DOCSLIB.ORG

Sony's Nightmare Before Christmas: the 2014 North Korean Cyber

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Sony's Nightmare Before Christmas: the 2014 North Korean Cyber SONY’S NIGHTMARE BEFORE CHRISTMAS The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace National SecurityResearch Report Note Antonio DeSimone | Nicholas Horton NSR_11x17_Cover_Sony_v6.indd 1 11/20/17 4:09 PM SONY’S NIGHTMARE BEFORE CHRISTMAS The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace Antonio DeSimone Nicholas Horton Copyright © 2017 The Johns Hopkins University Applied Physics Laboratory LLC. All Rights Reserved. NSAD-R-17-045 SONY’S NIGHTMARE BEFORE CHRISTMas iii Contents Figures ................................................................................................................................................................................................ v Tables .................................................................................................................................................................................................. v Summary .........................................................................................................................................................................................vii Timeline of Events ....................................................................................................................................................2 Sony, The Interview, and the Attack ......................................................................................................................2 The Cybersecurity Industry Responds ..................................................................................................................7 The US Government Attributes the Attack to North Korea ........................................................................... 10 North Korea’s Response ....................................................................................................................................... 13 The Aftermath ........................................................................................................................................................ 15 Sony’s Financial and Economic Losses ..........................................................................................................................16 Conclusions ............................................................................................................................................................ 17 Divining the Motives of North Korea .............................................................................................................................17 Attribution, Behavior, and Norms ...................................................................................................................................17 Attribution, Credibility, and Perceptions ......................................................................................................................18 Information Sharing and Denial of Benefits ................................................................................................................19 Appendix North Korean Articles .........................................................................................................................................21 Bibliography ...................................................................................................................................................................................23 Acknowledgments .......................................................................................................................................................................31 About the Authors .......................................................................................................................................................................31 Figures Tables SONY’S NIGHTMARE BEFORE CHRISTMas v Figures Figure 1. Timeline of Events Surrounding 2014 Sony Cyber Attack............................................................................ 3 Figure 2. Image Displayed on Computer Monitor at Sony on November 24, 2014 (Imgur) .............................. 5 Figure 3. One of the Messages Sent by WhoIs Team in March 2013 ........................................................................... 9 Figure 4. Articles about Sony in the North Korean State-Controlled Media..........................................................14 Tables Table A-1. Articles Including “Sony” in the KCNA Watch Database, June 1, 2014–May 5, 2015 .......................21 SONY’S NIGHTMARE BEFORE CHRISTMas vii Summary The cyber attack on Sony Pictures Entertainment in late 2014 began as a public embarrassment for an American company and ultimately led to the unprecedented action by the US president to formally attribute a cyber attack to a nation-state (North Korea). The incident played out at the nexus of the private cybersecurity industry and US government communities including the White House, the Federal Bureau of Investigation, and the National Security Agency. The attack was triggered by Sony’s plan to release The Interview, a comedy in which an American talk show host and his producer are recruited by the Central Intelligence Agency to travel to North Korea and assassinate North Korea’s supreme leader, Kim Jong-un. The cyber attack was discussed everywhere: from supermarket tabloids, delighting in gossip-rich leaked emails, to official statements by leaders in the US government, including President Obama. When laid out in a timeline, the events surrounding the cyber attack—which include the attribution to North Korea and subsequent responses