Cyberwar (2016) s01e02 Episode Script

The Sony Hack

1 Ben: It was one of the most devastating attacks In corporate history.
Voice: This is voice of korea.
We've never seen an attack like this before.
Ben: It forced a major hollywood studio To shut its networks down.
Security hands you a memo, And it says there was a system disruption.
The us government was quick to blame north korea.
And we can confirm that north korea engaged in this attack.
But hackers and computer experts questioned the narrative.
It's not even a warm gun.
It's barely a gun.
Was it really north korea, or was it someone else? It all started on November 21st, 2014, When sony executives got an extortion email From an unknown group, the so-called god'sapstls.
Sony reported it to the fbi.
But three days later, all hell broke loose When a group calling themselves the guardians of peace Appeared on sony computers.
Sony pictures co-chairs amy pascal and michael lynton Scrambled to contain the damage, but it was too late.
Over the next three weeks, a mountain of data Including movies, salaries, and private corporate information Was dumped onto the internet.
But what really captured everyone's imagination Were the private emails of sony top dogs.
Everybody is suddenly reading amy pascal's Personal emails and professional emails, Which were also in many instances very embarrassing.
As the editor-at-large of the hollywood reporter, Kim masters remembers the cringe across tinseltown.
There was a sense of instant fear throughout hollywood Because everybody knew, first of all, That they were probably vulnerable.
I think simultaneously a lot of executives In the industry thought, "yeah, but I don't know If I put some of this stuff in an email.
" Producer scott rudin called out angelina jolie For being a spoiled brat.
Sony exec clint culpepper bad-mouthed kevin hart.
Worst of all, pascal and rudin gossiped about what flicks The first black president of the United States might be into.
It was so extreme and so emotional, And sometimes in some cases so inappropriate.
But the breach went beyond salacious emails.
Sony employees watched helplessly As their social security numbers, medical records And more were released online for everyone to see.
I met someone who was on sony's lot The day the attack went down.
She was a senior coordinator for the studio's digital tv Department, and eventually quit because of the hack.
Celina was the only sony employee I spoke to Who was willing to go on camera.
When did you find out your personal information Was actualy leaked though? We got a memo saying that unfortunately A cyber hack attack happened, and they got everybody's Information, and but they didn't specify who.
They just basically anybody that ever worked For sony at anytime in their lifetime possibly Had a chance of their stuff being hacked.
So if you could just break down specifically how You went about finding your name and finding out that You were, you know, personally affected by it.
I literally went to google and searched "sony hack 2014", And then I saw just like a tree directory, Like old school style dos, And you saw just different file names.
And they named the files like "celina's offer letter", And they were named specifically what that document was.
So it wasn't hard to find out your information Was put out there.
What were some of the things that were going down? Like, 'cause obviously you can't use computers.
That's everything.
Did everything just revert to like the stone age? Like what happened? We started saying we're working "analog".
You literally had to write stuff out.
But yeah, there was a lot of drinking and partying And eating, 'cause that's all you could do.
And I mean, sony already paid for their christmas party, So we had it, and it was huge, and it was awesome.
And then michael lynton and amy pascal stood up And gave a speech, and then amy pascal kinda Challenged the hackers.
Challenged the hackers? How? In her speech, she was like oh, this wasn't gonna get us down.
Like, "we're gonna beat you guys," and all that stuff.
Pascal's defiance didn't save her, And she was eventually forced to resign.
But from early on, the real question everyone asked Was why would hackers target sony pictures? The media had an answer You want us to kill the leader of north korea? Yes.
A movie starring seth rogan and james franco with a plot Ng on assassinating the life leader of north korea.
President kim jong-un! The interview was, you know, just a raunchy stoner comedy.
I don't think anybody would argue it was high art Or oscar material.
With the interview set for a christmas release, A rambling message posted online threatened Terrorist attacks on the movie's premiere In any theatres daring to screen the film.
Sony pictures pulled the movie.
We had no alternative but to not proceed With the theatrical release on the 25th of December.
And then, out of nowhere, president obama named the perp.
