
North Korean Government Responsible For Sony Hack, FBI Says

It's extremely rare for the U.S. to officially blame a nation for a cyberattack. Meanwhile, the hackers sent Sony a message saying they were "wise" to cancel the release of The Interview.

Kevork Djansezian / Reuters

A security guard stands at the entrance of United Artists theater during the premiere of The Interview in Los Angeles on Dec. 11. The film has since been pulled.

The Federal Bureau of Investigation officially said the North Korean government was behind the massive hack against Sony that exposed sensitive and embarrassing information, a rare instance of the U.S. government blaming a specific country for a cyberattack.

Here is the evidence the FBI said backs up its assessment:


* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

* Separately, the tools used in the SPE attack have similarities to a cyberattack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

"North Korea's attack on [Sony] reaffirms that cyber threats pose one of the gravest national security dangers to the United States," the agency said in a statement. "The destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea's actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.

"Such acts of intimidation fall outside the bounds of acceptable state behavior," the agency said, adding that Sony reported the breach within hours.

The unprecedented hack made public a massive amount of sensitive and embarrassing data from the company, actors, and others in the entertainment industry. The hackers, who called themselves Guardians of Peace, also threatened violence at theaters that showed the film, which depicts the fictional assassination of North Korea's leader, Kim Jong-un. Sony has since scrapped the film's release, a decision that actors and politicians have criticized.

Homeland Security Secretary Jeh Johnson called the hack "an attack on our freedom of expression and way of life."

Sony executives also reportedly received an email on Thursday evening from the hackers, saying the company was "very wise" for canceling the worldwide release of The Interview, CNN reported.

The email received by Sony officials mimicked previous messages from the hackers, CNN reported:

The hacker message is effectively a victory lap, telling the studio, "Now we want you never let the movie released, distributed or leaked in any form of, for instance, DVD or piracy."

The message also says, "And we want everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately."

Earlier, Reuters reported that the U.S. was expected to say that China had possible ties to the attack, but that was not part of the FBI's statement, a government official told Reuters.

Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE). In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data. A group calling itself the "Guardians of Peace" claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.

The FBI has determined that the intrusion into SPE's network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees' personally identifiable information and confidential communications. The attacks also rendered thousands of SPE's computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company's business operations.

After discovering the intrusion into its network, SPE requested the FBI's assistance. Since then, the FBI has been working closely with the company throughout the investigation. Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack. Sony's quick reporting facilitated the investigators' ability to do their jobs, and ultimately to identify the source of these attacks.

As a result of our investigation, and in close collaboration with other U.S. Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. Government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea's attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States. Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea's actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt – whether through cyber-enabled means, threats of violence, or otherwise – to undermine the economic and social prosperity of our citizens.

The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information. Further, the FBI will continue to work closely with multiple departments and agencies as well as with domestic, foreign, and private sector partners who have played a critical role in our ability to trace this and other cyber threats to their source. Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.

This is a breaking news story, please check back here and at BuzzFeed News on Twitter for updates.

Tom Namako is the deputy news director for BuzzFeed News and is based in New York.

Contact Tom Namako at tom.namako@buzzfeed.com.