by both the government and private-sector cybersecurity experts—provide a case study of the actions and interactions of the players in a major cyber attack. The events surrounding the attack and the attribution provide insight into three areas: the effects of government and private-sector actions on the perception of a cyber event among the public, the effect of attribution on the behavior of the attackers, and possible motives for North Korea’s high-profile cyber actions. The incident also illuminates the role of multi-domain deterrence to respond to attacks in the cyber domain. SONY’S NIGHTMARE BEFORE CHRISTMas 1 yber attacks have increased in number, scale, actions in cyberspace and an interesting case study and variety in recent years,1 threatening US of US government activities at the intersection of law economic interests and national security. In enforcement and national security. Cthe eyes of some, the cyber threat from sophisticated The wide variety of actions and actors in this case actors capable of “full spectrum” actions “has study make it particularly interesting as a source of potential consequences similar in some ways to the 2 insights into the multi-domain deterrence problem: nuclear threat of the Cold War.” High-consequence a private US company became the target of a cyber cyber attacks call for a whole-of-government attack by a foreign nation-state with minimal cyber response to detect, deny, and deter bad actors infrastructure and a nonexistent private industry. and, when appropriate, retaliate. Proper and The United States cannot deter an attack like this by proportional retaliation in the face of a cyber attack threatening retribution in kind. The United States is is a particularly difficult problem. An attacker may not likely to embrace a declaratory cyber-deterrence not have appropriate cyber targets, calling for a policy that includes attacks on private companies, and retaliatory capability in a different domain. The policy even if it did, this attacker does not have such assets issues associated with employing different levers of to hold at risk. Multi-domain deterrence policies power under different authorities (multi-domain could have an impact on adversaries considering a deterrence) should be informed by an understanding cyber attack on a US asset; this case study can help of the actions and interactions among the players in shape such policies. a cyber attack. The general outline of the events is well known. This report provides a case study of the 2014 cyber Sony planned to release The Interview, a Seth Rogen attack on Sony Pictures Entertainment (NOTE: in comedy portraying the assassination of Kim Jong-un, this paper, “Sony” will refer to Sony Pictures the supreme leader of North Korea, or, officially, the Entertainment, while “Sony Corp.” will refer to the Democratic People’s Republic of Korea. The North parent, Japan-based Sony Corporation). By following Korean government objected to the movie, including the course of a single incident, we hope to gain vehemently protesting to the secretary-general of insight into how players across governments and the United Nations (UN), but Sony pushed ahead the private sectors behave and respond when an with its plan to show the film. One month before attack occurs. The Sony attack achieved wide public The Interview’s scheduled Christmas release, a cyber notoriety, driven perhaps less by a broad interest in attack on Sony released a trove of sensitive data and national security than by leaked emails that disclosed caused extensive damage to Sony computers. Later, interesting ways celebrities misbehave. Looking past as leaks continued and anonymous threats to Sony the fascination with the culture of celebrity and the increased, the US government reacted to this attack backroom dealings in the entertainment industry, on a private company in an unprecedented public we find that the events in that short
Load more

Recommended publications
  • (U//Fouo) Assessment of Anonymous Threat to Control Systems
    UNCLASSIFIED//FOR OFFICIAL USE ONLY A‐0020‐NCCIC / ICS‐CERT –120020110916 DISTRIBUTION NOTICE (A): THIS PRODUCT IS INTENDED FOR MISION PARTNERS AT THE “FOR OFFICIAL USE ONLY” LEVEL, ACROSS THE CYBERSECURITY, CRITICAL INFRASTRUCTURE AND / OR KEY RESOURCES COMMUNITY AT LARGE. (U//FOUO) ASSESSMENT OF ANONYMOUS THREAT TO CONTROL SYSTEMS EXECUTIVE SUMMARY (U) The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting inDustrial control systems (ICS). This proDuct characterizes Anonymous’ capabilities and intent in this area, based on expert input from DHS’s Control Systems Security Program/Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT) in coordination with the other NCCIC components. (U//FOUO) While Anonymous recently expressed intent to target ICS, they have not Demonstrated a capability to inflict Damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methoDs, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web‐based applications and windows systems) by employing tactics such as denial of service. Anonymous’ increased interest may indicate intent to Develop an offensive ICS capability in the future. ICS‐CERT assesses that the publically available information regarding exploitation of ICS coulD be leveraged to reDuce the amount of time to develop offensive ICS capabilities. However, the lack of centralized leadership/coordination anD specific expertise may pose challenges to this effort. DISCUSSION (U//FOUO) Several racist, homophobic, hateful, and otherwise maliciously intolerant cyber and physical inciDents throughout the past Decadea have been attributeD to Anonymous, though recently, their targets and apparent motivations have evolved to what appears to be a hacktivist1 agenda.
