CRITICAL · OpSec · Curated

OPSEC-SONY-PICTURES-2014

Entertainment · Sony Pictures Entertainment

Summary

In November 2014 a group calling itself the Guardians of Peace tore through Sony Pictures Entertainment, and the FBI attributed the attack to North Korea, tied to the studio's comedy The Interview. The attackers had deep, prolonged access: they stole terabytes of data and then ran wiper malware that bricked thousands of computers and servers, forcing Sony off its own network for weeks and back to pen and paper. The leaks were brutal and public, including unreleased films, employee Social Security numbers and salaries, and embarrassing executive emails. Access reportedly began with stolen credentials and a flat internal network that let the intruders roam and stage destruction. It is the case that proved a breach can be about humiliation and coercion, not just theft, and a lesson in segmentation, least privilege, detection, and resilient backups against a destructive, state-backed adversary.

How it happened

On the morning of 24 November 2014, Sony Pictures employees turned on their computers to find a red skeleton and a message from the "Guardians of Peace." By then the attackers had already been inside for months. They had quietly stolen a vast trove of data (the attackers boasted of 100 terabytes, though credible technical estimates put the real figure closer to 11), then triggered a wiper called Destover. It installed a commercial disk driver (EldoS RawDisk) to bypass Windows file permissions and overwrote the master boot records of thousands of computers and servers, rendering them unbootable. The same technique had been seen in the 2012 Shamoon attack on Saudi Aramco and the 2013 DarkSeoul attacks, and it was one of the clues tying the operation to North Korea. Sony's network went dark, and the company ran on whiteboards, paper, and old fax machines for weeks.

Initial access has never been fully detailed publicly, but it is understood to have come from stolen credentials, after which a flat internal network and powerful administrator accounts let the intruders move freely, map the environment, exfiltrate at leisure, and stage the destruction. This was not a smash-and-grab; it was a patient, well-resourced operation, the signature of an APT.

The motive was a film. The Interview, a Seth Rogen comedy depicting the assassination of North Korean leader Kim Jong-un, had enraged Pyongyang. The Guardians of Peace demanded Sony pull the film and threatened violence against cinemas that showed it. Sony first cancelled the release, then, amid a free-speech backlash, put it out online.

The damage

The leaks were relentless and public. Five films, four of them unreleased, were dumped online. So were the Social Security numbers, salaries, and medical information of tens of thousands of current and former employees, and a trove of executive emails whose candid contents, about stars, rivals, and politics, became weeks of headlines and cost executives their jobs, most prominently co-chair Amy Pascal. CEO Michael Lynton later said he believed Sony had a better-than-even chance of not surviving, having learned that roughly 70% of its servers were destroyed. Sony estimated about $35 million in investigation and remediation costs for the fiscal year, settled an employee class action for up to $8 million, and absorbed lawsuits, reputational damage, and a chilling precedent. It was the first time a foreign government had used a destructive hack and a public leak to try to censor an American company.

Who was behind it

The FBI publicly attributed the attack to North Korea in December 2014, citing overlaps in the malware, infrastructure, and techniques with earlier North Korean operations. Some outside experts were skeptical at first, but the attribution held, and it was corroborated in 2016 by an industry coalition (Operation Blockbuster) that independently tied the attackers, which it named the Lazarus Group, to a decade of North Korean operations. In 2018 the US Department of Justice indicted Park Jin Hyok, a programmer working for the North Korean regime. He was tied to the same Lazarus Group later blamed for the 2016 theft from Bangladesh's central bank and for WannaCry in 2017, making Sony an early chapter in one of the most consequential state-hacking stories of the decade.

Why Sony still matters

Sony broke the assumption that a cyberattack means stolen data and downtime. Here the data theft was almost the setup; the payload was destruction and humiliation, aimed at coercing a company over what it published. It put the destructive side of security on the map, the wiper that makes a breach unrecoverable rather than merely embarrassing, and it showed that a determined APT with a political grievance will burn your environment to make a point. The defences are the unglamorous ones: segment the network, deploy detection that catches mass file operations early, lock down administrator credentials, classify and restrict sensitive data, and keep offline backups a wiper cannot also destroy.

How to fix it

  • Isolate and rebuild from known-good media; wiper victims must restore, not repair.
  • Reset all credentials, especially domain and administrator accounts, and rebuild trust in Active Directory.
  • Restore from offline, immutable backups and verify integrity before reconnecting.
  • Hunt for persistence and the staging used for data theft and destruction before bringing systems back.

How to avoid it

  • Segment the network and enforce least privilege so a single foothold cannot reach everything.
  • Deploy EDR and monitoring that can catch mass file operations and destructive tooling early.
  • Protect administrative credentials with MFA, tiering, and just-in-time elevation.
  • Classify sensitive data and restrict and monitor access to it; assume email and HR data are prime targets.
  • Keep tested, offline, immutable backups so a wiper cannot also destroy your recovery path.
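As an added example (not code from this page or from Sony), here is a small detector for the pattern the "How it happened" section describes and the monitoring bullet above asks for: a host loads an unsigned kernel driver and then starts deleting or rewriting files in a burst. The Sysmon event IDs, the log tuple shape and every sample event are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DRIVER_LOADED, FILE_CREATE, FILE_DELETE = 6, 11, 23   # Sysmon event IDs (assumed mapping)

def make_burst(host, start, n, step=1):
    """Construct n FileDelete events `step` seconds apart (sample data only)."""
    t0 = datetime.fromisoformat(start)
    return [(host, t0 + timedelta(seconds=i * step), FILE_DELETE,
             f"TargetFilename=C:\\Users\\a\\Documents\\f{i}.xlsx") for i in range(n)]

# Constructed sample log: ws-17 loads an unsigned raw-disk driver and then deletes
# files once a second; ws-03 does ordinary, slow file activity.
SAMPLE_EVENTS = (
    [("ws-17", datetime.fromisoformat("2014-11-24T06:58:00"), DRIVER_LOADED,
      "ImageLoaded=C:\\Windows\\Temp\\rawdisk.sys Signed=false")]
    + make_burst("ws-17", "2014-11-24T06:59:00", 25)
    + make_burst("ws-03", "2014-11-24T07:00:00", 5, step=120)
)

def detect(events, window=60, threshold=20, driver_lookback=900):
    """One alert per host: 'high' for >= threshold file ops inside `window` seconds,
    escalated to 'critical' when an unsigned driver load preceded the burst within
    `driver_lookback` seconds (the wiper sequence: driver first, then overwrite)."""
    recent = defaultdict(deque)   # host -> timestamps of file ops still in the window
    last_driver = {}              # host -> time of the last unsigned driver load
    alerts = {}
    for host, ts, eid, detail in sorted(events, key=lambda e: e[1]):
        if eid == DRIVER_LOADED and "Signed=false" in detail:
            last_driver[host] = ts
            continue
        if eid not in (FILE_CREATE, FILE_DELETE):
            continue
        q = recent[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            drv = last_driver.get(host)
            escalate = drv is not None and 0 <= (ts - drv).total_seconds() <= driver_lookback
            alerts[host] = {"host": host, "at": ts.isoformat(), "ops_in_window": len(q),
                            "severity": "critical" if escalate else "high"}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Tune `window` and `threshold` against a baseline of normal activity on each host class, since backup agents and build servers legitimately touch many files per minute.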
