Expert: Sony Hack Used Black Market Malware


President Obama described the hacking of Sony Pictures Entertainment’s computer network as an act of “cybervandalism,” not war, and an expert said the malware likely came from the black market.

“I don’t think it was an act of war,” Obama said during an interview with Candy Crowley on CNN’s “State of the Union” that aired Sunday. “I think it was an act of cybervandalism that was very costly, very expensive. We take it very seriously. We will respond proportionately.”

North Korea’s Internet reportedly crashed on Monday in one of the country’s worst network outages ever. An attack was suspected but not confirmed.

The high-profile cyber-attack against Sony was linked to the government of North Korea and exposed sensitive personal e-mails, salaries and the health records of tens of thousands of employees.

The documents contain a trove of embarrassing revelations, from private conversations among Hollywood bigwigs (producer Scott Rudin called actress Angelina Jolie a “spoiled brat”) to salary discrepancies between male and female A-listers (Oscar-winner Jennifer Lawrence was paid far less than her male co-stars in “American Hustle.”)

A group that calls itself The Guardians of Peace claimed responsibility for the breach. But the Federal Bureau of Investigation on Friday linked the malware intrusion to the government of North Korea, headed by the young dictator Kim Jung-un.

“As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the agency stated in a release.

The FBI cited the following evidence:

* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

North Korea, meanwhile, denied any role in the attack, which it called a “righteous deed,” even as it called for a joint investigation with the U.S. into the matter.

Earlier this year, the North Korean government lodged a formal protest with the United Nations against the Sony movie, “The Interview,” a comedy starring Seth Rogan and James Franco about a plot to assassinate the North Korean leader. The studio canceled the film’s scheduled Christmas Day release after theater chains opted against showing it amid the group’s threats of 9/11-style terrorist attacks.

Many in the U.S., including cybersecurity experts, have criticized the reaction by Sony and its distributors, saying it amounts to capitulation and sets a dangerous precedent by encouraging criminals to launch similar attacks in the future.

“This is beyond the wildest dreams of these attackers,” Peter Singer, author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” told “This is not just now a case study in how not to react to cyberthreats and a case study in how to not defend your networks, it’s now also a case study in how not to respond to terrorism threats.

In the CNN interview, Obama vowed, “We’re not going to be intimidated by some cyberhackers.” He added that in deciding to cancel the movie’s release, Sony officials may have been more afraid of a lawsuit stemming from possible violence.

James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington, D.C., said the president was correct in making a distinction between an act of cybervandalism and cyberwar.

“There is sort of an international consensus that to qualify the use of force you have to involve destruction or casualties,” he said. “That means that’s consistent with the laws of armed conflict. He’s exactly right.”

Lewis said forensic evidence shows the computer code was similar to what Iran employed in the 2012 cyberattack against the Saudi Arabian state-owned oil company Aramco.

At the time, it was considered “among the most destructive acts of computer sabotage on a computer to date,” and “erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag,” according to an article by Nicole Perlroth of The New York Times.

“It comes out of the criminal black market,” Lewis said of the software. “It’s not like the North Koreans sat down and invented something. They took malware developed for criminal purposes and adapted it to use against Sony.”

In a separate but related story, the operator of South Korea’s nuclear power plants on Monday said its computers were hacked, but there was no risk to the 23 reactors in operation throughout the country, Reuters reported.

About the Author

Brendan McGarry
Brendan McGarry is the managing editor of He can be reached at Follow him on Twitter at @Brendan_McGarry.
  • Rat

    I guess a foreign nation threatening to kills United states citizens by the thousands for viewing a movie is just vandalism. The fort hood shooting was workplace violence. But the kid who draws a picture of a gun in a school is charged with terrorism. The beating of a white motorist in detroit by 6 blacks isnt a hate crime. Way to go illustrious leader 0.

  • mark

    Sounds like a set up.

    • rtsy

      It really does. One computer expert said the evidence the FBI sites would be tantamount to Dexter leaving his knives at the scene of a crime. It’s hard to believe a group capable of the hack would be so careless as to leave a giant arrow pointing back at themselves.

