The attacks disabled computers, exposed massive amounts of data including unreleased films and employees’ personal information, and ultimately resulted in the cancellation of Sony’s planned release of the film “The Interview,” which features a fictional attack on North Korean leader Kim Jong-Un.
It’s not clear how the attacks were linked to North Korea, though one of the command and control servers for the attack was also used in cyber attacks on South Korea two years ago, and the malware used against Sony is similar to the malware used to target South Korean TV stations and banks in 2013.
The release of “The Interview” was canceled after leading theatre chains refused to show the film in response to an emailed threat from the hackers stating, “We will clearly show it to you at the very time and places ‘The Interview’ be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. … Remember the 11th of September 2001.”
Sony employees have also filed three separate lawsuits against the company seeking class action status in response to the breach, one of which claims that Sony “failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years” and that it “subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers,” according to the Los Angeles Times.
Douglas Johnson of law firm Johnson and Johnson LLP, which is representing one of the plaintiffs, told Re/code that Sony was fully aware of its own vulnerabilities. “Sony’s Playstation Network has been hacked before, and they knew that some kind of retaliation for this film was coming,” he said. “We think they had a lot of notice to do a better job on their computer security.”
Rapid7 global security strategist Trey Ford told eSecurity Planet by email that the Sony breach is a reminder that cyber attacks are launched with a wide variety of motives. “An attacker may not be driven by monetary gain as Target and Home Depot attackers appear to have been; they may seek to exact retribution, embarrassment, defacement or damage,” he said. “When you consider risk and continuity for your organization, it’s important to note that attackers are not only seeking the theft of credit cards.”
“Companies have a lot more sensitive and valuable data than just credit cards and financial information, and there is potentially a very high cost to the business of the loss of intellectual property and other trade secrets, internal communications, and employee and customer personal information,” Ford added. “We must also be mindful that attackers may not steal information at all and may instead focus on destruction, which could be just as disruptive to your business.”
“The bottom line is that any business could be a target and you must fully assess what you have that might be valuable, and try to understand why you might be attacked,” Ford said. “You need to have a plan to mitigate not just theft, but destructive attacks as well.”