Sony Cancels Movie, US Confirms North Korea Involvement, But Were Bomb Threats Empty?

After the Sony hackers issue threats of physical violence and 9/11-style attacks, The Interview is being killed before it even premieres. But would the attackers have really blown up theaters?

Sara Peters, Senior Editor

December 17, 2014


ORIGINALLY RELEASED 6:24 p.m. Dec. 17. UPDATED 7:00 p.m. Dec. 17: Unnamed American intelligence officials concluded Wednesday evening that the North Korean government was "centrally involved" in the attacks on Sony Pictures, The New York Times reports. According to the NYT, "Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign."

Also this evening, Sony Pictures Entertainment announced it was dropping its plans for a Dec. 25 release of The Interview -- Sony's upcoming comedy about assassinating North Korean leader Kim Jong-Un. Sony had already canceled the film's New York premiere yesterday, in response to hackers' thinly veiled threats of physical violence at the event. The film's stars, James Franco and Seth Rogen, have canceled all public appearances, and movie theaters are beginning to declare they will not show the film at all.

Yet were the warnings of physical violence empty threats?

The Guardians of Peace (GOP), the hacking group that has accepted responsibility for the massive cyberattacks against Sony Pictures Entertainment, told a reporter weeks ago that they were not backed by any nation-state, were not based in North Korea, and were not explicitly motivated by protesting The Interview. North Korea denied any role, and some security experts stated that there was no technical evidence to the contrary. Yet rumors about North Korea continued anyway.

Are the cyberattackers simply being opportunistic -- using the rumors to create more mischief, draw more attention, and create more problems for Sony?

Probably, say some security experts.

Does the threat match the MO?
On Tuesday, the GOP issued a message that warned people about visiting cinemas showing the movie: "Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you'd better leave)."

Ominous. However, acts of physical terrorism don't fit the Sony hackers' apparent MO.

"These guys don't sound like terrorists," says Tom Chapman, director of the Cyber Operations Group at EdgeWave, who was a US Navy intelligence officer until he retired in September. "They don't really match to the definition."

In interviews and statements, the GOP certainly has demonstrated a great understanding of American English. Chapman says the group is also very attuned to American culture. Some people have compared these attackers to Dark Seoul -- which went after South Korean private industry, posing as hacktivists, while really digging up national secrets -- but Chapman says the Dark Seoul attackers were less conspicuous than the Sony hackers.

The acts against Sony "seemed personal to me," he says. The threats made yesterday were probably just another way for the attackers to cause Sony -- and law enforcement -- strife. "Some people just wanted to watch the whole thing burn. Someone's really enjoying this."

Rob Sadowski, director of technology solutions for RSA, says that a scenario of hacktivists proceeding to acts of physical terrorism is "certainly inconsistent" with the norm. However, he won't rule out the possibility.

Different types of cybercrime actors are motivated by different things, Sadowski says. For example, those looking for financial gain and those gathering international intelligence generally keep quiet about it, while hacktivists trying to draw attention to something will be quite vocal. "What's tricky is that we're seeing blurring of those motivations and of those lines."

Nevertheless, he says, it's unusual to see attackers execute a big cyberattack and then add on a physical attack for good measure. Usually, it's the other way around -- the cyberattack will be to support or augment the primary attack.

Bill Barry and Terrence Gareau of Nexusguard are also skeptical of the notion that the hackers really meant the threats made Tuesday, but they won't rule it out entirely.

"Yesterday's rock through the window is today's DDoS," says Barry, Nexusguard's executive vice president, describing what drives hacktivists. However, the people with the motive and the people with the skills to carry out an attack are not necessarily the same.

"We still don't know who these guys are," says Gareau, Nexusguard's chief scientist, so this would be a very unusual case, but we can't know for sure. Maybe the intention was never to conduct physical attacks. Maybe the threats were made simply to cost money -- which they certainly will.

Though the folks who conduct cyberattacks are not usually the same folks who set off bombs, if cybercrime groups can have marketing departments (and some do), then there's no reason they can't have a bomb department or another "department of havoc," Barry and Gareau say.

Was an insider involved?
In January, Sony Pictures laid off an undisclosed number of employees in its technology unit. Considering the nature of the attack -- destroyed machines, public disclosure of terabytes of company data, declarations denouncing Sony's social responsibility, a general glee about the entire thing -- and the extent of the knowledge the attackers had about the company's IT infrastructure, could one of the attackers be a disgruntled, laid-off Sony IT staffer?

Chapman thinks an ex-employee, but not a current one, was probably involved. "I have a feeling if they were still employed by [Sony], the FBI would have them in custody by now."

Whether or not an insider was involved, Sadowski, Barry, and Gareau say that, though the attack was exceptionally well planned, it could certainly have been carried out without any insider help.

Sadowski says the attackers "clearly gained a foothold in the organization that was equivalent to an insider's," but it could have been obtained through the standard phishing, compromise, and privilege escalation.

Chapman says he might begin a hunt for the attackers by searching for someone who bought a great deal of cloud storage, considering the huge amount of information that was stolen from Sony. "Where do you put 100 TB of data?"

About the Author

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