  • Derek

    I look at that picture and all I see is a starving army.

    • Scott

      I saw the exact same thing, they look really bad.

    • blight_

      The ROK should build a line of food trucks just south of the DMZ. Or let the smell of Korean BBQ waft over the line. Poor bastards.

  • oblatt22

    The FBI case is a based on a chain of conjecture without any positive identification that is why nobody in the security industry takes it seriously.

    As a terrorism target America is by far the best bang for a buck. Americans are primed and ready to be terrorism victims. Many Americans crave the recognition that a terrorism attack brings. Because for most Americans it isn’t politics its entertainment.

    • Atomic Walrus

      My guess is that the FBI evidence is simply what can be shared with the public. The real evidence was likely gathered by the NSA, and no government is going to willingly share evidence of their capabilities in those areas.

      • blight_

        The publicly disclosed evidence isn’t clear enough. Any reasonably competent attacker could re-route through the publicly disclosed proxies, and anyone can toss a Korean phrase into a translator.

        Conceivably, a DPRK attack could throw in an English phrase in, get a jumbled Korean phrase out, and then use that to create ambiguity. We assume that a cyber-attacking DPRK /wants/ to put their stamp on it, but what if they prefer plausible deniability, an attribute that we commonly assume applies only to Western nations (but might also apply to the DPRK).

    • William_C1

      Shilling for the North Koreans now? You know they can’t afford to pay you, right?

      • ccc40821…

  • JOHN

    so, the action was all in the usa…….the company is owned overall by the Japanese. why haven’t we heard from them?????

    • Derek

      Because the movie production division of Sony is in L.A. (Hollywood), its run by Americans. So the Japanese weren’t effected at all by this, heck, the movie “The Interview” was never going to be shown there.

  • ccc40821

    I’m no fan of North Korea, and even less so of conspiracy theories, but until there is solid evidence of NK standing behind the attack, everybody should calm a bit on the rhetoric:…

  • andy

    send a few Cruise Missiles at night time and selected the targets where the CHUPPIE SLEEPING AT NIGHT with a label MADE IN CHINA …DONE ….

  • Fred Brennion

    So now the stage is set to define down to ‘cybervandalism’ any hack attack over which we do not want to resort to military action. I got it.

    Shades of Major Hassan and the “workplace violence” moniker in order not to find him to be a terrorist.

    Wait for the laughably tortured language invented under orders from the White House for the military to avoid finding that Bowe Bergdahl was a deserter.

    • rtsy

      They stole emails that made some execs look bad, you really want to bomb someone for that?

      • commenter

        The other thing to remember here is Sony’s IT security has been breached around 56 times in little over a decade. And they still didn’t follow the most basic security practices. Even at the top. Most companies would be smart enough to tighten security after being hit so many times with major hacks.

        Their security was abysmal and it should be no surprise they were hacked.

        Additionally, There is absolutely no reason to ever use military action in retaliation for a hack of a corporate entertainment company. There is absolutely no national security implications and the real effect on the US is nil. It makes Sony look like idiots and hurts them, but on the whole it’s pretty benign.

        You’d spend hundreds millions of dollars to send a “military message” to not hack a US subsidiary of a Japanese multinational entertainment corporation that didn’t have the intelligence to take the most basic IT security steps?

        The evidence against DPRK is weak as well. It’s a lot of thin circumstantial evidence.

    • blight_

      If the DPRK had broken into a Sony facility and extracted the data, it would be vandalism, not terrorism.

      Unless you subscribe to the belief that action by any state actor is terrorism. In which case, we routinely crack foreign intelligence and foreign systems and plant malware and rootkits…your broad implication that penetration by a foreign intelligence agency is an act of terrorism ironically paints the United States itself as terrorism. Thus, we will never call a tactic we are not above using “terrorism”. Instead, we will stick to defining terrorism as things we are unlikely to do: such as hijacking airliners and flying them into buildings, or deliberately targeting civilian crowds for injury and death because Magical Book says so.