US Said to Find North Korea Ordered Cyberattack on Sony – New York Times

Sony dropped plans to release “The Interview.”
By DAVID E. SANGER and NICOLE PERLROTH
December 17, 2014

WASHINGTON — American officials have concluded that North Korea ordered the attacks on Sony Pictures’s computers, a determination reached as the studio decided Wednesday to cancel the release of a movie comedy about the assassination of Kim Jong-un and that is believed to have led to the hacking.

Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was debating whether to publicly accuse North Korea of what amounts to a cyberterrorism attack. Sony capitulated after the hackers threatened additional attacks, perhaps on theaters themselves, if the movie, “The Interview,” was released.

Officials said it was not clear how the White House would respond. Some within the Obama administration argue that Mr. Kim’s government must be confronted directly. But that raises questions of the threats that the administration would issue, or how much evidence to make public without revealing details of how it was able to penetrate North Korean computer networks to trace the hacking.

Other administration officials said a direct confrontation with the North would provide North Korea the kind of confrontation it covets. Japan, where Sony is an iconic corporate name, has argued that a public accusation could interfere with delicate diplomatic negotiations for the return of Japanese citizens kidnapped years ago.

The administration’s sudden urgency came after a new threat delivered this week to desktop computers at Sony’s offices warned that if “The Interview” was released on Dec. 25, “the world will be full of fear.”

“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”

The four largest theater chains in the United States — Regal Entertainment, AMC Entertainment, Cinemark and Carmike Cinemas — and several smaller chains said they would not show the film as a result of the threat. The cancellations virtually killed “The Interview” as a theatrical enterprise, at least in the near term, one of the first known instances of a threat from another nation pre-empting the release of a movie. Sony then dropped its plan to release the film, which stars James Franco and Seth Rogen.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with a knowledge of the company’s computer systems, senior administration officials said.

“This is of a different nature than past attacks,” one official said.

An attack that began by wiping out data on corporate computers — something that had been previously seen in South Korea and Saudi Arabia — had turned “into a threat to the safety of Americans.” But the official, echoing a statement from the Department of Homeland Security, said there was no specific information that any attack was imminent.

It is not clear how the United States determined that Mr. Kim’s regime played a central role in the Sony attacks. North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency launched a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.

It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “This was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

It is rare for the United States to publicly accuse countries suspected of involvement in cyberintrusions. The administration never publicly said who has attacked White House and State Department computers over the past two months, or JPMorgan Chase’s systems last summer. Russia is suspected in the first two cases, but there is conflicting evidence in the Morgan case.

But there is a long forensic trail involving the Sony hacking. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.

The Sony attacks were routed from command-and-control centers across the world, including a convention center in Singapore and Thammasat University in Thailand. But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggests that the same group or individuals may have been behind the Sony attack.

The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.

Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.

At Sony, investigators are looking into the possibility that the attackers had inside help. Embedded in the malicious code were the names of Sony servers and administrative credentials that allowed the malware to spread across Sony’s network.

“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a security researcher at AlienVault, a cybersecurity consulting firm.

What is remarkable in this case is that after three weeks of pressure, the attack forced one of Hollywood’s largest studios, and one of Japan’s most famous companies, to surrender.

Many attacks have been aimed at stealing credit card data, like the intrusions on the Home Depot and Target networks — and others at disrupting ATMs. An American and Israeli attack known as “Olympic Games” and targeting Iran’s nuclear program was a rare attack on infrastructure.

Sony has tried to put the best face on the situation, saying it understood that movie theaters had to be worried about the safety of their customers.

There are worries that other countries — or hacking groups — will try similar tactics over movies, books or television broadcasts that they find offensive.

The cost of the assault was small: The attackers used readily available commercial tools to steal data and then to wipe it off Sony’s machines. Representative Mike Rogers, the Michigan Republican who is chairman of the House Intelligence Committee, said the hackers “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.

The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.” Only last week, Joseph Demarest, assistant director of the F.B.I.’s cyberdivision, said there was “no attribution to North Korea at this point.”

That assessment has changed, senior intelligence officials say. But that leaves open the question of what to do about the Sony attack. The North is already under some of the heaviest economic sanctions ever applied, leaving little room for Washington to punish it further. A similar American attack would require a presidential order, and Mr. Obama has been hesitant to use the country’s cyberarsenal for fear of provoking retaliation.

David E. Sanger reported from Washington and Nicole Perlroth from San Francisco. Michael Cieply contributed reporting.
