Hackers who knocked Sony Pictures Entertainment's computer
systems offline last week used tools very similar to those used
last year to attack South Korean television stations and ATMs,
people briefed on the investigation said.
The similarity would reinforce a hunch among some investigators,
which include Sony, the Federal Bureau of Investigation and a team
from Silicon Valley security company FireEye Inc., that North Korea
played a role in the breach at the film and television studio, one
of the largest in the U.S. South Korea publicly blamed the 2013
attacks on North Korea.
In the wake of the Sony attack, the FBI issued a private warning
to companies late Monday to be on the lookout for a certain type of
destructive malware that can make data on hard drives inaccessible,
according to someone who had seen it. Retrieving any data from an
affected hard drive can be quite difficult and costly, according to
the FBI warning.
Sony Pictures is set to release this month "The Interview," a
comedy in which U.S. spies enlist a television host played by James
Franco and his producer, played by Seth Rogen, to assassinate North
Korean leader Kim Jong Un. In June, a spokesman for the Pyongyang
government said distribution of the movie would be "the most
undisguised terrorism and a war action" and threatened a "strong
and merciless countermeasure" if the U.S. government "patronizes
the film."
Employees at the Sony Corp.-owned studio behind "The Amazing
Spider-Man" and hit TV show "The Blacklist," have been forced to
work with cellphones and personal email accounts since images of a
skull appeared on company computers last week along with the
message "Hacked by #GOP." Employees were warned by Sony not to use
any digital devices connected to its internal networks. The hacker
group, known as "Guardians of Peace, " hasn't revealed any details
about its identity or provided Sony with a list of demands.
Over Thanksgiving weekend, certain critical operations began to
come back online, including those linked to DVD sales during Black
Friday. On Monday, email and telephones were working, though
employees were only able to work in certain buildings whose
networks had been deemed secure.
By then a new crisis had emerged, however, as high-quality
copies of five Sony movies, including the Brad Pitt World War II
drama "Fury" and a coming adaptation of the musical "Annie," leaked
onto the Internet. Executives at the studio assume the leaks are
connected to last week's attack although they have no evidence yet,
said a person familiar with the matter.
Four of the five films have yet to be released in theaters. That
is a blow to the studio at a time when, thanks to strict security
measures, it is rare for movies to appear on pirate websites before
they open. "The Interview" wasn't among the leaked pictures.
Technology news websites Recode and Ars Technica previously
reported on suspected links between the Sony hacking and North
Korea. The FBI, which is leading the probe, hasn't yet determined
who was behind the breach, a person familiar with the investigation
said.
"The FBI is working with our interagency partners to investigate
the recently reported cyber intrusion at Sony Pictures
Entertainment," the agency said Monday. "The targeting of public
and private sector computer networks remains a significant threat,
and the FBI will continue to identify, pursue, and defeat
individuals and groups who pose a threat in cyberspace."
The malicious code used against Sony is nearly identical to the
hacking tools used in March 2013 against South Korea, people
briefed on the investigation said. In that operation, known as
"Dark Seoul," computer systems at South Korean broadcasters and
banks went offline. ATMs also wouldn't work.
The South Korean government publicly blamed that incident on
North Korea's Reconnaissance General Bureau. Western security
researchers, without naming North Korea, said the group that caused
Dark Seoul launched a follow-up attack on June 25, 2013, which is
the anniversary of the start of the Korean War.
A person at Sony Pictures with knowledge of the matter said that
a connection to North Korea is one of many possibilities the studio
is examining and that it has no direct knowledge that the communist
nation was involved in the attack.
As the U.S., Israel, China and Russia move to build up their
hacker forces, North Korea has also been aggressive, if a bit of a
laggard, U.S. officials have said. Its Internet connections run
through China, which have caused U.S. and South Korean officials to
believe Beijing at least tolerates North Korea's activity, said
former U.S. officials and people familiar with the
investigation.
"They certainly have the ability to engage in the kind of
disruptive attacks that you've seen," said James Lewis, a
cybersecurity expert at the Center for Strategic and International
Studies, who advises lawmakers and the White House on hackers. Mr.
Lewis said the attack on Sony, if it is indeed the work of North
Korea, is probably close to the limits of its capabilities.
A Sony spokeswoman said Monday that Sony Pictures "continues to
work through issues related to what was clearly a cyberattack last
week. The company has restored a number of important services to
ensure ongoing business continuity and is working closely with
law-enforcement officials to investigate the matter."
Write to Danny Yadron at danny.yadron@wsj.com and Ben Fritz at
ben.fritz@wsj.com
Access Investor Kit for Sony Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=JP3435000009
Access Investor Kit for Sony Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US8356993076
Subscribe to WSJ: http://online.wsj.com?mod=djnwires