
North Korea behind Sony attack -- what now?

The FBI pointed to North Korea as the culprit behind the Sony Pictures security breach, and reports hint the foreign government may have gotten inside help. Also on Searchlight: Yahoo CEO Marissa Mayer's flawed attempts to channel Steve Jobs; Samsung takes on Apple Pay.

The FBI announced today that it has enough evidence to conclude that North Korea was behind the devastating cyberattack on Sony Pictures' computer systems last month that exposed and destroyed millions of corporate files.

Although the attack originated from outside North Korea, routed by the hackers from command-and-control servers worldwide, the FBI and cybersecurity analysts, including Kaspersky Lab analyst Kurt Baumgartner, say that one of the servers was also used in North Korea's attacks on South Korea two years ago. The attack on Sony Pictures was in apparent retaliation for the studio's upcoming film The Interview, a movie that depicts an assassination plot against North Korean leader Kim Jong Un.

The FBI's announcement comes shortly after Sony canceled the Dec. 25 release of The Interview, a decision made after "Guardians of the Peace" hackers, invoking the Sept. 11 terrorist attacks, threatened to harm American citizens who go to see the movie.

It's not exactly clear how U.S. intelligence officials were able to attribute the hack to North Korea's government, particularly because its computer network has been challenging to penetrate in the past. But according to The New York Times, a major effort by the National Security Agency's elite cyberteam to penetrate North Korean systems and monitor its malware has been in the works for four years now.

While mum on details, the FBI has alerted the public to the unprecedented and frightening nature of this cyberattack. "Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart," the FBI stated. "North Korea’s attack on [Sony Pictures] reaffirms that cyber threats pose one of the gravest national security dangers to the United States."

Time will tell how the involvement of a state government in a cyberattack on a private corporation will affect companies and their security policies. But it seems the goalposts for cyberattacks have shifted. “It used to be that only countries fought wars and companies provided aid and/or suffered collateral damage. Now that warfare is moving into the digital arena,” Forrester analyst James McQuivey wrote in a blog post yesterday. He speculates that companies must brace themselves for being drawn into political cyberwar.

Protecting against the insider threat

Security experts disagree as to whether the hackers were aided by Sony insiders with knowledge of the company's network. One clue that points to that possibility is that Sony server names and administrators' credentials were embedded within the malware that infected Sony's computers.

"They already had access to Sony's network before the attack," Jaime Blasco, researcher at AlienVault, a cybersecurity consulting firm, told The New York Times.

The insider threat is neither new nor uncommon. According to Verizon's 2014 Data Breach Investigations Report, "insider misuse" accounts for 19% of security incidents, tied for second place with crimeware. Not only do insider threats account for nearly one-fifth of all security incidents across all industries, but the perpetrators come from every level of an organization, all the way up to the C-suite, according to the report. "Wherever a business trusts people, you'll find this risk," the authors state.

So what are Verizon's suggestions for preventing insider and privilege misuse? First and foremost, the report stresses that you must know where your data is located and who can access it. Once you've determined which employees can access sensitive data, put into effect a process for revoking their access when they transfer departments or leave the company.

Verizon also advises that IT set up controls that monitor data transfer in and out of the organization. Anonymized audit results should be broadcast companywide to show that security policies are being enforced, which could deter further misuse.

Emailing passwords and other bad habits

Even if the hackers didn't receive inside help, however, coverage of the attack reveals that the company and its staff didn't really follow industry-standard best practices, such as securing their passwords and other sensitive information. For example, according to the Associated Press, Sony Pictures CEO Michael Lynton had assistants email him the actual passwords of his email, banking and other personal accounts -- just another of the many embarrassing C-level behaviors leaked by the hackers.

Another telling revelation from the leaks? Sony knew its security was crappy. Apparently, David C. Hendler, Sony Pictures CFO, expressed his unhappiness about how ineffective the company's security policies and IT practices were in various emails to Lynton. Never mind the exploding head of Kim Jong Un in a movie that may never see the light of day -- heads, you can be sure, are rolling at Sony.