The fbi announced today that And we can confirm that North korea engaged in this attack.
It was the first time a president has blamed A nation state for a major cyber attack on american soil.
The us retaliated with sanctions.
The white house didn't discuss the evidence, But the fbi came forward with some details.
Brett leatherman is an agent in the fbi's cyber division.
Based on what's publically known, The hack seems to have gone down in four phases.
First: Spear phishing, which the fbi said Was likely how the hackers got into sony.
Somebody within a company or organization would receive An email that looks like it's a legitimate email That might contain an attachment or a link to a website.
Once you click on that link, It would take you then to a website, Or it would launch malware on your computer that would allow Somebody to then compromise your system.
Next, the hackers gained broader access So they're looking for a user with escalated privileges, And it could be an admin, or it could be a ceo or cfo Who needs access to your network in an administrative capacity.
So admin credentials are key In going laterally through a network.
With their almost god-like access to sony, The hackers moved to phase 3: Data theft.
It probably took them months to steal everything Y eventually released online.
And then came the grand finale: Data destruction.
The unique thing about the sony attack Was the destructive nature of the malware.
The hackers launched malware, or malicious software, That destroyed sony computers from within, Wiping data off its systems.
But that still doesn't explain how the government Attributed the attack to north korea.
Stole sensitive data, then smashed whatever they could On the way out.
But to this day, one question remains: How was the us government so sure it was north korea? So I can't comment on ongoing fbi investigations.
So why is the investigation ongoing? A cyber investigation is a long-term effort To just not only attribute If there's a particular country involved, not just attribute Who that country might be, but also to attribute Threat actors behind the actual compromise.
Because there's other groups that are involved In these kind of attacks.
So there are other groups who kinda jump on the bandwagon For their own benefit.
And that was the case with sony.
Possibly.
That may have been the case with sony, But in general I think we frequently see that Beyond the fbi, the national security agency, One of america's spy powers, was reported to have evidence It was north korea.
But the nsa won't confirm or deny anything.
Well actually, I think the government was more forthcoming In the sony hack than is usually the case.
You know, historically the government wouldn't really Attribute it at all to a nation state.
Michael chertoff was the secretary of homeland security Under president george w.
Bush.
He and former nsa and cia director michael hayden Now run a private consulting firm.
And then you have the government pretty clearly saying North korea was responsible for the sony hack.
And I think that was a decision that the risk of revealing A little bit about sources and methods was outweighed By the importance of saying to the bad actors, "we know it's you, and there's a limit To our willingness to tolerate this.
" So in your expert opinion, Do you think that was a good decision? I think if you look at actually the way north korea operates, There is a small group of privileged individuals, Which include people who are have technical skills that are Useful to the regime, that are well resourced, And are quite capable.
I mean, they may not be the a team, but they're the b team, And the b team can do a lot of damage.
I had an idea who chertoff's b team could be: A north korean military agency known as bureau 121.
But north korea can barely keep the lights on, So could they really have an elite hacking unit? - Martyn.
- Hi.
- How're you doing? - I'm good, how are you? Good.
Sounds like you're calling You're trying to access some aliens or something.
- Almost, north korea.
- Almost.
Martyn williams is a reporter who's been to north korea, And has written extensively on their tech capabilities.
What do we know about bureau 121, the actual Hacking collective of the cyber warriors of kim jong-un? Like what do we know about them? Because nobody seems to know anything, Like who they are, what they do.
I mean, welcome to the world of looking at north korea.
Nobody knows anything about anything in the country.
Very little information gets out, Except what you can hear on the radio.
There are snippets that come out through defectors.
It seems that what they're doing is taking the The kids that are really good at science And really good at mathematics from the From high school, putting them into good universities, And then after universities, training them.
Some of that training apparently takes place in pyongyang.
A lot of it we see taking place overseas.
We've heard that hacking and hackers Are obviously a new focus.
Why do you think that is? It's much cheaper.
A room full of hackers is way cheaper than a jet aircraft, Or keeping tanks in operation, or submarines, So if they can start being a power on the internet, then It's a cheap way of projecting their power across the world.
