This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html

The article has changed 6 times.

Version 2: U.S. Links North Korea to Sony Hacking
Version 3 (about 1 hour later): U.S. Said to Find North Korea Ordered Cyberattack on Sony
WASHINGTON — American officials have concluded that North Korea ordered the attacks on Sony Pictures’s computers, a determination reached as the studio decided Wednesday to cancel the release of a comedy movie about the assassination of Kim Jong-un that is believed to have led to the hacking. WASHINGTON — American officials have concluded that North Korea ordered the attacks on Sony Pictures’s computers, a determination reached as the studio decided Wednesday to cancel the release of a movie comedy about the assassination of Kim Jong-un and that is believed to have led to the hacking.
Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign. Sony’s decision to cancel release of “The Interview” amounted to a capitulation to the threats sent out by hackers this week that they would launch attacks, perhaps on theaters themselves, if the movie was released. Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was debating whether to publicly accuse North Korea of what amounts to a cyberterrorism attack. Sony capitulated after the hackers threatened additional attacks, perhaps on theaters themselves, if the movie, “The Interview,” was released.
Officials said it was not clear how the White House would decide to respond to North Korea. Some within the Obama administration argue that the government of Mr. Kim must be directly confronted, but that raises the question of what consequences the administration would threaten or how much of its evidence it could make public without revealing details of how the United States was able to penetrate North Korean computer networks to trace the source of the hacking. Officials said it was not clear how the White House would respond. Some within the Obama administration argue that Mr. Kim’s government must be confronted directly. But that raises questions of the threats that the administration would issue, or how much evidence to make public without revealing details of how it was able to penetrate North Korean computer networks to trace the hacking.
Others argue that a direct confrontation with the North over the threats to Sony and moviegoers might result in escalation, and give North Korea the kind of confrontation it often covets. Japan, for which Sony is an iconic corporate name, has argued that a public accusation could interfere with delicate diplomatic negotiations underway for the return of Japanese nationals kidnapped years ago. Other administration officials said a direct confrontation with the North would provide North Korea the kind of confrontation it covets. Japan, where Sony is an iconic corporate name, has argued that a public accusation could interfere with delicate diplomatic negotiations for the return of Japanese citizens kidnapped years ago.
The sudden urgency inside the administration over the Sony issue came after a new threat was delivered this week to desktop computers at Sony’s offices that if “The Interview” was released on Dec. 25, “the world will be full of fear.” It continued: “Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.” The administration’s sudden urgency came after a new threat delivered this week to desktop computers at Sony’s offices warned that if “The Interview” was released on Dec. 25, “the world will be full of fear.”
Sony dropped its plan to release the film after the four largest theater chains in the United States — Regal Entertainment, AMC Theaters, Cinemark and Carmike Cinemas — and several smaller chains said they would not show the film. The cancellations virtually killed “The Interview” as a theatrical enterprise, at least in the near term, one of the first known instances of a threat from another nation pre-empting the release of a movie. “Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”
While intelligence officials have concluded that the cyberattack on Sony was both state sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with an intimate knowledge of the company’s computer systems. The four largest theater chains in the United States — Regal Entertainment, AMC Entertainment, Cinemark and Carmike Cinemas — and several smaller chains said they would not show the film as a result of the threat. The cancellations virtually killed “The Interview” as a theatrical enterprise, at least in the near term, one of the first known instances of a threat from another nation pre-empting the release of a movie. Sony then dropped its plan to release the film, which stars James Franco and Seth Rogen.
“This is of a different nature than past attacks,” one senior official said. A cyberattack that began by wiping out data on corporate computers — something that had previously been seen in attacks in South Korea and Saudi Arabia, but not the United States — has turned “into a threat to the safety of Americans” if the movie was shown. However, the official, echoing a statement from the Department of Homeland Security, said there was “no specific, credible threat information” that would suggest that any attack was imminent. While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with an intimate knowledge of the company’s computer systems, senior administration officials said.
It is not clear how the United States came to its determination that the North Korean regime played a central role in the Sony attacks. North Korea has been a notoriously hard target for computer penetration. But four years ago the National Security Agency launched a major effort to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country. “This is of a different nature than past attacks,” one official said.
