The Attack on Sony
The following script is from "The Attack on Sony" which aired on April 12, 2015. Steve Kroft is the correspondent. Graham Messick, producer.
If most people remember anything about the North Korean government's cyberattack against Sony Pictures last November, it's probably that there was a lot of juicy gossip in leaked emails about movie stars, agents, and studio executives. There was also an absurd quality to the whole episode, which was over an ill-advised movie comedy about the assassination of North Korea's leader, which the North Koreans did not find funny. The weirdness of it all has obscured a much more significant point: that an impoverished foreign country had launched a devastating attack against a major company on U.S. soil and that not much can be done about it. In some ways it's another milestone in the cyberwars which are just beginning to heat up, not cool down.
The cyberattack on Sony Pictures entertainment exposed a new reality -- that you don't have to be a superpower to inflict damage on U.S. corporations; a fact that has been duly noted within corporate board rooms and the national security apparatus.
Steve Kroft: What's the significance of the Sony hack in a nutshell?
James Lewis: The significance is that a foreign power has reached out and touched an American target. The fact that the North Korean government felt that it could do something in the United States and get away with it, that's what's significant.
James Lewis, a director at the Center for Strategic and International Studies in Washington, has helped shape U.S. cyber policy for decades...dealing with criminals stealing money, Russians stealing intelligence, and the Chinese stealing the latest technology.
"The fact that the North Korean government felt that it could do something in the United States and get away with it, that's what's significant."
James Lewis: This was different, because it qualified as the use of force. It qualified as an attack. There was disruption. There was destruction of data. There was an intent to hurt the company.
And it succeeded, bringing a major U.S. entertainment company to its knees. Like other corporate victims of cyberattacks -- Sony has released very little information and declined our requests for interviews. We were allowed to film on Sony's 44-acre studio lot and inside this building where technicians were still repairing damaged computers.
We do know that when people fired up their computers on the morning of November 24th they were greeted with this skeletal image now referred to as the "Screen of Death." It announced an undetected cyberattack that actually began weeks earlier when a malicious piece of software began stealing vast amounts of data from the Sony computer network. Now, it had begun the job of wiping Sony's corporate files.
Kevin Mandia: It was the attacker saying I'm gonna delete what you've made. I'm gonna destroy your stuff.
Kevin Mandia is one of the best known cybersleuths in the U.S. and his company, FireEye, was hired by Sony to respond immediately to the crisis. But there was only so much they could do.
Kevin Mandia: For lack of a better analogy, the wiping's the grand finale. That's the infamous, "We ran into the house, we took what we wanted, and then we left the detonation charge behind us." And then that detonation charge goes off, you're not going back to the house anymore.
Steve Kroft: And that's what happened?
Kevin Mandia: That's what happened.
More than 3,000 computers and 800 servers were destroyed by the attackers after they had made off with mountains of business secrets, several unreleased movies, unfinished scripts, and the personal records of 6,000 employees, all of whom were given a taste of living offline.
Sony made the decision to take itself off the grid. All connections to the Internet, all connections to the rest of Sony, and all connections to third parties were shut off, effectively disconnecting an international corporation from the outside world, and plunging itself into a pre-digital age of landline telephones and hand-delivered messages written with pen and paper.
Kevin Mandia: Immediately employees start to remember the things they took for granted. Does the gate let you in the garage? You can't get your e-mail. People's benefits can't be processed appropriately, time cards can't be done. What if payroll's the next day? There are so many things that depend on the Internet that quite frankly most companies don't even know all of them. So they come off the Internet and go, "Oh wow, didn't see that comin'."
To Kevin Mandia, it looked like a military-style operation mounted by a foreign government. And when his company began comparing the Sony computer virus with the 500-million pieces of malware in its archives, it quickly came up with a nearly identical match -- right down to the skull on the calling card. It was a cyberattack two years ago against South Korea's banks and broadcast networks called "Dark Seoul" that wiped out 40,000 computers and caused $700 million in damage.
Kevin Mandia: We had the malware from the attacks that happened in South Korea in 2013. And these things, when put side-by-side, this looks like whoever hacked South Korea in 2013 is hacking Sony. And the attribution in those attacks in 2013 was to North Korea.
