Sony Pictures Hack: North Korea Destroys a Studio's IT Infrastructure
A nation-state attack attributed to North Korea wiped Sony Pictures' entire IT infrastructure — deleting data from thousands of workstations and servers — in retaliation for the film "The Interview."
Background
Sony Pictures Entertainment produced "The Interview," a comedy depicting the assassination of North Korean leader Kim Jong-un. North Korean government officials publicly demanded the film not be released. On November 24, 2014, Sony employees arrived at work to find their screens displaying a red skull and the message "Hacked by #GOP."
The Attack
The attackers, who called themselves the "Guardians of Peace" (the #GOP of the splash screen) and whom the FBI attributed to the North Korean government (the same actor the security industry tracks as the Lazarus Group), had maintained persistent access to Sony's network for months before the destructive phase. They then deployed "Destover," a custom wiper, across Windows systems simultaneously; it overwrote files and the Master Boot Record (MBR) of each disk, leaving the machines unbootable. Before wiping, they had exfiltrated what they claimed was about 100 terabytes of data, including unreleased films, executive emails, employee Social Security numbers, salary details and medical records, which they released progressively to journalists and file-sharing sites.
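The destructive step above works because the MBR is a single 512-byte sector that any process with raw disk access can overwrite. The following added example (written for this page, not code from Sony, the FBI or the malware authors) shows what an integrity check on that sector looks like: it fingerprints a baseline MBR, decodes the partition table, then simulates a wiper zeroing the first sector of a constructed disk image and reports what changed. The sample disk image, the zero-fill used to stand in for the wiper, and the function names are all assumptions made for the example.

```python
import hashlib
import struct

MBR_SIZE = 512               # the MBR is exactly one disk sector
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510-511 of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four legacy partition entries; skips empty (type 0x00) slots."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the first sector; record this while the host is known-good."""
    return hashlib.sha256(bytes(mbr[:MBR_SIZE])).hexdigest()


def check_mbr(mbr: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if len(mbr) < MBR_SIZE:
        return ["image shorter than one sector"]
    sector = mbr[:MBR_SIZE]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not parse_partition_table(sector):
        findings.append("partition table empty")
    if mbr_fingerprint(sector) != baseline_fingerprint:
        findings.append("MBR hash differs from baseline")
    return findings


def build_sample_disk() -> bytearray:
    """Constructed 4 MiB image with one bootable NTFS-type (0x07) partition (assumed data)."""
    disk = bytearray(4 * 1024 * 1024)
    # Stand-in bootstrap code: a JMP followed by NOP padding, not a real boot loader.
    disk[0:PART_TABLE_OFFSET] = bytes([0xEB, 0x3C, 0x90]) + b"\x90" * (PART_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 6144)
    disk[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    disk[510:512] = BOOT_SIGNATURE
    return disk


def simulate_mbr_overwrite(disk: bytearray, fill: int = 0x00) -> None:
    """Simulate a wiper zeroing the first sector (illustrative only, not Destover's code)."""
    disk[0:MBR_SIZE] = bytes([fill]) * MBR_SIZE


def demo() -> tuple:
    """Baseline a clean image, wipe its MBR, and return (findings_before, findings_after)."""
    disk = build_sample_disk()
    baseline = mbr_fingerprint(disk)
    before = check_mbr(disk, baseline)
    simulate_mbr_overwrite(disk)
    after = check_mbr(disk, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", before or "OK")
    print("after wipe:", after)
```

On a real host the first 512 bytes would be read from the block device (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows, both needing administrative rights), and the baseline hash would be stored somewhere the host cannot alter. Two caveats: a post-hoc check like this only tells you a machine has already been hit, so it belongs in backup verification and fleet health monitoring rather than on the front line, and on GPT-partitioned disks the legacy table holds only a protective entry (type 0xEE), so the partition-table heuristic should be adjusted accordingly. The earlier signal, the one that matters given the months of dwell time, is a process opening a handle to the physical drive with write access.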
Response
Sony shut down its entire network and returned to using paper and personal mobile phones. The company rebuilt its IT infrastructure from scratch, spending an estimated $35 million. Sony released "The Interview" on streaming services and in select cinemas on Christmas Day despite threats.
Outcome
The attack was the most destructive cyber attack against a US corporation up to that point. Five Sony films were leaked online. Executive emails exposed embarrassing private communications. On December 19, 2014, the FBI formally blamed North Korea, one of the first occasions on which the US government publicly attributed a cyber attack to a nation-state.
Key Takeaways
- Destructive wiper malware can halt business operations outright: backups must be offline, isolated from the production domain, and regularly tested for restore
- Nation-state actors will use cyber attacks for geopolitical coercion
- Months of dwell time before the destructive phase means detection has to happen during the reconnaissance and exfiltration stages, long before the attack becomes visible
- Exfiltrated data can be weaponised for public embarrassment and coercion, not just financial gain