
North Korea had role in Sony hacking, US says

The Sony malware shared remarkable similarities with the malware used in the destructive attacks on South Korean banks and broadcasters last year. (Photo: Eugene Hoshiko/AP)

WASHINGTON — U.S. intelligence officials have concluded that the North Korean government was “centrally involved” in the recent attacks on Sony Pictures’ computers, a determination reached just as Sony on Wednesday canceled its release of the comedy “The Interview,” which is based on a plot to assassinate Kim Jong Un, the North Korean leader.

Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign. Sony’s decision to cancel release of “The Interview” amounted to a capitulation to the threats sent out by hackers this week that they would launch attacks, perhaps on theaters themselves, if the movie was released.


Officials said it was not clear how the White House would respond to North Korea. Some within the Obama administration argue that the government of Kim must be directly confronted, but that raises the question of what consequences the administration would threaten — or how much of its evidence it could make public without revealing details of how the U.S. was able to penetrate North Korean computer networks to trace the source of the hacking.

Others argue that a direct confrontation with the North over the threats to Sony and moviegoers might result in escalation and give North Korea the kind of confrontation it often covets. Japan, for which Sony is an iconic corporate name, has argued that a public accusation could interfere with delicate diplomatic negotiations underway for the return of Japanese nationals kidnapped years ago.


The sudden urgency inside the administration over the Sony issue came after a new threat was delivered this week to desktop computers at Sony’s offices that if “The Interview” was released on Dec. 25, “the world will be full of fear.” It continued: “Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”


Sony dropped its plan to release the film after the four largest U.S. theater chains — Regal Entertainment, AMC Theatres, Cinemark and Carmike Cinemas — and several smaller chains said they would not show the film. The cancellations virtually killed “The Interview” as a theatrical enterprise, at least in the near term, one of the first known instances of a threat from another nation pre-empting the release of a movie.

While intelligence officials have concluded that the cyberattack on Sony was both state-sponsored and far more destructive than any seen before on U.S. soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with an intimate knowledge of the company’s computer systems.

“This is of a different nature than past attacks,” one senior official said. A cyberattack that began by wiping out data on corporate computers — something that had previously been seen in attacks in South Korea and Saudi Arabia but not in the U.S. — has turned “into a threat to the safety of Americans” if the movie was shown.

However, both the official and the Department of Homeland Security, the latter in a statement, said, “There is no specific, credible threat information that would suggest that any attack was imminent.”

It is not clear how the U.S. came to its determination that the North Korean regime played a central role in the Sony attacks. North Korea has been a notoriously hard target for computer penetration. But four years ago the National Security Agency launched a major effort to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.


But it is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “This was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

It is rare for the United States to publicly accuse countries suspected of involvement in cyberintrusions or attacks. The administration never publicly said who attacked White House and State Department computers over the past two months, or JPMorgan Chase’s systems last summer. Russia is suspected in the first two cases, but there is conflicting evidence on JPMorgan.

But in this case, there is a long forensic trail. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea, aimed at banks and media companies.

The attacks at Sony were routed from command and control centers across the world, including a convention center in Singapore and a computer at Thammasat University in Thailand. But one of those command and control servers, a computer in Bolivia, had been used before, in a limited set of cyberattacks on South Korean targets two years ago. That suggests, but does not prove, that the same group or individuals may have been behind both attacks.


The Sony malware shared remarkable similarities with the malware used in the destructive attacks on South Korean banks and broadcasters last year. Those attacks, which also destroyed data belonging to their victims, are believed to be the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, where hackers wiped data off 30,000 Aramco computers, replacing it with an image of a burning U.S. flag.

Security experts were never able to track down the hackers behind the attacks at Saudi Aramco, although U.S. officials have long said they believe the attacks emanated from Iran, using tools that are now on the black market.

In each attack, experts were never able to confirm the initial entry point. At Sony, forensics investigators are looking into the possibility that the attackers may have had inside help. Embedded in the malicious code were the names of Sony servers and administrative credentials that allowed the malware to spread across Sony’s network.


“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a security researcher at AlienVault.