Mandia's suspicions about North Korea -- which has a well-established cybercapability and a long history of attacking its neighbor - were soon confirmed by the NSA, the FBI and the White House. And the attackers themselves hinted at it when they contacted Matt Zeitlin of BuzzFeed.com, and at least a half-a-dozen other online reporters, offering them everything they had stolen from Sony.
Steve Kroft: So this is the first email you got?
Matt Zeitlin: Yep. The weekend after Thanksgiving. You know, it says that it has all this data from Sony. And have all these links, so that we could download the information.
What followed from Zeitlin and others was two weeks of damaging, embarrassing stories from the corporate files and private emails of Sony executives, as well as threats and a specific demand from the attackers that Sony not release its comedy about the assassination of North Korean leader Kim Jong-un.
[Actor portraying Kim Jong-un: They hate us because they ain't us!]
Steve Kroft: "Soon all the world will see what an awful movie Sony Pictures Entertainment has made."
Matt Zeitlin: That part may have been true. [laughs]
Kevin Mandia: Sony, scares CEOs. Right? I mean that's the difference. Every CEO is walking around going "How do I feel if my emails out on the Internet? How would I feel if my machines got disrupted?" So all of a sudden every chief information security officer is now talking to their board because every board wants to know, "Hey, is this the new normal?"
And it may well be. Mandia says even big corporations with sophisticated IT departments are no match for the dozens of countries that now have offensive cyberwar capabilities.
Kevin Mandia: All advantage goes to the offense in cyber. It just does. On the defensive side, you have to say I must defend all 100,000 machines, all 50,000 employees. The offense side thinks, "I only need to break into one and I'm on the inside."
Steve Kroft: And any company or any corporation is as strong as its weakest link.
Kevin Mandia: In a way, yes, in security.The nation state threat actors, or hackers, target human weakness, not system weakness.
And there's no shortage of weaknesses. Most company employees are allowed to browse online or visit Facebook on corporate computers and many take them home for personal use. All it takes to contaminate a network is for one person to unwittingly access an infected file that looks realistic...like an Adobe Flash Player update or an email that pretends to be from Apple Support.
Steve Kroft: And then what happens when they click on them?
Kevin Mandia: They compromise their machine. And now that machine, being on the inside of a corporate network, can be used as a beachhead to increase access.
And that's what happened at Sony. Eventually, the North Koreans were able to obtain the passwords and credentials of the company's computer system administrators and build them right into the malware that carried out the attack.
Steve Kroft: With help from anybody?
Kevin Mandia: You know, anything's possible. I simply don't know--
Steve Kroft: How sophisticated was the malware that they used? Was this brand new stuff?
Kevin Mandia: It was sophisticated enough that it works on the vast majority of companies. You know, the FBI's quoted as saying this would work at over 90 percent of the companies that they deal with.
Jon Miller: We're going to see more and more companies hacked. We're going to see deeper levels of destruction.
Steve Kroft: So you're saying we're at the beginning?
Jon Miller: Yeah, it's going to get worse before it gets better.
If you want to talk about state-of-the-art hacking or what's going on in the international cyber arms market, Jon Miller's a good place to start. He turned down a job with the NSA and a government car while he was still in high school, because he says he was already making more money doing private consulting work and honing his skills as a penetration tester.
Steve Kroft: So you're a hacker?
Jon Miller: I was. Now I'm, you know, a computer security professional. But yeah, I mean, for the majority of my career I was an ethical hacker, where I would actually go out and hack companies and then work with them to make sure they didn't get hacked by somebody else.
Since Miller says he's been well-paid to hack into nuclear power plants by utility companies, we wanted to know what he thought about the Sony attack and the malware the North Koreans used to pull it off.
Steve Kroft: If I set you down and gave you a pencil and paper and said, "Write a list of a dozen people that could do this."
Jon Miller: Oh yeah, I mean, there are way more than a dozen people. There are probably three, four, five thousand people that could do that attack today.
Steve Kroft: And not all of them are in friendly countries.
Jon Miller: No, not all of 'em are in friendly countries. And the number is growing rapidly.