I wondered what bureau 121, The hermit kingdom's military hacking unit, is really like.
With the help of an rpreter, I made contact with Defector who claims he was north korean army lieutenant.
Jang se yul defected to south korea almost a decade ago, But still keeps tabs on old friends.
You were working with and you were training with hackers? Do you know anyone in bureau 121, And are you in contact with them? What's the worst thing that north korea could do To the us in the cyber realm? Mr.
Jang said the sony hack might be a sign North korea is preparing for war.
But as I dug into the case, I discovered that Many highly regarded hackers and security experts Doubt north korea was behind the attack at all.
Ben: Just weeks after sony pictures was hacked, The fbi released vague evidence pointing to north korea.
Hackers and computer experts st immediately poked holes In the fbi's case.
Do I think the north koreans started it? One of the most vocal doubters is marc rogers, a malware expert And self-described former black hat hacker.
First of all, the agenda changed substantially At several points throughout the hack.
That kind of implies multiple different actors to me.
They started out trying to extort money.
I can't see any reason why north korean hackers Then they had kind of a ramble about unemployment And job losses in sony.
I don't see how that benefits the north korean regime.
I think they were attacked by an opportunist, And then I think that evolved.
You ended up with other groups piling in and exploiting it.
And then as the media started to suggest maybe a potential link Between this hack and the interview, I think the hackers latched onto that.
And they ran with it because it was both A convenient cover for them, and, well, you know, A lot of hackers like to do things for the amusement.
"for the lulz," as they say.
That's probably what brought north korea in, And it was much later on I think that north korea Actually was involved, if they were at all.
Marc was right, his theoy t what the fbi had hinted.
Sony might have been the victim of a hacking party.
But who could've been involved? In 2011, the notorious acktivist collective anonymous Attacked sony websites.
They said they were defending george hotz, Aka geohot, the first guy to jailbreak an iphone When he was just 17.
This is the world's first unlocked iphone.
Ben: George.
A few years later, he jailbroke a playstation 3.
That didn't sit well with sony.
Yo, it's geohot! And for those that don't know, I'm getting sued by sony! Hi, sony! How are you doing? I haven't seen you in a while.
Uh, you know, suing me was kinda Kinda dick, But it all worked out in the end, so yeah.
That's what I think of sony.
The main reason that I got into the iphone and playstation: It was a cool puzzle.
These companies are spending millions of dollars To build really cool puzzles for me, and it's real! This isn't some puzzle Constructed by somebody to solve.
This is a puzzle constructed by somebody to not solve, And that's why it was so alluring.
That's why it still is.
A lot of hackers angry, including anonymous.
Voice: We do not forget.
Ben: They launched a denial-of-service attack, Sending so much traffic to sony's websites they crashed.
Ben: And then someone hacked into the playstation network Itself, gaining access to the credit card information Of 77 million users.
Sony was forced to apologize, But no one has ever been formally accused of the breach.
It wasn't even about the breach, right? Companies get breached all the time.
It was really about how sony responded to it.
Sony responded by taking the playstation network offline, And it was down for a month.
So now you have 77 million people Who were trying to play call of duty, And being like, "what's going on here, man?" right? So do I think that the lawsuit And what happened with me made them a target? Do I think that what happened in the fallout with anonymous And them taking the network offline for Maybe, you know.
That's more plausible.
The playstation saga isn't the only event That might've pissed hackers off.
In 2005, security experts found suspicious software On cds produced by sony bmg, the company's music division.
I went to see dan kaminsky, a legend among hackers.
He's famous for finding and helping fix a major flaw In the internet's backbone.
He also played a pivotal role in uncovering the bmg fiasco.
So if you took that disk that was just supposed to be music, It would install a little program on your computer, And that program did two things.
First, it made it so your computer could no longer Copy music, and second it hid, 'cause it was pretty sure That this was not what the user wanted.
And so once it was in, it sure didn't want the user To hit the uninstall button.
