Sony Hack: FBI Confirms North Korea Is "Responsible for These Actions"
In an email to the studio's top executives, the hackers called the decision not to release 'The Interview' "very wise"
On Friday morning, the FBI officially accused North Korea of the devastating hack on Sony Pictures Entertainment, which began shortly before Thanksgiving and led to confidential information, including emails from top executives, being leaked.
The FBI, which has been working with Sony since the studio discovered it was hacked, said its findings were an update in its ongoing investigation.
"As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions," the law-enforcement agency said in a statement.
In explaining how it determined North Korea was behind the attack, the FBI confirmed what some security experts have speculated about the malware used in the attack and how this latest hack has similarities to previous cyber attacks carried out by North Korea.
Specifically, the FBI said "analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously deployed." There were similar lines of code, encryption algorithms, data deletion methods and compromised networks.
The FBI also found "significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea." Several IP addresses associated with known North Korean infrastructure communicated with IP addresses hardcoded into the data deletion malware used in the Sony attack, the FBI said.
Furthermore, tools used in the Sony attack have similarities to those employed in a cyberattack carried out by North Korea against South Korean banks and media outlets in March of last year.
The FBI went on to say it is "deeply concerned about the destructive nature of this attack," noting that North Korea's attempt to inflict significant harm on the studio and suppress people's freedom of expression falls "outside the bounds of acceptable state behavior."
The FBI concluded by stating that it will "impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests."
MPAA CEO Chris Dodd released a statement shortly after the FBI confirmed the link to North Korea. Dodd called the hacking by the totalitarian regime "a despicable, criminal act."
"This situation is larger than a movie’s release or the contents of someone’s private emails," Dodd continued. "This is about the fact that criminals were able to hack in and steal what has now been identified as many times the volume of all of the printed material in the Library of Congress and threaten the livelihoods of thousands of Americans who work in the film and television industry, as well as the millions who simply choose to go to the movies. The Internet is a powerful force for good and it is deplorable that it is being used as a weapon not just by common criminals, but also, sophisticated cyber terrorists. We cannot allow that front to be opened again on American corporations or the American people.”
Department of Homeland Security Secretary Jeh Johnson also released a statement, saying, "The cyber attack against Sony Pictures Entertainment was not just an attack against a company and its employees. It was also an attack on our freedom of expression and way of life."
Johnson added that the incident illustrates the need for good cybersecurity practices and urged businesses to assess their company's safeguards.
The hackers also sent Sony's top executives a victory note after the studio canceled its Christmas release of the controversial new film, The Interview, which centers on two American journalists enlisted by the CIA to assassinate North Korean leader Kim Jong Un.
In the email, received by Sony's top executives Thursday night, the hackers call the decision to cancel The Interview's release "very wise." The hackers also told Sony they want the studio to remove trailers and not release the film on DVD, threatening further leaks of confidential information. A source with knowledge of the situation confirmed the contents of this email and that it was received. CNN initially reported on the victory note.
A source told CNN that the company believes the email came from the hackers because it followed a pattern of previous messages sent to a list of particular executives and was formatted a certain way.
Sony canceled The Interview's Christmas Day release on Wednesday after several top theater chains said they wouldn't show the film following a threat from the hackers of 9/11-style attacks.
Trailers for the film are still available online, including on Sony's YouTube channel. The ending of the film has also leaked online.
Sony declined to comment.
The FBI's full statement follows.
Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE).
In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the “Guardians of Peace” claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies. The FBI has determined that the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees’ personally identifiable information and confidential communications. The attacks also rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.
After discovering the intrusion into its network, SPE requested the FBI’s assistance. Since then, the FBI has been working closely with the company throughout the investigation. Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack. Sony’s quick reporting facilitated the investigators’ ability to do their jobs, and ultimately to identify the source of these attacks.
As a result of our investigation, and in close collaboration with other U.S. Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. Government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior.
The FBI takes seriously any attempt – whether through cyber-enabled means, threats of violence, or otherwise – to undermine the economic and social prosperity of our citizens. The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information. Further, the FBI will continue to work closely with multiple departments and agencies as well as with domestic, foreign, and private sector partners who have played a critical role in our ability to trace this and other cyber threats to their source. Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.
Erik Hayden, Gregg Kilday and Tatiana Siegel contributed to this report.