    [Show full text]
  • Accepted Manuscript Version
    Research Archive Citation for published version: Tony Shaw, and Tricia Jenkins, ‘An Act of War? The Interview Affair, the Sony Hack, and the Hollywood– Washington Power Nexus Today’, Journal of American Studies, April 2017. DOI: https://doi.org/10.1017/S0021875817000512 Document Version: This is the Accepted Manuscript version. The version in the University of Hertfordshire Research Archive may differ from the final published version. Copyright and Reuse: © 2017 Cambridge University Press and British Association for American Studies. This version is free to view and download for private research and study only. Not for re-distribution, re-sale or use in derivative works. Enquiries If you believe this document infringes copyright, please contact the Research & Scholarly Communications Team at [email protected] An Act of War? The Interview Affair, the Sony Hack, and the Hollywood/Washington Power Nexus Today An early quasi-police procedural showing J. Edgar Hoover’s Federal Bureau of Investigation “smashing” a communist sleeper cell in Boston, Alfred L. Werker’s 1952 docudrama Walk East on Beacon looks at first much like any other Red-baiting Hollywood production of the McCarthy era. On closer inspection, the movie offers us a keen insight into the Hollywood/Washington power nexus during the Cold War. Recently declassified documents reveal that the FBI’s top brass not only helped to inspire Walk East on Beacon but also to cast and market the film. More intriguingly, America’s most powerful military Cold War think tank, the RAND Corporation, was at the heart of the movie’s screenplay. Hollywood scriptwriter Leo Rosten worked as a part-time adviser on social sciences for RAND and based key elements of his plot for Walk East on Beacon on top-secret RAND projects, principally the military uses of satellites and computers.
    [Show full text]
  • Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches
    Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches OVERVIEW Over the past several years, the Cybersecurity and Infrastructure Security Ransomware is a serious and increasing threat to all government and Agency (CISA) and our partners have responded to a significant number of private sector organizations, including ransomware incidents, including recent attacks against a U.S. pipeline critical infrastructure organizations. In company and a U.S. software company, which affected managed service response, the U.S. government providers (MSPs) and their downstream customers. launched StopRansomware.gov, a centralized, whole-of-government Ransomware is malware designed to encrypt files on a device, rendering webpage providing ransomware files and the systems that rely on them unusable. Traditionally, malicious resources, guidance, and alerts. actors demand ransom in exchange for decryption. Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful. Malicious actors increasingly exfiltrate data and then threaten to sell or leak it—including sensitive or personal information—if the ransom is not paid. These data breaches can cause financial loss to the victim organization and erode customer trust. All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. This fact sheet provides information for all government and private sector organizations, including critical infrastructure organizations, on preventing and responding to ransomware-caused data breaches. CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations below. PREVENTING RANSOMWARE ATTACKS 1. Maintain offline, encrypted backups of data and regularly test your backups.
    [Show full text]
  • About the Sony Hack
    All About the Sony Hack Sony Pictures Entertainment was hacked in late November by a group called the Guardians of Peace. The hackers stole a significant amount of data off of Sony’s servers, including employee conversations through email and other documents, executive salaries, and copies of unreleased January/February 2015 Sony movies. Sony’s network was down for a few days as administrators worked to assess the damage. According to the FBI, the hackers are believed have ties with the North Korean government, which has denied any involvement with the hack and has even offered to help the United States discover the identities of the hackers. Various analysts and security experts have stated that it is unlikely All About the Sony Hack that the North Korean government is involved, claiming that the government likely doesn’t have the Learn how Sony was attacked and infrastructure to succeed in a hack of this magnitude. what the potential ramifications are. The hackers quickly turned their focus to an upcoming Sony film, “The Interview,” a comedy about Securing Your Files in Cloud two Americans who assassinate North Korean leader Kim Jong-un. The hackers contacted Storage reporters on Dec. 16, threatening to commit acts of terrorism towards people going to see the Storing files in the cloud is easy movie, which was scheduled to be released on Dec. 25. Despite the lack of credible evidence that and convenient—but definitely not attacks would take place, Sony decided to postpone the movie’s release. On Dec. 19, President risk-free. Obama went on record calling the movie’s cancelation a mistake.