Steve Kroft: I mean, it's certainly within the realm of possibility that a terrorist group could go out and put together a team and do some real damage.
Jon Miller: I mean, ISIS hacked CENTCOM's Twitter. The barrier to entry is low.
Miller's previous job was leading a research team for a company that made and sold offensive cyberweapons to the U.S. government. He is currently a vice president of Cylance, a company that makes next generation anti-virus software for banks and Fortune 500 companies. It is currently marketing a product it claims would have detected and stopped the Sony hack while it was in progress.
Steve Kroft: How sophisticated was this attack?
Jon Miller: Not very. When you look at it in contrast to the capabilities that the United States government are deploying, it is nowhere close to being sophisticated.
My favorite analogy is the malware that was used to hack Sony is like a moped, and the malware being deployed by United States intelligence agencies is like an F-22 fighter jet. It's much more sophisticated, it's much harder to detect.
Steve Kroft: And yet still, if this is a moped, there were only a handful of companies in the United States that would have been able to survive this attack.
Jon Miller: And that really is the scary part-- is, it does not take an overly sophisticated attack to compromise these huge global multinational brands.
Miller says there have been other major cyberattacks like the one against Sony but they didn't get as much attention. In 2012, Iran was blamed for an attack against the headquarters of Saudi Arabia's national oil company, Aramco, that destroyed 30,000 computers. Iran has also been accused of a cyberassault against a group of casinos owned by Sheldon Adleson, a vocal enemy of regime in Tehran. And there have been others.
Jon Miller: I've worked with companies before in the oil and gas space that have had control system networks get compromised by malware, and they've lost control of their floating oil platforms.
Steve Kroft: I don't remember reading about that.
Jon Miller: Yeah, yeah. No, you didn't read about it. There was no need to disclose, no customer information got leaked.
Steve Kroft: So these things happen more often than the public knows?
Jon Miller: Absolutely.
There is a lot the public doesn't know about, including an active, international underground market in cyberweapons like the one that was used to take down's Sony's computers. Miller took us to a site on "dark web" where you can buy them.
Jon Miller: This is actually a list of black market exploits that I was contacted from a Russian hacker that he was trying to sell. And his price.
Steve Kroft: What does this one do? Flash player?
Jon Miller: This is a vulnerability in that software that would allow someone to take over control of your computer.
Steve Kroft: $29,000, $39,000.
Jon Miller: Yeah, majority of them are over 30.
That's $30,000 payable in Bitcoin, the virtual currency of choice on the dark web.
Jon Miller: Tor the most part, the Internet is completely unregulated. It's the Wild West, it truly, truly is the Wild West right now. What we're seeing are people getting pulled out onto the street and shot, and it's like, "Where's the sheriff?" There's no sheriff.
James Lewis: When I started doing this stuff, about 20 years ago, there were things that were top secret. You know, only NSA and FBI knew about. And you weren't allowed to even talk about them in public. You can download them now for free, right?
James Lewis of the Center for Strategic and International Studies knows better than most that there are no easy solutions. He says the U.S. can deter catastrophic cyberattacks from China and Russia by responding in kind. But how do you respond to a rogue state like North Korea for an attack against major corporations like Sony?
James Lewis: Turning off the lights in North Korea, no one would notice. It happens all the time, right? Going after a North Korean movie studio, it would probably be a relief for the people there. The only pressure point we really have is going after the leadership, going after the revenue streams coming to the leadership.
And that's what the Obama administration has done...at least publicly. Lewis and others believe that it will take a technological breakthrough in cyberwar defense to solve a problem technology created, but that could take years. Legislation forcing companies to improve cybersecurity has gone nowhere.
James Lewis: Well, there's a reluctance in the Congress to force companies to do anything. The administration shares that reluctance. We were lucky until this year. Hopefully we'll be a little luckier for a bit longer.
Steve Kroft: In the time being, keep your fingers crossed.
James Lewis: I used to say that the U.S. had a faith-based defense when it came to cybersecurity. Because we had faith that the people who didn't like us weren't gonna do anything bad. That's what Sony has changed. Is that we had somebody who doesn't like us step out and say, "How far can I go with the Americans?" And that's where faith isn't enough.