But it is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “This was of a sophistication that a year ago we would have said was beyond the North’s capabilities.” An attack that began by wiping out data on corporate computers — something that had been previously seen in South Korea and Saudi Arabia — had turned “into a threat to the safety of Americans.” But the official, echoing a statement from the Department of Homeland Security, said there was no specific information that any attack was imminent.
It is rare for the United States to publicly accuse countries suspected of involvement in cyberintrusions or attacks. The administration never publicly said who attacked White House and State Department computers over the past two months, or JPMorgan Chase’s systems last summer. Russia is suspected in the first two cases, but there is conflicting evidence on JPMorgan. It is not clear how the United States determined that Mr. Kim’s regime played a central role in the Sony attacks. North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency launched a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.
But in this case, there is a long forensic trail. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago widely attributable to Iran and another last year in South Korea, aimed at banks and media companies. It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “This was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”
The attacks at Sony were routed from command and control centers across the world, including a convention center in Singapore and a computer at Thammasat University in Thailand. But one of those command and control servers, a computer in Bolivia, had been used before, in a limited set of cyberattacks on South Korean targets two years ago. That suggests, but does not prove, that the same group or individuals may have been behind both attacks. It is rare for the United States to publicly accuse countries suspected of involvement in cyberintrusions. The administration never publicly said who has attacked White House and State Department computers over the past two months, or JPMorgan Chase’s systems last summer. Russia is suspected in the first two cases, but there is conflicting evidence in the Morgan case.
The Sony malware also shared remarkable similarities with the malware used in the destructive attacks on South Korean banks and broadcasters last year. Those attacks, which also destroyed data belonging to their victims, are believed to be the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat. But there is a long forensic trail involving the Sony hacking. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago widely attributed to Iran and another last year in South Korea aimed at banks and media companies.
The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, where hackers wiped out data off 30,000 Aramco computers, replacing it with an image of a burning American flag. The Sony attacks were routed from command-and-control centers across the world, including a convention center in Singapore and Thammasat University in Thailand. But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggests that the same group or individuals may have been behind the Sony attack.
Security experts were never able to track down the hackers behind the attacks at Saudi Aramco, though United States officials have long said they believe the attacks emanated from Iran, using tools that are now on the black market. The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat.
In each attack, experts were never able to confirm the initial entry point. At Sony, forensics investigators are looking into the possibility that the attackers may have had some inside help. Embedded in the malicious code were the names of Sony servers and administrative credentials that allowed the malware to spread across Sony’s network. The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.
“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a security researcher at AlienVault. Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.
At Sony, investigators are looking into the possibility that the attackers had inside help. Embedded in the malicious code were the names of Sony servers and administrative credentials that allowed the malware to spread across Sony’s network.
“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a security researcher at AlienVault, a cybersecurity consulting firm.
What is remarkable in this case is that after three weeks of pressure, the attack forced one of Hollywood’s largest studios, and Japan’s most famous companies, to surrender.
Many attacks have been aimed at stealing credit card data, like the intrusions on the Home Depot and Target networks — and others at disrupting ATMs. An American and Israeli attack known as “Olympic Games” and targeting Iran’s nuclear program was a rare attack on infrastructure.
Sony has tried to put the best face on the situation, saying it understood that movie theaters had to be worried about the safety of their customers.
There are worries that other countries — or hacking groups — will try similar tactics over movies, books or television broadcasts that they find offensive.
The cost of the assault was small: The attackers used readily available commercial tools to steal data and then to wipe it off Sony’s machines. Representative Mike Rogers, the Michigan Republican who is chairman of the House Intelligence Committee, said the hackers “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.
The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.” Only last week, Joseph Demarest, assistant director of the F.B.I.’s cyberdivision, said there was “no attribution to North Korea at this point.”
That assessment has changed, senior intelligence officials say. But that leaves open the question of what to do about the Sony attack. The North is already under some of the heaviest economic sanctions ever applied, leaving little room for Washington to punish it further. A similar American attack would require a presidential order, and Mr. Obama has been hesitant to use the country’s cyberarsenal for fear of provoking retaliation.