9:30am PT by Fred Kaplan
Sony Hack: Computer Passwords Included "12345" and "ABCDE"
This story first appeared in the March 18 issue of The Hollywood Reporter magazine.
The Cold War ended in 1989, but the age of cyberwar began six years before that. In 1983, after President Ronald Reagan saw War Games, the Matthew Broderick thriller about a teen who hacks into the NORAD computers and almost starts World War III, he asked the Joint Chiefs of Staff, "Could this really happen?" The answer produced the first national security policy on cyberwarfare. Today, the U.S. military spends more than $14 billion a year on cyberwarfare. Pulitzer Prize-winning national security reporter Fred Kaplan tells this story for the first time in his new book Dark Territory: The Secret History of Cyber War (Simon & Schuster). In this exclusive excerpt, he goes behind the scenes of the December 2014 hack of Sony Pictures to show how a shadowy group of elite government superhackers, known as the Tailored Access Operations, knew with absolute certainty that the culprits were North Korean and then explains how this event opened a new front in the 21st century's digital war.
On Dec. 17, 2014, three weeks after the massive cyberattack on Sony Pictures Entertainment — which destroyed 3,000 computers and pilfered 100 terabytes of data, the juiciest bits of which were distributed to an array of eager news reporters — senior U.S. officials declared, with an unusual degree of confidence, that the hackers were with a group called DarkSeoul, which worked directly for the North Korean government.
In public, officials said they'd based their conclusion on the fact that the hackers used many of the same "signatures" that DarkSeoul had used in the past — the same encryption algorithms, data-deletion methods and Internet Protocol addresses. The reasoning was circumstantial at best. Some computer experts were so unconvinced they wrote papers doubting that North Korea had anything to do with the hack; a few speculated that it might have been an inside job by some disgruntled studio employee.
But the skeptics were wrong. The real reason for the government's certainty about the hackers' identity — a reason no official could discuss publicly — was that the National Security Agency had long ago penetrated North Korea's computer networks. Anything done on those networks, the NSA could follow. When the hackers looked at their computer screens, the NSA could intercept the signals from those screens and watch what the hackers were watching — not in real time (unless there was a particular reason to be watching North Koreans in real time), but NSA analysts could retrieve the files, watch the images and analyze the evidence retroactively.
The ability to pull off this sort of feat had been evolving, over the previous 15 years, among an elite corps of superhackers in a division of the agency known as Tailored Access Operations, or TAO. Located in a separate wing of NSA headquarters at Fort Meade, Md., it was the subject of whispered rumors but little solid knowledge, even among those with otherwise high-security clearances. Anyone seeking entrance into its lair had to get by an armed guard, a retinal scanner and a cipher-locked door.
TAO was created in the late 1990s, as part of a reorganization inside NSA. A few years earlier, the agency's array of antenna dishes and listening posts — erected decades ago to intercept foreign radio, telephone and microwave signals — were proving steadily less useful in a world of digital packets, cellular providers and the Internet. As the NSA developed tools to monitor these new networks, TAO devised techniques to penetrate them.
TAO's mission, and informal motto, was "getting the ungettable." If the president wanted to know what a terrorist leader was thinking and doing, TAO would track his computer, hack into its hard drive, retrieve its files and intercept its email — sometimes purely through cyberspace, sometimes with the help of foreign contractors, special-ops shadow soldiers or a CIA outfit called the Information Operations Center. These spies would lay their hands on the computer and insert a thumb drive loaded with malware or attach a beacon that a TAO specialist would home in on.
It started out as a small outfit: a few dozen computer programmers, who'd passed an absurdly difficult entrance exam, occupying a corner of the NSA's main floor. Gradually, its ranks swelled to 600 "intercept operators" at Fort Meade, plus another 400 or more at NSA outlets — Remote Operations Centers, they were called — in Wahiawa, Hawaii; Fort Gordon, Ga.; Buckley Air Force Base near Denver; and the Texas Cryptology Center in San Antonio.
Early on, TAO hacked into computers in fairly simple ways: sniffing passwords (one program tried out every word in the dictionary, along with variations and numbers, in a few seconds) or sending emails with alluring attachments, which would download malware when opened. Over time, though, the TAO teams sharpened their skills and their arsenal. Obscure points of entry were discovered in computer servers, routers, workstations, handsets, phone switches, even firewalls (which, ironically, were supposed to keep hackers out).
In the process, in-house scientists developed devices and software that resembled something out of the most exotic James Bond movie. As later revealed in documents leaked by NSA contractor Edward Snowden, one of these devices, called LoudAuto, activated a laptop's microphone and monitored the conversations of anyone in its vicinity. HowlerMonkey extracted and transmitted files via radio signals, even if the computer wasn't hooked up to the Internet. MonkeyCalendar tracked a cellphone's location and conveyed the information through a text message. NightStand was a portable wireless system that loaded a computer with malware from several miles away. RageMaster tapped into the emissions of a computer screen's video signal, so TAO analysts could see what was on the screen and thus watch what the person being targeted was watching — if the target was a hacker, they could watch what he was hacking.
North Korea hacked the Sony networks as punishment for the studio's release of The Interview, the $44 million Seth Rogen-James Franco comedy that lampooned the country's dictator, Kim Jong-un, and graphically depicted his assassination. One week before opening day, Sony received an email threatening violence against theaters that showed the film. Sony canceled its release — and suddenly, the embarrassing emails and data stopped flowing to the media.
At his year-end press conference, President Obama told the world that Sony's executives "made a mistake" when they pulled the movie. "I wish they had spoken to me first," he said. "I would have told them 'Do not get into a pattern in which you're intimidated by these kinds of criminal acts.' " He also announced that the United States would "respond proportionally" to the North Korean attack, "in a place and time and manner that we choose."
The president's statement set off a debate inside the White House: What was a "proportional" response to a cyberattack? Did this response have to be delivered in cyberspace, or could it be economic and political? Finally, what role should government play in responding to cyberattacks on private companies? A bank gets hacked, that's the bank's problem; but what if two, three or a dozen banks were hacked? At what point did these assaults become a concern of the state, an issue of national security?
On Dec. 22, three days after Obama's press conference, someone unplugged North Korea from the Internet. Kim Jong-un's spokesmen accused Washington of launching a cyberattack. It was a reasonable guess. Obama had, after all, pledged to launch a "proportional" response to the Sony hack; shutting down North Korea's Internet access for 10 hours seemed to fit the bill. It wouldn't have been an onerous task, given that the whole country had just 1,024 IP addresses (fewer than the number on some blocks in New York City), all of them connected through a single service provider in China.
In fact, though, according to several officials, some speaking in confidence, the United States government had nothing to do with the shutdown. A debate broke out in the White House over whether to deny the charge publicly. Some argued that it would be good to clarify what a proportional response was not. Others argued that making any statement would set an awkward precedent: If U.S. officials issued a denial this time, they would also have to deny American involvement the next time a digital calamity occurred during an international confrontation; otherwise, everyone would infer that Washington did launch that attack, whether or not it actually had — at which point the victim might fire back. The North Koreans didn't escalate this conflict, in part because they couldn't. But another power, with a more robust Internet, might have.
After a few rounds of discussion, White House officials settled on a compromise. Right after the holidays, on Jan. 2, 2015, President Obama signed an executive order imposing new sanctions against North Korea. His press spokesman, Josh Earnest, pointedly called it "the first aspect of our response" to the Sony hack. Though no one spelled this out explicitly — at least not on the record — listeners could infer from the word "first" that the United States had not shut down North Korea's Internet 11 days earlier.
Some cybersecurity specialists were flummoxed by the whole Sony business and its elevation to national policy. The computer networks of hundreds of American banks, retailers, utility companies, defense contractors — even those of the Department of Defense — had been hacked routinely by foreign powers, sometimes at great expense, with no retributive action by the U.S. government, at least not publicly. "But," one specialist exclaims, "a Hollywood studio gets breached, over a movie, and the president publicly pledges to retaliate?"
Obama was deliberate in making this distinction. Jeh Johnson, his secretary of homeland security, stated it explicitly the same day, saying that the Sony attack constituted "not just an attack against a company and its employees" but "also an attack on our freedom of expression and way of life." A frothy comedy like The Interview may have been an unlikely emblem of the First Amendment or American values, but so were many other works that had come under attack through the nation's history, yet were still worth defending, because an attack on basic values had to be answered — however ignoble the target — lest some future assailant threaten to raid the files of some other studio, publisher, art museum or record company if their executives didn't cancel some film, book, exhibition or album.
The Sony hack heralded a new phase in this new realm of conflict known as cyberwar. It was a computer attack motivated not by a desire for money, trade secrets or an advantage in military intelligence, but rather by displeasure over the behavior or speech of a private individual or corporation.
It wasn't the first time this sort of attack had occurred. Nine months earlier, in February 2014, Iran had launched a cyberattack against the Las Vegas Sands Corporation, owner of the Venetian and Palazzo hotel-casinos — wiping out the hard drives in thousands of its servers, PCs and laptops — because Sheldon Adelson, the ardently pro-Israel, right-wing billionaire who owned 52 percent of the company's shares, had said he'd like to drop an atomic bomb on an Iranian desert, as a message, if the mullahs of Tehran took too hard a stance at the nuclear talks, which had recently begun. Iran's supreme leader, Ayatollah Ali Khamenei, fumed that someone "should slap these prating people" and "crush their mouths." That's what Iran's hackers were doing to Adelson. Hacking into a casino, they could have made off with a lot of money; they didn't steal a dime.
But the Sony hack was the first major cyberattack on public speech, and it was on a company whose business was public speech. Sony had been hacked twice before: One of the attacks shut down its PlayStation network for 23 days after purloining data from 77 million accounts; the other stole data from 25 million viewers of Sony Online Entertainment, including 12,000 credit card numbers. The cost, in business lost and damages repaired, came to about $170 million.
Like many conglomerates, Sony ran its various branches in stovepipe fashion: The executives at PlayStation had little contact with those at Online Entertainment, who had little contact with those at Sony Pictures. So the lessons learned in one division were not shared with the others.
After the North Korean attack, Sony Pictures hired security firms to diagnose and fix its problems, and they found a company shockingly lax in cyberhygiene, its servers and networks protected by the lamest passwords — on the order of "12345," "ABCDE" and "password" — if they were protected at all. And why not? What cyberthief, terrorist or nation-state would be interested in the computer records of a movie studio?
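The two weaknesses this excerpt names, sequential strings like "12345" and "ABCDE" and dictionary words such as "password" (which the cracker described earlier defeats by trying every word with variations), can be screened for before a credential is accepted. The following is an added example, not code from the book, the article or Sony's remediation; the word list is a constructed stand-in for a real breached-password or dictionary list.

```python
import re
from typing import List

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "qwerty"}

# Leetspeak substitutions a dictionary cracker would try, mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def is_sequential(s: str, min_run: int = 4) -> bool:
    """True if s contains min_run or more characters that step by exactly +1 or -1
    in code-point order, e.g. '12345', 'abcde', 'EDCBA'."""
    s = s.lower()
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def dictionary_base(s: str) -> str:
    """Undo the variations a cracker appends to a word (case, leading/trailing
    digits and symbols, leetspeak) so 'P@ssw0rd1!' collapses to 'password'."""
    core = s.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # strip trailing digits/symbols
    core = re.sub(r"^[^a-z]+", "", core)   # strip leading digits/symbols
    return core.translate(LEET)


def weak_password_reasons(pw: str) -> List[str]:
    """Return every reason the candidate should be rejected; empty list means accept."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if is_sequential(pw):
        reasons.append("contains a sequential run")
    if dictionary_base(pw) in COMMON_WORDS:
        reasons.append("dictionary word with trivial variation")
    if len(set(pw)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("12345", "ABCDE", "P@ssw0rd1!", "Tr0ub4dor&3-correct-horse"):
        print(candidate, "->", weak_password_reasons(candidate) or "accepted")
```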
One lesson of the Sony attack, which the managers of every kind of company have taken to heart if they have a brain, is that no one is immune from the connivances of a wily hacker; everyone has something that someone might want for some reason. In a modern society, that something — nearly everything — is stored in a computer, and computers are by nature vulnerable.
Fred Kaplan is the author of four other books, including the Pulitzer Prize finalist The Insurgents: David Petraeus and the Plot to Change the American Way of War.