    [Show full text]
  • North Korean Cyber Capabilities: in Brief
    North Korean Cyber Capabilities: In Brief Emma Chanlett-Avery Specialist in Asian Affairs Liana W. Rosen Specialist in International Crime and Narcotics John W. Rollins Specialist in Terrorism and National Security Catherine A. Theohary Specialist in National Security Policy, Cyber and Information Operations August 3, 2017 Congressional Research Service 7-5700 www.crs.gov R44912 North Korean Cyber Capabilities: In Brief Overview As North Korea has accelerated its missile and nuclear programs in spite of international sanctions, Congress and the Trump Administration have elevated North Korea to a top U.S. foreign policy priority. Legislation such as the North Korea Sanctions and Policy Enhancement Act of 2016 (P.L. 114-122) and international sanctions imposed by the United Nations Security Council have focused on North Korea’s WMD and ballistic missile programs and human rights abuses. According to some experts, another threat is emerging from North Korea: an ambitious and well-resourced cyber program. North Korea’s cyberattacks have the potential not only to disrupt international commerce, but to direct resources to its clandestine weapons and delivery system programs, potentially enhancing its ability to evade international sanctions. As Congress addresses the multitude of threats emanating from North Korea, it may need to consider responses to the cyber aspect of North Korea’s repertoire. This would likely involve multiple committees, some of which operate in a classified setting. This report will provide a brief summary of what unclassified open-source reporting has revealed about the secretive program, introduce four case studies in which North Korean operators are suspected of having perpetrated malicious operations, and provide an overview of the international finance messaging service that these hackers may be exploiting.
    [Show full text]
  • Sample Iis Publication Page
    https://doi.org/10.48009/1_iis_2012_133-143 Issues in Information Systems Volume 13, Issue 1, pp. 133-143, 2012 HACKERS GONE WILD: THE 2011 SPRING BREAK OF LULZSEC Stan Pendergrass, Robert Morris University, [email protected] ABSTRACT Computer hackers, like the group known as Anonymous, have made themselves more and more relevant to our modern life. As we create and expand more and more data within our interconnected electronic universe, the threat that they bring to its fragile structure grows as well. However Anonymous is not the only group of hackers/activists or hacktivists that have made their presence known. LulzSec was a group that wreaked havoc with information systems in 2011. This will be a case study examination of their activities so that a better understanding of five aspects can be obtained: the Timeline of activities, the Targets of attack, the Tactics the group used, the makeup of the Team and a category which will be referred to as The Twist for reasons which will be made clear at the end of the paper. Keywords: LulzSec, Hackers, Security, AntiSec, Anonymous, Sabu INTRODUCTION Information systems lie at the heart of our modern existence. We deal with them when we work, when we play and when we relax; texting, checking email, posting on Facebook, Tweeting, gaming, conducting e-commerce and e- banking have become so commonplace as to be nearly invisible in modern life. Yet, within each of these electronic interactions lies the danger that the perceived line of security and privacy might be breached and our most important information and secrets might be revealed and exploited.
    [Show full text]
  • Attacking from Inside
    WIPER MALWARE: ATTACKING FROM INSIDE Why some attackers are choosing to get in, delete files, and get out, rather than try to reap financial benefit from their malware. AUTHORED BY VITOR VENTURA WITH CONTRIBUTIONS FROM MARTIN LEE EXECUTIVE SUMMARY from system impact. Some wipers will destroy systems, but not necessarily the data. On the In a digital era when everything and everyone other hand, there are wipers that will destroy is connected, malicious actors have the perfect data, but will not affect the systems. One cannot space to perform their activities. During the past determine which kind has the biggest impact, few years, organizations have suffered several because those impacts are specific to each kinds of attacks that arrived in many shapes organization and the specific context in which and forms. But none have been more impactful the attack occurs. However, an attacker with the than wiper attacks. Attackers who deploy wiper capability to perform one could perform the other. malware have a singular purpose of destroying or disrupting systems and/or data. The defense against these attacks often falls back to the basics. By having certain Unlike malware that holds data for ransom protections in place — a tested cyber security (ransomware), when a malicious actor decides incident response plan, a risk-based patch to use a wiper in their activities, there is no management program, a tested and cyber direct financial motivation. For businesses, this security-aware business continuity plan, often is the worst kind of attack, since there is and network and user segmentation on top no expectation of data recovery.