And somebody figured out, "hey, wait a second, what is this software on this, What's supposed to be an audio cd?" They looked at it, and like this is malware! What is sony doing putting out custom malware on cds? So what I did was a trick called dns cache snooping.
I do this scan, and like A half million networks had seen this thing.
And so I took that information, Got flown out to sony bmg headquarters, and I'm like, "hey guys, so here's what you did, And here's it all over the world.
" Is it that kind of behaviour though That has made them a target? It certainly didn't make them any friends.
Given sony's history as a major hacking target, Did north korea really attack sony pictures? Or was it just a freelance hacker? Ben: Some of the smartest hackers in america Were telling me they didn't believe north korea Attacked sony, and that lot of people might've hd The motive to do it.
But kurt baumgartner thinks north korea really is to blame.
Kurt analyzes malicious code and comes up with defensive Solutions for one of the world's biggest security companies.
He showed me how the sony hack bears a striking resemblance To darkseoul, a 2013 cyber attack on south korean banks Which was widely blamed on north korea.
So what we've got here are two different html pages That are basically threats from the attackers.
So on one side, this is the 2013 darkseoul attack, And the audio from their video.
And then over here, we have basically the sony hack.
Right, really sophisticated.
It does seem like the graphic arts team of a hermit nation.
It's pretty low Pretty low tech.
There were other similarities Between darkseoul and the sony hack.
The word "security" is actually misspelled in the exact same way In the code used in both attacks.
In this case, it was pretty clear to us That the same shared code base has been used in both events.
And both the sony and darkseoul attacks were wiper events; They wiped or destroyed data from their victim's systems.
These types of attacks are extremely rare.
They just don't happen.
There might be five major wiper attacks in But the skeptics say the similarities kurt showed me Don't actually add up.
When we talk about the similarities here, darkseoul, That was attributed to a group of south korean hackers Which they called the darkseoul gang, And was never formally linked to north korea.
The reality is it boils down to just a few fragments of code In each of the pieces of malware.
It's not nothing that the software is related.
It's just not wildly compelling.
It's not a smoking gun.
It's not even a warm gun.
It's not it's barely a gun.
A tube-shaped object! Malware has a history of being shared.
And once that code gets out there, You will end up with multiple variants That all have the same parentage.
They all look very similar, But they're being run by different people.
The malware's code did contain ip addresses, Which indicate a computer's location.
The fbi says they were linked to north korea, But that's not conclusive either.
Could you fake your ip being in north korea? Break into a machine in north korea.
Break into a machine in russia Breaking into a machine in north korea.
Breaking into russia breaking into north korea.
These are all things you totally can do! Bouncing around the world happens in milliseconds.
And so people ask, "is it north korea that did this?" This is a thing that four people could do.
Four out of 7 billion.
This isn't an attack that requires nation state intent.
It's an attack that requires a couple of guys being bored.
My sources were telling me that the attack on sony pictures So maybe the company hould've had better security.
Ultimately it doesn't matter whether the hackers came from North korea or north dakota.
What matters is that sony could see this attack coming, Tthew preusch is an attorney o represented sony employees In a class action lawsuit against the studio.
Sony just didn't do what a reasonable company should've Done to protect the private information on its system.
It should've been stored in a way that was encrypted, And that was segregated from other information So it was much, much harder for the hackers to find.
Sony pictures declined to comment on these allegations, And settled the lawsuit out of court.
But it's undeniable that employees' private And exploitable data will live online forever.
Have you ever received an apology from sony? That you weren't protecting yourself already to begin with.
So I mean, I didn't do anything wrong but show up to do my job, Thinking this corporation knew exactly what they were doing.
And then finding out that they don't is really I mean, it sucks that we're collateral damage, but I mean, that's how war is, and so this is basically what it is.
It's like a nerd war now.
The sony hack claimed the job of an executive, And a stoner flick lost its christmas release.
But the real victims are sony's employees.
Whether it was north koreans or bored hackers, All the competing theories about who did it prove one thing: Definitively attributing a cyber attack Can be almost impossible.
And in a world where it's not only easy to hack a corporation But easy to hide, all of us are vulnerable.