CIO news roundup for week of Dec. 15

And here is more news from the past week:

  • According to excerpts from Nicholas Carlson's upcoming book Marissa Mayer and the Fight to Save Yahoo! (published in this week's New York Times Magazine under the rather catty title, "What Happened When Marissa Mayer Tried to be Steve Jobs"), the Yahoo CEO's efforts to restore the company to its former tech glory days have been unsuccessful. Carlson detailed how many shareholders would rather Mayer liquidate the company's remaining stake with Alibaba and return the resulting proceeds to them -- and in the process make Yahoo an attractively cheap acquisition. Calling AOL, again?
  • Another juicy tidbit from the book making the rounds online: Mayer apparently balked at hiring actress and lifestyle guru Gwyneth Paltrow as food editor -- because Paltrow didn't graduate college. (That's not very Jobs-like, is it?)
  • Apple Pay might soon have a worthy rival: Samsung is in talks with payments startup LoopPay to roll out a wireless mobile payment service in early 2015. Meanwhile, more banks and retailers are signing on to use Apple Pay.
  • A Sony clip-on wearable is in the works that might give Google Glass a run for its money. Unlike Google's glasses, Sony's module attaches to regular eyeglasses and other eyewear, transforming the ordinary specs into wearable technology.
  • On Tuesday, Google published its annual A Year in Search, a video that lists the top queries global Internet users have typed into Google's search engine in the past year. Not surprisingly, Robin Williams topped the list, followed by the World Cup, Ebola and Malaysia Airlines Flight 370. Ferguson and Ukraine were popular search terms unique to Americans.

Check out our previous Searchlight roundups on how the Sony hack differs from other attacks and why Uber matters for CIOs.


Did Sony Pictures make the correct call in canceling the release of The Interview?
The cynic in me thinks there is more to this issue than meets the eye. On one hand, the idea that a hacker can blackmail an organization into doing what they want them to do sets a horrible precedent, but ultimately, it's the company's call as far as if they want to accept the risks or not. Part of me just thinks that they may realize that they have a turkey on their hands, and this helps them spin it into a different story, but again, that's the cynic in me speaking. Ultimately every company answers to its stakeholders, and if the stakeholders don't want to take the risk, the company can choose to follow suit.
Good points, Michael! On the one hand, I can see Obama's point that this could set a dangerous precedent. On the other, Sony is a private company.

As to whether or not it's a turkey -- I hope I get to find out!
I think this is the best thing that could've happened to this movie - to be honest, it looks pretty bad, but people will be lining up to see it (now that some theaters will show it) just because of the controversy. So while it may not have been a great move initially to cancel the release, it may turn out to be one. 
Hah, Ben, I'm actually starting to agree with you. Sony Pictures just announced yesterday that they're releasing it in select theaters (and VOD, probably) -- which makes me think that they could have pulled it as a publicity stunt (or as you said, used the controversy for publicity) ... and it will probably work!
Whether or not the movie is any good, it is a good reason for companies to consider how they would plan for similar situations in their business. EMC had this with the RSA hack several years ago, and we've seen similar hacks with banks and retail as well. This is partially a technology issue and partially a PR/Community management issue. Just as with any crisis, a company should have plans in place for responses.
Great point, Brian. Based on Sony's responses post-breach, it's apparent it didn't at all have a response plan in place.
Nope. They were running scared and it was a bad move. In fact, I tuned into the movie this weekend and found that it was so bad as to be unwatchable. If a country's leadership is threatened by a piece of crap movie like that, they have much more to worry about than whether an entertainment company in the United States is lampooning them. I think bigger security issues are at play and ultimately Sony and companies in a similar position should do a full review of their security protocols and bring their tech up to today's standard.
Not sure where I stand on this. There are probably tons of videos out there that may offend U.S. citizens, but I do not see any fallout from that. With threats made if it was released it makes you wonder if they could do more than that. You have already been breached but you do not know to what extent.
Thanks Jeff and Todd for your opinion. Yes, it does bring up the question of whether Sony was unwilling to accept the risks and/or look at their security architecture. On the other hand, there was sensitive corporate data at risk. While it is very true that the N. Korean government probably has bigger fish to fry, one wonders if U.S. private companies are now involved in the cyberwarfare between governments.