SONY’S NIGHTMARE BEFORE CHRISTMAS The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace National SecurityResearch Report Note Antonio DeSimone | Nicholas Horton NSR_11x17_Cover_Sony_v6.indd 1 11/20/17 4:09 PM SONY’S NIGHTMARE BEFORE CHRISTMAS The 2014 North Korean Cyber Attack on Sony and Lessons for US Government Actions in Cyberspace Antonio DeSimone Nicholas Horton Copyright © 2017 The Johns Hopkins University Applied Physics Laboratory LLC. All Rights Reserved. NSAD-R-17-045 SONY’S NIGHTMARE BEFORE CHRISTMas iii Contents Figures ................................................................................................................................................................................................ v Tables .................................................................................................................................................................................................. v Summary .........................................................................................................................................................................................vii Timeline of Events ....................................................................................................................................................2 Sony, The Interview, and the Attack ......................................................................................................................2 The Cybersecurity Industry Responds ..................................................................................................................7 The US Government Attributes the Attack to North Korea ........................................................................... 10 North Korea’s Response ....................................................................................................................................... 13 The Aftermath ........................................................................................................................................................ 15 Sony’s Financial and Economic Losses ..........................................................................................................................16 Conclusions ............................................................................................................................................................ 17 Divining the Motives of North Korea .............................................................................................................................17 Attribution, Behavior, and Norms ...................................................................................................................................17 Attribution, Credibility, and Perceptions ......................................................................................................................18 Information Sharing and Denial of Benefits ................................................................................................................19 Appendix North Korean Articles .........................................................................................................................................21 Bibliography ...................................................................................................................................................................................23 Acknowledgments .......................................................................................................................................................................31 About the Authors .......................................................................................................................................................................31 Figures Tables SONY’S NIGHTMARE BEFORE CHRISTMas v Figures Figure 1. Timeline of Events Surrounding 2014 Sony Cyber Attack............................................................................ 3 Figure 2. Image Displayed on Computer Monitor at Sony on November 24, 2014 (Imgur) .............................. 5 Figure 3. One of the Messages Sent by WhoIs Team in March 2013 ........................................................................... 9 Figure 4. Articles about Sony in the North Korean State-Controlled Media..........................................................14 Tables Table A-1. Articles Including “Sony” in the KCNA Watch Database, June 1, 2014–May 5, 2015 .......................21 SONY’S NIGHTMARE BEFORE CHRISTMas vii Summary The cyber attack on Sony Pictures Entertainment in late 2014 began as a public embarrassment for an American company and ultimately led to the unprecedented action by the US president to formally attribute a cyber attack to a nation-state (North Korea). The incident played out at the nexus of the private cybersecurity industry and US government communities including the White House, the Federal Bureau of Investigation, and the National Security Agency. The attack was triggered by Sony’s plan to release The Interview, a comedy in which an American talk show host and his producer are recruited by the Central Intelligence Agency to travel to North Korea and assassinate North Korea’s supreme leader, Kim Jong-un. The cyber attack was discussed everywhere: from supermarket tabloids, delighting in gossip-rich leaked emails, to official statements by leaders in the US government, including President Obama. When laid out in a timeline, the events surrounding the cyber attack—which include the attribution to North Korea and subsequent responses by both the government and private-sector cybersecurity experts—provide a case study of the actions and interactions of the players in a major cyber attack. The events surrounding the attack and the attribution provide insight into three areas: the effects of government and private-sector actions on the perception of a cyber event among the public, the effect of attribution on the behavior of the attackers, and possible motives for North Korea’s high-profile cyber actions. The incident also illuminates the role of multi-domain deterrence to respond to attacks in the cyber domain. SONY’S NIGHTMARE BEFORE CHRISTMas 1 yber attacks have increased in number, scale, actions in cyberspace and an interesting case study and variety in recent years,1 threatening US of US government activities at the intersection of law economic interests and national security. In enforcement and national security. Cthe eyes of some, the cyber threat from sophisticated The wide variety of actions and actors in this case actors capable of “full spectrum” actions “has study make it particularly interesting as a source of potential consequences similar in some ways to the 2 insights into the multi-domain deterrence problem: nuclear threat of the Cold War.” High-consequence a private US company became the target of a cyber cyber attacks call for a whole-of-government attack by a foreign nation-state with minimal cyber response to detect, deny, and deter bad actors infrastructure and a nonexistent private industry. and, when appropriate, retaliate. Proper and The United States cannot deter an attack like this by proportional retaliation in the face of a cyber attack threatening retribution in kind. The United States is is a particularly difficult problem. An attacker may not likely to embrace a declaratory cyber-deterrence not have appropriate cyber targets, calling for a policy that includes attacks on private companies, and retaliatory capability in a different domain. The policy even if it did, this attacker does not have such assets issues associated with employing different levers of to hold at risk. Multi-domain deterrence policies power under different authorities (multi-domain could have an impact on adversaries considering a deterrence) should be informed by an understanding cyber attack on a US asset; this case study can help of the actions and interactions among the players in shape such policies. a cyber attack. The general outline of the events is well known. This report provides a case study of the 2014 cyber Sony planned to release The Interview, a Seth Rogen attack on Sony Pictures Entertainment (NOTE: in comedy portraying the assassination of Kim Jong-un, this paper, “Sony” will refer to Sony Pictures the supreme leader of North Korea, or, officially, the Entertainment, while “Sony Corp.” will refer to the Democratic People’s Republic of Korea. The North parent, Japan-based Sony Corporation). By following Korean government objected to the movie, including the course of a single incident, we hope to gain vehemently protesting to the secretary-general of insight into how players across governments and the United Nations (UN), but Sony pushed ahead the private sectors behave and respond when an with its plan to show the film. One month before attack occurs. The Sony attack achieved wide public The Interview’s scheduled Christmas release, a cyber notoriety, driven perhaps less by a broad interest in attack on Sony released a trove of sensitive data and national security than by leaked emails that disclosed caused extensive damage to Sony computers. Later, interesting ways celebrities misbehave. Looking past as leaks continued and anonymous threats to Sony the fascination with the culture of celebrity and the increased, the US government reacted to this attack backroom dealings in the entertainment industry, on a private company in an unprecedented public we find that the events in that short