• Bloomberg

North Korea may have had a hand in the digital attack against Sony Pictures Entertainment that used destructive malware to disable systems and destroy data, according to two sources with knowledge of the investigation.

Some of the malware contained Korean language code, and other aspects of the breach bear important similarities to attacks that wiped out the computers of South Korean banks and broadcasters in March 2013, said the sources, who were not authorized to speak publicly and asked not to be identified.

The FBI sent a flash alert to U.S. companies about the malware Monday, mentioning the use of Korean language, while not linking it directly to the Nov. 25 attack on Sony Corp.’s California-based entertainment unit. One of the sources confirmed that the alert refers to malware in the Sony case.

“We consider that the theories regarding the attribution to North Korea are credible,” said John Hultquist, senior cyber-espionage practice lead at iSight Partners, a Dallas-based cybersecurity company.

ISight is not involved in the Sony investigation. It has analyzed other destructive attacks linked to North Korean hackers, Hultquist said.

The malware, designed by unknown operators, has the ability to overwrite data files, including what is called the master boot record, making computers unusable, the FBI said in its five-page alert to companies.

The use of destructive malware has been a hallmark of North Korean attacks, including devastating attacks last year against some of South Korea’s largest banks and at least two major television broadcasters.

North Korea’s U.N. mission did not immediately respond to an email request for comment. When asked about the attack, a spokesman for North Korea’s U.N. mission told the BBC: “The hostile forces are relating everything to the DPRK. I kindly advise you to just wait and see.”

Sony has not independently confirmed a link to North Korea, according to a person with knowledge of the matter who was not authorized to speak publicly and requested anonymity.

The entertainment unit has hired security consultants Mandiant, a unit of FireEye, to assist in the recovery, the person said. Some systems, such as email, are back online but are not fully operational, the person added.

Mandiant did not respond to requests for comment.

Sony has managed to make progress on its promotional campaigns for annual film awards and other matters, even though the attack hit at a particularly busy time for the industry, the person said. The hacking led to the leak of the details of executive pay at Sony Pictures, according to Fusion, a news joint venture between ABC and Univision.

The attack on Sony crippled its computer systems, forcing some employees to communicate by text message.

The attackers also were able to obtain copies of recent and imminent motion-picture releases that were then posted on the Internet for download.

The breach occurred a month before the scheduled release of “The Interview,” a comedy about a CIA plot to kill North Korea’s leader, Kim Jong-Un.

The Seth Rogen film, currently advertised for release on Dec. 25, features Rogen and James Franco as TV producers who are recruited by the Central Intelligence Agency to assassinate Kim. Plans for the film drew a rebuke from the country, with a Foreign Ministry spokesman saying in state media that the release would be an “act of war,” the BBC reported.

“In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyberthreat indicators observed during the course of our investigations,” Joshua Campbell, a bureau spokesman, said in an email. “This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.”
