President Obama described the hacking of Sony Pictures Entertainment’s computer network as an act of “cybervandalism,” not war, and an expert said the malware likely came from the black market.
“I don’t think it was an act of war,” Obama said during an interview with Candy Crowley on CNN’s “State of the Union” that aired Sunday. “I think it was an act of cybervandalism that was very costly, very expensive. We take it very seriously. We will respond proportionately.”
North Korea’s Internet reportedly crashed on Monday in one of the country’s worst network outages ever. An attack was suspected but not confirmed.
The high-profile cyber-attack against Sony was linked to the government of North Korea and exposed sensitive personal e-mails, salaries and the health records of tens of thousands of employees.
The documents contain a trove of embarrassing revelations, from private conversations among Hollywood bigwigs (producer Scott Rudin called actress Angelina Jolie a “spoiled brat”) to salary discrepancies between male and female A-listers (Oscar-winner Jennifer Lawrence was paid far less than her male co-stars in “American Hustle.”)
A group that calls itself The Guardians of Peace claimed responsibility for the breach. But the Federal Bureau of Investigation on Friday linked the malware intrusion to the government of North Korea, headed by the young dictator Kim Jung-un.
“As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the agency stated in a release.
The FBI cited the following evidence:
* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
North Korea, meanwhile, denied any role in the attack, which it called a “righteous deed,” even as it called for a joint investigation with the U.S. into the matter.
Earlier this year, the North Korean government lodged a formal protest with the United Nations against the Sony movie, “The Interview,” a comedy starring Seth Rogan and James Franco about a plot to assassinate the North Korean leader. The studio canceled the film’s scheduled Christmas Day release after theater chains opted against showing it amid the group’s threats of 9/11-style terrorist attacks.
Many in the U.S., including cybersecurity experts, have criticized the reaction by Sony and its distributors, saying it amounts to capitulation and sets a dangerous precedent by encouraging criminals to launch similar attacks in the future.
“This is beyond the wildest dreams of these attackers,” Peter Singer, author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” told Vice.com. “This is not just now a case study in how not to react to cyberthreats and a case study in how to not defend your networks, it’s now also a case study in how not to respond to terrorism threats.
In the CNN interview, Obama vowed, “We’re not going to be intimidated by some cyberhackers.” He added that in deciding to cancel the movie’s release, Sony officials may have been more afraid of a lawsuit stemming from possible violence.
James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington, D.C., said the president was correct in making a distinction between an act of cybervandalism and cyberwar.
“There is sort of an international consensus that to qualify the use of force you have to involve destruction or casualties,” he said. “That means that’s consistent with the laws of armed conflict. He’s exactly right.”
Lewis said forensic evidence shows the computer code was similar to what Iran employed in the 2012 cyberattack against the Saudi Arabian state-owned oil company Aramco.
At the time, it was considered “among the most destructive acts of computer sabotage on a computer to date,” and “erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag,” according to an article by Nicole Perlroth of The New York Times.
“It comes out of the criminal black market,” Lewis said of the software. “It’s not like the North Koreans sat down and invented something. They took malware developed for criminal purposes and adapted it to use against Sony.”
In a separate but related story, the operator of South Korea’s nuclear power plants on Monday said its computers were hacked, but there was no risk to the 23 reactors in operation throughout the country, Reuters reported.