Antihack Blog

The Sony Pictures Entertainment Hack: A Look at the Evidence We Have

21 Jan 2019

Note: Much of this information comes from an official affidavit, The United States of America vs. Park Jin Hyok, also known as (“aka”) “Jin Hyok Park,” aka “Pak Jin Hek,” (United States District Court for the Central District of California, June 8, 2018). If you want to review the entire 179-page document, it’s available [here].

This week, the U.S. Department of Justice announced charges against a North Korean spy, Park Jin Hyok, for violations of the following statutes:

18 U.S.C. § 371 (Conspiracy), for conspiring to commit the following offenses: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), (a)(5)(A)-(C) (Unauthorized Access to Computer and Obtaining Information, with Intent to Defraud, and Causing Damage, and Extortion Related to Computer Intrusion); and,

18 U.S.C. § 1349 (Conspiracy), for conspiring to commit the following offense: 18 U.S.C. § 1343 (Wire Fraud).

Park goes by several aliases, so he is commonly referred to simply as “Park” in the official affidavit. These charges originate from a multi-year conspiracy to conduct computer intrusions and commit wire fraud, carried out by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea (DPRK) while located there and in China, among other places. The intrusions targeted various entertainment companies, such as AMC Theaters and Mammoth Screen. They also hit financial institutions and even defense contractors such as Lockheed Martin. All of these intrusions were done for malicious purposes, including the collection of confidential information and the theft of money. The investigation, however, focuses primarily on Park and his involvement in the intrusions, largely because of the evidence collected against him. According to the affidavit, Park was hired by Chosun Expo, a company that is a front for the DPRK.

Park’s particular involvement in the November 2014 Sony Pictures Entertainment hack drew special attention from investigators. The intrusion was supposedly a retaliatory response to a comedic film, The Interview, which was to be released later that same month. The hackers made off with confidential company information that ultimately embarrassed Sony executives and produced major financial loss. The hack on Sony raised questions regarding First Amendment protections, U.S. government safeguards and responsibility, and the likelihood of more attacks in cyberspace.

In February 2016, Park and other co-conspirators also fraudulently transferred $81 million from Bangladesh Bank, the central bank of Bangladesh. They also engaged in similar financial heists that ran up monetary losses into the billions and included several financial services firms in the United States. To this day, the conspirators continue to target U.S. defense contractors, university faculty, technology companies, virtual currency exchanges, and U.S. electric utilities. They have also been accused of authoring “WannaCry 2.0,” the ransomware that infected systems on a global scale last year.

Of course, North Korean officials denied any involvement in the Sony intrusions, despite having made many public statements expressing their disapproval of the film. In fact, North Korea’s news agency called for a ban on the film, calling it “reckless U.S. provocative insanity,” and even threatened a “resolute and merciless response.” The DPRK also sent a letter to the U.S. government, stating:

The trailer of “The Interview” newly edited by the “Harlem Studio” of the United States has still impolite contents of deriding and plotting to make harm to our Supreme Leadership. We remind you once again that the production of such kind of movie defaming the supreme dignity that our Army and people sanctify is itself the evilest deed unavoidable of the punishment of the Heaven. . . Once our just demand is not put into effect, the destiny of those chief criminals of the movie production is sure to be fatal and the wire-pullers will get due retaliation.

Several days after the attack, file-sharing hubs were used to release confidential Sony information to the public, including embarrassing e-mail messages, scripts for future Sony films, employee medical and financial information, personal information on celebrities, social security numbers, and film contracts. In early December, Sony employees turned on their company computers to discover a threatening note warning Sony not to release The Interview. Otherwise, the release of the movie would provoke a retaliation “similar to September 11, 2001.”

“Hacked By #GOP. Warning: We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world. Determine what will you do till November the 24th, 11:00 PM (GMT).”

Five links were also displayed on the infected computer screens; they pointed to lists of files stored on Sony servers, proving the intruders had access to the data. The infection spread worldwide to Sony computers in the UK and even in Latin America. Because of the widespread infection, between 7,500 and 8,000 workstations had to be disconnected from the Internet in order to contain the spread of the intrusion. Dozens of Sony Twitter accounts were also hacked. In the days and weeks that followed, Sony executives received warning emails from the conspirators written in broken English.

Half of Sony’s personal computers’ and more than half of its servers’ information were wiped as a result of a type of ransomware infection delivered by the conspirators. The specific piece of malware used was named “Destover.” According to the FBI, Destover:

contained a “dropper” mechanism to spread the malicious service from the network servers onto the host computers on the network; it contained a “wiper” to overwrite or erase system executables or program files—rendering infected computers inoperable; and it used a web-server to display the “Hacked By #GOP” pop-up window discussed above and to play a .wav file which had the sound of approximately six gunshots and a scream.

The threat by the hackers was successful, and Sony suspended the release of The Interview. U.S. government investigators suspected North Korea, since the plot of the movie involved two CIA agents assassinating the North Korean leader, Kim Jong Un. Furthermore, the malware used in the attack bore a resemblance to malware used in past cyberattacks executed by North Korea. North Korea’s motivation behind the attack also seemed quite obvious. Despite the threatening messages, President Obama released a statement soon after, saying that suspending The Interview was the wrong path to take.

SOURCE: https://thecybersecurityman.com/2018/09/09/the-sony-pictures-entertainment-hack-a-look-at-the-evidence-we-have/