Image Credit: Douglas Okasaki/©Gulf News

Any good consultant can produce a report giving the answer the client prefers, and Kevin Mandia, the man hired by Sony’s film studio to investigate its embarrassing hacking attack, did so. Michael Lynton, Sony Pictures’ chief executive, emailed his staff Mandia’s assessment that it was “an unparalleled and well-planned crime” involving “undetectable” malware.

Mandia, founder of the security firm Mandiant, was a bit economical with the truth in calling the hack “unprecedented”. It has several precedents, including an attack on the Sony PlayStation network three years ago by a group called Lulz Security. The studio assailants used similar techniques to the Dark Seoul group that attacked South Korean companies last year.

Sony does not want to gain a reputation as a soft touch for malware, but it is starting to look like one. Mandiant found in 2012 that 38 per cent of the targets of “advanced persistent threat” — sustained assaults on companies with valuable intellectual property — suffered a repeat. Like burglars, hackers return to the scene of the crime.

The true innovation is how entertaining this attack is for those not involved. The original “hacktivists” of the 1990s — groups such as Electronic Disturbance Theater and Cult of the Dead Cow, which were precursors to Anonymous — tried to humiliate corporate targets. None managed that as amusingly as the self-styled Guardians of Peace, who dug out emails between Sony executives.

“We will end up being the laughing stock of our industry and we will deserve it,” wrote Scott Rudin, a film producer, in one email to Amy Pascal, co-chairman of Sony Pictures. The topic was the actress Angelina Jolie, whom Rudin described as “a minimally talented spoiled brat” and “a camp event and a celebrity and that’s all”.

In other emails, Sony executives complained that film-makers “bleed us dry with their outlandish requests for private jets” and that “we continue to be saddled with the mundane, formulaic Adam Sandler films”. One said of its technologists that the layer of managers below the chief information officer “don’t even seem to get along” — even before the hackers struck.

This feels more like a caper unleashed by The Joker in Batman than a serious felony, but the implications are very serious, not only for Sony but for other companies. Sony Pictures was an unlikely target — it is not a defence contractor, a bank, or a pharmaceutical company. Yet it has not only been ripped apart but also subjected to a sophisticated technological assault.

In one sense, it is not a revelation that Hollywood executives are egotistical and scathing about rivals behind their backs while lauding them in public at the Academy Awards. Tantrums go with the business and hackers might struggle to find such juicy material at, say, a transport logistics company.

But it would be excruciating for any company to have laid bare exactly what each executive earns, as well as details of contract negotiations, its views of suppliers, and tensions among individuals and departments — all the grist for internal gossip. If Lynton and Pascal come through this scandal, they will be dealing with the repercussions for a long time.

The attack combined revelations with a “wiper” hack, deleting documents and wrecking computers. Wiper attacks on companies are unusual: most corporate hacks involve the stealing (or “exfiltration”) of credit card details or intellectual property. Personal data from 110 million customers of the US retailer Target were hacked a year ago.

Wipers are common in state-sponsored sabotage such as Stuxnet (the worm that struck Iran’s nuclear programme in 2010) and Shamoon (the Wiper, a virus that crippled 30,000 computers at Saudi Aramco, the Saudi Arabian oil and gas company, two years ago). Some analysts think that Shamoon was Iranian-backed revenge for Stuxnet, which was attributed to US and Israeli intelligence agencies.

It is overkill to unleash such weapons on a film studio, but the Destover bug that hit Sony was a wiper and bore traces of Korean language packs, like the Dark Seoul attack in South Korea. That is one reason why North Korea, which has protested angrily about The Interview, a new Sony comedy portraying the assassination of the country’s dictator Kim Jong Un, is suspected of involvement, which it denies.

Banks, defence suppliers and retailers that hold sensitive data know they have to invest heavily in keeping hackers out. But what about another company that happens to offend a touchy nation or a hacker collective, and then finds itself being shamed while terabytes of its data are destroyed? Many others could become casual targets in the same way that Sony has.

“It could definitely be a blueprint for other attacks,” says Roel Schouwenberg, principal researcher for Kaspersky Lab, an internet security group. “The operation was executed really quite well to gain deep access to Sony’s network and create the maximum damage, both on the technology side and from a public relations point of view. We are looking at the future.”

If so, the future is a dystopian comedy combining national rivalry, hacker ideology, performance art, ritual humiliation and data combustion, culminating in complete corporate chaos. The Joker would be proud.

— Financial Times