The Washington Post
The Sony Pictures hack, explained
By ANDREA PETERSON
Hackers broke into the computer systems of Sony Pictures Entertainment in October. The attackers stole huge swaths of confidential documents from the Hollywood studio and posted them online in the following weeks -- exposing them to everyone from potential cybercriminals to journalists, who have been poring through the documents and reporting everything from the details of recent film productions to the extent of the employee data now exposed on the Internet.
Multiple reports suggest U.S. government officials believe the attack is tied to the North Korean government, which had expressed outrage over the Sony-backed film "The Interview," an action-comedy centered on an assassination plot against North Korean leader Kim Jong Un.
Sony Pictures canceled the theatrical release of the film Wednesday, responding to a vague threat against theaters showing the film supposedly posted by the hackers. Here's what we know so far:
The Monday before Thanksgiving, Sony Pictures employees who tried to log into their computers were greeted with a graphic of a neon red skeleton featuring the words "#Hacked by #GOP," and a threat to release data later that night if an unspecified request was not met. Over the following weeks, multiple statements purported to be from GOP, short for "Guardians of Peace," were posted online -- many to a text-sharing site called Pastebin, which is also used by some hacktivist groups.
The messages were often accompanied by links to download huge amounts of what appears to be data from Sony Pictures' internal networks. In a memo obtained by the Hollywood Reporter shortly after the first leaks, Sony Pictures executives Michael Lynton and Amy Pascal acknowledged the theft of a "large amount of confidential" data:
While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession.
The same day as the attack, the FBI released a flash memo warning about a destructive type of malware. As of this week, there are reports that Sony employees are still unable to use their old computers because of concerns that code left by the hackers may not have been completely removed from the systems.
Who was responsible?
Attribution is really hard when it comes to cyberattacks because it can be difficult to tie the digital forensics left behind to real-world actors, but the leading theory is that the attack is tied in some way to the North Korean government. On Wednesday The Washington Post, the New York Times and others reported that anonymous U.S. officials were pointing the finger at the secretive nation.
One official briefed on the investigation told The Post that intelligence officials believe with "99 percent certainty" that hackers working for the North Korean government were behind the attack. But the administration is reportedly unsure what to do with that information -- fearing no good outcome could come from pointing fingers at the secretive state: North Korea is diplomatically isolated, and there are already significant sanctions in place. North Korean officials have officially denied involvement in the attack, but did call it a "righteous" deed and suggested it may have been the work of supporters of the regime.
Because of the difficulty of positively identifying cyber actors, the United States rarely names nation-state actors it suspects of being behind cybersecurity incidents. An exception occurred earlier this year, when the Department of Justice announced indictments against several Chinese military employees it said were tied to cyberespionage activities against American companies. Officials are also said to be concerned about the diplomatic fallout for Japan -- Sony is based in Japan, and the nation is much closer to North Korea geographically than the United States is.
The North Korean link was speculated about early on, when tech news site Re/code reported that investigators were looking into the possibility of a connection. After that report, messages purported to be from the hackers alluded to "The Interview" -- first saying that Sony needed to stop "the movie of terrorism," and later explicitly mentioning the film while invoking the Sept. 11, 2001, terrorist attacks and threatening theaters that planned to show the film.
Technical details about the cyberattack are reported to bear similarities to previous attacks on South Korean media institutions that some cybersecurity experts attributed to North Korea. But some remain skeptical about the connection, noting that much of the publicized evidence linking the attacks is circumstantial.
How has Sony Pictures responded?
The studio canceled plans to release "The Interview" theatrically on Wednesday, after a string of major theater chains had indicated they planned not to show the film. It's unclear if the film will receive any distribution at all.
Earlier this week, a lawyer representing Sony Pictures sent a letter to media outlets covering documents leaked by the hackers demanding that they not download future leaks and that they destroy stolen data already in their custody. It appears unlikely that this will stop outlets from reporting on the content of the documents; a 2001 Supreme Court decision said a radio station couldn't be held responsible for broadcasting newsworthy audio recordings even if those recordings were originally made by someone in violation of wiretapping laws.
Sony Pictures is also trying to block distribution of the stolen data, hiring companies such as London-based anti-piracy firm Entura International to quickly remove links to download the information. The studio has been working with the FBI and cybersecurity firm FireEye to investigate the breach.
This is not the first time Sony has struggled with cybersecurity. In 2011, the company's PlayStation Network was compromised by hackers who stole the personal information of millions of gamers and knocked the network offline for weeks. The company is now facing lawsuits from former employees alleging Sony was negligent in protecting the personal data workers entrusted to it -- such as medical data, Social Security numbers, e-mail correspondence and performance evaluations. (The company has offered a year of credit monitoring to current employees.)
How big a deal is this?
While the news has been dominated by big retail hacks over the past year, the Sony Pictures cyberattack was much more disruptive: It knocked out computer systems at the company, and the fallout from the wholesale distribution of internal documents is far different from having to respond to the theft of credit card numbers.
Many within the cybersecurity community hope this will act as a wake-up call to companies about their vulnerability to digital adversaries -- both in terms of beefing up their current defenses and their backup and recovery capabilities.
Some are also concerned about the precedent set by capitulating to the hackers' demands to stop the release of "The Interview," noting that the attackers have effectively managed to get their way by controlling the conversation. What happens if other groups adopt similar tactics to advance their agendas?
Many celebrities have tweeted their worries about what this means for the future of free speech and artistic expression, and they probably have a point: In the wake of the cyberattack, another studio has reportedly pulled the plug on a film that was to be set in North Korea and to star Steve Carell, according to Deadline.
Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.
[Photo caption: Jamie Dimon, chief executive of JPMorgan Chase, says that the digital threat is on the rise. Credit: Richard Drew/Associated Press]
Jamie Dimon, JPMorgan's chairman and chief executive, has acknowledged the growing digital threat. In his annual letter to shareholders, Mr. Dimon said, "We're making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe."
Even though the bank has fortified its defenses against the attacks, Mr. Dimon wrote, the battle is "continual and likely never-ending."
On Thursday, some lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, said "the data breach at JPMorgan Chase is yet another example of how Americans' most sensitive personal information is in danger."
Hackers drilled deep into the bank's vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.
That lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers, thought by some to be from Russia, may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.
By the time the bank's security team discovered the breach in late July, the hackers had already obtained the highest level of administrative privilege on dozens of the bank's servers, according to the people with knowledge of the investigation. It is still unclear how the hackers managed to gain such deep access.
The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank's systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan's systems.