    [Show full text]
  • Eminem Interview Download
    Eminem interview download LINK TO DOWNLOAD UPDATE 9/14 - PART 4 OUT NOW. Eminem sat down with Sway for an exclusive interview for his tenth studio album, Kamikaze. Stream/download Kamikaze HERE.. Part 4. Download eminem-interview mp3 – Lost In London (Hosted By DJ Exclusive) of Eminem - renuzap.podarokideal.ru Eminem X-Posed: The Interview Song Download- Listen Eminem X-Posed: The Interview MP3 song online free. Play Eminem X-Posed: The Interview album song MP3 by Eminem and download Eminem X-Posed: The Interview song on renuzap.podarokideal.ru 19 rows · Eminem Interview Title: date: source: Eminem, Back Issues (Cover Story) Interview: . 09/05/ · Lil Wayne has officially launched his own radio show on Apple’s Beats 1 channel. On Friday’s (May 8) episode of Young Money Radio, Tunechi and Eminem Author: VIBE Staff. 07/12/ · EMINEM: It was about having the right to stand up to oppression. I mean, that’s exactly what the people in the military and the people who have given their lives for this country have fought for—for everybody to have a voice and to protest injustices and speak out against shit that’s wrong. Eminem interview with BBC Radio 1 () Eminem interview with MTV () NY Rock interview with Eminem - "It's lonely at the top" () Spin Magazine interview with Eminem - "Chocolate on the inside" () Brian McCollum interview with Eminem - "Fame leaves sour aftertaste" () Eminem Interview with Music - "Oh Yes, It's Shady's Night. Eminem will host a three-hour-long special, “Music To Be Quarantined By”, Apr 28th Eminem StockX Collab To Benefit COVID Solidarity Response Fund.
    [Show full text]
  • The 2014 Sony Hack and the Role of International Law
    The 2014 Sony Hack and the Role of International Law Clare Sullivan* INTRODUCTION 2014 has been dubbed “the year of the hack” because of the number of hacks reported by the U.S. federal government and major U.S. corporations in busi- nesses ranging from retail to banking and communications. According to one report there were 1,541 incidents resulting in the breach of 1,023,108,267 records, a 78 percent increase in the number of personal data records compro- mised compared to 2013.1 However, the 2014 hack of Sony Pictures Entertain- ment Inc. (Sony) was unique in nature and in the way it was orchestrated and its effects. Based in Culver City, California, Sony is the movie making and entertain- ment unit of Sony Corporation of America,2 the U.S. arm of Japanese electron- ics company Sony Corporation.3 The hack, discovered in November 2014, did not follow the usual pattern of hackers attempting illicit activities against a business. It did not specifically target credit card and banking information, nor did the hackers appear to have the usual motive of personal financial gain. The nature of the wrong and the harm inflicted was more wide ranging and their motivation was apparently ideological. Identifying the source and nature of the wrong and harm is crucial for the allocation of legal consequences. Analysis of the wrong and the harm show that the 2014 Sony hack4 was more than a breach of privacy and a criminal act. If, as the United States maintains, the Democratic People’s Republic of Korea (herein- after North Korea) was behind the Sony hack, the incident is governed by international law.
