We Do and Don’t Know About the Sony Pictures Hack

There isn’t a lot of public Sony Hack information right now.

Photo from Chad Zuber/Shutterstock

We do know that Kanye wants to make a movie and that there’s a big pay gap between the genders at Sony. But not much information about the Sony Pictures hack itself is public right now. We don’t know who did it or even really how they did it, but here’s a rundown of where things stand.

How did it start?
Sony’s networks went down on Monday, Nov. 24, after computers displayed a red image of a skeleton and the words “Hacked By #GOP.” A Sony Pictures representative, Jean Guerin, told Reuters that there was “a system disruption” and that Sony IT was “working diligently” to fix the problem. She didn’t comment on whether the situation was a cyberattack, but rumors started swirling, and Sony quickly confirmed that it had been hacked.

Where did it come from?
At least one of the command and control servers (which control distributed malware) used in the hack is located in Bolivia. Sources also told Bloomberg that the malware was phoning home to the hackers through an IP address at a university in Thailand, and on a network at the St. Regis Bangkok. Some security experts have also speculated that the attack or some aspects of it originated in Japan, based on forensic IP address evidence.

And that’s … about it in terms of knowledge of the hack itself. It clearly penetrated deep into Sony Pictures’ networks since the hackers have been sharing hundreds of gigabytes of data. But Sony, which is working with law enforcement and FireEye Inc.’s Mandiant cybersecurity unit, is keeping details of the hack quiet. Sony Pictures did not respond to a request for comment on the nature of the hack.

Is North Korea behind this or not?
Yeah, unclear. Could the nation state itself pull this off? Are the hackers part of a group like DarkSeoul that is thought to have ties to North Korea? Did the country hire outside hackers to do this? Did North Korean sympathizers launch the attack independently? Is a disgruntled former Sony employee involved? Is it all a viral marketing campaign? No one knows yet.

Update, Dec. 17, 6:15 p.m.: The New York Times reports that U.S. officials believe the North Korean government was indeed connected to the attack. From the Times:

American intelligence officials have concluded that the North Korean government was “centrally involved” in the recent attacks on Sony Pictures’s computers, a determination reached just as Sony on Wednesday canceled its release of the comedy, which is based on a plot to assassinate Kim Jong-un, the North Korean leader.

Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign. Sony’s decision to cancel release of “The Interview” amounted to a capitulation to the threats sent out by hackers this week that they would launch attacks, perhaps on theaters themselves, if the movie was released.

This must be a pretty sophisticated hack if we still don’t know who did it, right?
The Sony Pictures hack is definitely a big deal and affects thousands of people. But in terms of how it was executed (as far as anyone knows right now), it doesn’t seem to have been particularly ingenious. Jonathan Carter, the technical director of Arxan Technologies, told Security Week on Dec. 5:

So far, the evidence seems to suggest that the Sony hack was accomplished via execution of malicious malware. Hackers typically conduct these attacks by somehow tricking the user into executing something that is malicious in nature from within a system that is sensitive in nature. The recent iOS Masque and WireLurker vulnerabilities clearly illustrate that the delivery and execution of malicious code can take some very clever approaches. In light of these recent revelations, it is reasonable to expect to see a rise in distribution of malware … via mobile devices owned by employees that have access to sensitive backend systems.

In the case of the Target breach, it took about 10 weeks to discover the identity of the hackers. And it took more than four months to track down the collective that launched the Neiman Marcus cyberattack.

Is this cyberwar?
That is an excellent question! No one knows. The hackers have now started threatening physical attacks on movie theaters that show The Interview. And some, like David Auerbach on Slate, are already calling the hackers terrorists. But we don’t know at this point what the hackers really want—aside from generally keeping Sony Pictures from making money off of The Interview—so it’s hard to predict what will happen next.

Is it just me, or has Sony been hacked before?
Yes. A bunch of times. (Remember the 2011 PlayStation hack?) Yet clearly the company did not prioritize its cybersecurity protections the way it should have. As Chester Wisniewski, a senior security advisor at Sophos, explained to Gizmodo, “Sony’s been raising the ire of hackers for as long as I can remember, so you have to think that they’ve known they’re a serious target. … I’m not justifying what these people did. But [Sony people] are kind of the perfect people to go after.”

This is ridiculous. When are companies going to start taking this stuff seriously?
Perhaps the sheer magnitude of the Sony hack, the cost of containing it, the loss of revenue, and the class action lawsuit Sony Pictures employees are now filing will all combine to motivate companies to prioritize their cybersecurity. Hacks don’t have to use novel strategies to be devestating and extremely difficult to trace. As security expert Bruce Schneier said, “That we live in the world where we aren’t sure if any given cyberattack is the work of a foreign government or a couple of guys should be scary to us all.”

Update, Dec. 17 5p.m.: Sony is cancelling the Christmas Day theatrical release of “The Interview.” The company said in a statement

In light of the decision by the majority of our exhibitors not to show the film The Interview, we have decided not to move forward with the planned December 25 theatrical release. We respect and understand our partners’ decision and, of course, completely share their paramount interest in the safety of employees and theater-goers.