Christmas 2014 is sure to be remembered as a terrible one for cyber security. A distributed denial-of-service (DDoS) attack took down the PlayStation Network and Xbox Live for days. #anonymouspocalypse saw the release of some 13,000 passwords and credit card numbers. But the hack suffered by Sony Pictures, seemingly motivated by their comedy The Interview, is one that we’ll be talking about for weeks to come.
It started on November 24. Sony Pictures shut down their entire network after discovering that their systems had been compromised by a group calling themselves Guardians of Peace (#GOP)—employees were told not to access the company network or their email inboxes. Twitter accounts belonging to Sony Pictures were also taken over, but were subsequently recaptured by Sony.
Sony Pictures was greeted with this message:
While the message states that Sony Pictures must “obey,” there were no demands given at this point—just a warning that all of the data at Sony Pictures had been compromised. In emails to media sources, #GOP stated that they had acquired an absolutely monumental amount of data—almost 100 terabytes.
Shortly after the attack was discovered, #GOP started releasing files. Copies of the unreleased films Annie, Mr. Turner, Fury, and Still Alice started hitting torrents. Emails between executives were released, many of which contained insensitive or downright hostile comments about movie stars and other public celebrities, including Leonardo DiCaprio, Angelina Jolie, Adam Sandler, and Barack Obama.
How come I know you don’t write anything you don’t want broadcast in an email? How come I know that? Who’s advising [these] people?
—Lisa Kudrow, interview with Huffington Post
Potentially even more damaging to Sony Pictures’ reputation are emails making it clear that some female stars are paid less than their male counterparts for the same movies (both Jennifer Lawrence and Amy Adams were mentioned for their roles in American Hustle). David O. Russell, the director of American Hustle, was also called out for being abusive toward Amy Adams and the cast.
And the list goes on. Emails were released over the course of several days, and a number of mean-spirited, racist, misogynist, and other sorts of awful emails sent and received by execs at Sony Pictures were revealed. Personal identifying information, including social security numbers, addresses, phone numbers, salary information, and more details, was also stolen.
So what did #GOP want? Why did they go through the trouble of stealing almost 100 terabytes of data and releasing dozens of nasty emails? They made it clear in an email:
We will clearly show it to you at the very time and places The Interview be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.)
Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.
The Interview, Sony’s James Franco and Seth Rogen-fronted comedy about a two-man team sent to assassinate Kim Jong-un, was always likely to ruffle a few feathers. But no one expected a response like this.
Two days after the “11th of September” email showed up, two more were seen. One, sent to Sony execs, said that the studio would face no further torment from the group if they didn’t release the film. The other, a public email, stated that Sony Pictures had “suffered enough” and that The Interview could be released if Kim Jong-un’s death scene wasn’t “too happy.”
Who’s Behind The Attack?
As soon as the news broke that the hack had taken place, people started speculating as to who could be behind the attack. It’s one of the most significant hacks in history, and it obviously took a great deal of planning and prowess in execution—so who could pull that off?
The first—and most obvious—guess that most people made was that North Korea was behind the attack. The Interview would be very offensive to the country with its depiction of the assassination of a member of the Kim dynasty, and Pyongyang has never responded well to criticism. Experts, including those at the Federal Bureau of Investigation, also stated that the code used to perpetrate the attack, called Destover, was similar to code that had been used by North Korea in the past, though it’s been in circulation around the world for quite a while.
The FBI and many others pointed the finger at Pyongyang quickly, and a lot of people believed them. President Obama obviously did, as he criticized Sony for backing down and promised retribution for the cyber attack. But not everyone was convinced.
Pyongyang denied responsibility for the attack, which was uncharacteristic of their brash international behavior. And many experts believe that North Korea just isn’t capable of an attack that size—that they lack both the infrastructure and the skill. Marc Rogers came up with 10 good reasons why it probably wasn’t North Korea, and Bruce Schneier agrees—he even presents some linguistic evidence that the hackers could be Russian. Public opinion now seems to be that the attack came from elsewhere. But where?
A recent CNN article detailed a number of possible culprits: Lizard Squad, the cyber-vandals who took down the PlayStation Network and Xbox Live over Christmas; a former high-access employee code-named “Lena”; other former members of staff unhappy about layoffs; and other hacking groups. Unfortunately, the latest answer to “Who hacked Sony?” is “We don’t know.”
Understandably, a number of major movie theatre chains cancelled their showings of The Interview in an effort to keep their patrons (and their reputations) safe. Shortly after the public announcements that they wouldn’t be showing the movie, Sony cancelled the release altogether, causing a storm on Twitter. The cancellation would cost Sony Pictures about $90 million in lost returns on the movie, according to The Wrap.
Many in Hollywood weren’t so happy about this reaction. George Clooney circulated a petition to tell Sony that the industry stood behind them and would support them in fighting back against #GOP—but couldn’t get a single person to sign it. Judd Apatow, Michael Moore, Rob Lowe, and Mia Farrow also voiced their displeasure with the studio. Even John McCain weighed in.
We don’t negotiate with terrorists unless they make vague, unsubstantiated threats about comedy movies.
— Christmas Brandon (@UNTRESOR) December 17, 2014
Amy Pascal, involved in several embarrassing email conversations leaked by the hackers, issued a public apology, saying that those emails don’t define who she is. Amy Adams cancelled an interview because the interviewers insisted on talking about the hack. Sony executives have told the press that they’re afraid to send emails.
Many people have characterized the attack as an act of cyber-terrorism on American soil, which has led to some posturing by US politicians and advocates. Obama’s promise of retribution may have already been carried out—the Internet has been totally shut down in North Korea multiple times since the hack, and Pyongyang has blamed the US.
Sony has been heavily criticized in the wake of the attack, with many members of Hollywood wondering how the film got produced in the first place. North Korea is known for not responding kindly to jabs at its leaders, and a movie that includes a depiction of the assassination of Kim Jong-un was never going to go down well. The company hasn’t been especially great at protecting its employees’ privacy—or much of anything, for that matter.
The Interview and the Future
In the end, Sony decided to release The Interview in limited theaters and online on Christmas Day. They’ve made an estimated $12-15 million from the release, despite dismal reviews (one review says that the movie “utterly sucks”). Obviously, the movie has benefitted from being at the center of the biggest news story in a Christmas filled with a number of cynicism-inducing cyber attacks.
They say that all press is good press, and this has led more than a few people to speculate that the whole thing was perpetrated by Sony Pictures to get some attention for their movie. I certainly wouldn’t put it beyond a company to fake a cyber attack to get some press, but this particular attack seems like a bit much for that strategy. Releasing the huge amount of data that we’ve seen, including at least four full movies, seems to be just too much for a hoax.
So where are we now? What happens next? As the search for the real perpetrator of the attack continues, we have little to go on. If the US has promised (and carried out) retribution on North Korea without proof, the entire affair could be quite embarrassing, especially for the FBI, which stated with confidence that Pyongyang was behind the whole thing.
All in all, it’s been a fascinating and worrying holiday season for cyber security. We’re looking forward to finding out more about the attack, who’s behind it, and what the long-term fallout will be.
What do you think of the Sony hack? Do you believe that it was perpetrated by North Korea? That it was a hoax? Or that we have yet to find out the full truth? How does it make you feel about cyber security?
Image credit: J.A. de Roo via Wikimedia Commons.