    [Show full text]
  • Wikileaks and the Institutional Framework for National Security Disclosures
    THE YALE LAW JOURNAL PATRICIA L. BELLIA WikiLeaks and the Institutional Framework for National Security Disclosures ABSTRACT. WikiLeaks' successive disclosures of classified U.S. documents throughout 2010 and 2011 invite comparison to publishers' decisions forty years ago to release portions of the Pentagon Papers, the classified analytic history of U.S. policy in Vietnam. The analogy is a powerful weapon for WikiLeaks' defenders. The Supreme Court's decision in the Pentagon Papers case signaled that the task of weighing whether to publicly disclose leaked national security information would fall to publishers, not the executive or the courts, at least in the absence of an exceedingly grave threat of harm. The lessons of the PentagonPapers case for WikiLeaks, however, are more complicated than they may first appear. The Court's per curiam opinion masks areas of substantial disagreement as well as a number of shared assumptions among the Court's members. Specifically, the Pentagon Papers case reflects an institutional framework for downstream disclosure of leaked national security information, under which publishers within the reach of U.S. law would weigh the potential harms and benefits of disclosure against the backdrop of potential criminal penalties and recognized journalistic norms. The WikiLeaks disclosures show the instability of this framework by revealing new challenges for controlling the downstream disclosure of leaked information and the corresponding likelihood of "unintermediated" disclosure by an insider; the risks of non-media intermediaries attempting to curtail such disclosures, in response to government pressure or otherwise; and the pressing need to prevent and respond to leaks at the source. AUTHOR.
    [Show full text]
  • The Middle East Under Malware Attack Dissecting Cyber Weapons
    The Middle East under Malware Attack Dissecting Cyber Weapons Sami Zhioua Information and Computer Science Department King Fahd University of Petroleum and Minerals Dhahran, Saudi Arabia [email protected] Abstract—The Middle East is currently the target of an un- have been designed by the same unknown entity 1. The next precedented campaign of cyber attacks carried out by unknown malware of this lineage was Flame [7] which was discovered parties. The energy industry is praticularly targeted. The in May 2012 by Kaspersky Lab while investigating another attacks are carried out by deploying extremely sophisticated malware. The campaign opened by the Stuxnet malware in piece of malware called Wiper [8]. Flame features very 2010 and then continued through Duqu, Flame, Gauss, and unusual characteristics such as large size, large number of Shamoon malware. This paper is a technical survey of the modules, self adapting, etc. As Duqu, Flame’s objective is attacking vectors utilized by the three most famous malware, data collection and espionnage. Gauss [9] is another data namely, Stuxnet, Flame, and Shamoon. We describe their main stealing malware discovered in June 2012 by Kaspersky Lab modules, their sophisticated spreading capabilities, and we discuss what it sets them apart from typical malware. The focusing on banking information. Flame and Gauss exhibit main purpose of the paper is to point out the recent trends striking similarities and several technical evidences indicate infused by this new breed of malware into cyber attacks. that they come from the same “factories” that produced Stuxnet and Duqu [9]. The latest malware-based attack Keywords-Malwares; Information Security; Targeted At- tacks; Stuxnet; Duqu; Flame; Gauss; Shamoon targeting the middle east was the Shamoon attack on Saudi Aramco [10].
    [Show full text]
  • Wikileaks, the First Amendment and the Press by Jonathan Peters1
    WikiLeaks, the First Amendment and the Press By Jonathan Peters1 Using a high-security online drop box and a well-insulated website, WikiLeaks has published 75,000 classified U.S. documents about the war in Afghanistan,2 nearly 400,000 classified U.S. documents about the war in Iraq,3 and more than 2,000 U.S. diplomatic cables.4 In doing so, it has collaborated with some of the most powerful newspapers in the world,5 and it has rankled some of the most powerful people in the world.6 President Barack Obama said in July 2010, right after the release of the Afghanistan documents, that he was “concerned about the disclosure of sensitive information from the battlefield.”7 His concern spread quickly through the echelons of power, as WikiLeaks continued in the fall to release caches of classified U.S. documents. Secretary of State Hillary Clinton condemned the slow drip of diplomatic cables, saying it was “not just an attack on America's foreign policy interests, it [was] an attack on the 1 Jonathan Peters is a lawyer and the Frank Martin Fellow at the Missouri School of Journalism, where he is working on his Ph.D. and specializing in the First Amendment. He has written on legal issues for a variety of newspapers and magazines, and now he writes regularly for PBS MediaShift about new media and the law. E-mail: [email protected]. 2 Noam N. Levey and Jennifer Martinez, A whistle-blower with global resonance; WikiLeaks publishes documents from around the world in its quest for transparency, L.A.
    [Show full text]