Cyber Incident Victim: Sony

Date:

Nov 2014

Location:

United States of America

Summary

A North Korean government-linked conspiracy involving programmer Park Jin Hyok and others conducted cyber intrusions against multiple entities, including Sony Pictures Entertainment. The attackers employed spear-phishing emails containing malware to compromise the victim's network, exfiltrating confidential data and rendering systems inoperable. This group, associated with the Lazarus Group and operating through front company Chosun Expo, also executed financial thefts including an $81 million Bangladesh Bank heist, developed the WannaCry ransomware, and targeted defense contractors, financial institutions, and critical infrastructure globally using overlapping infrastructure, aliases, and malware variants with shared technical signatures.

Motives: 3 motives
Tactics, Techniques & Procedures: 4 techniques
Threat Actors: 2 actors
CIA Posture, Type, Location: available to members

Description

The criminal complaint filed in the United States District Court for the Central District of California detailed a multi-year conspiracy by North Korean operatives, including defendant Park Jin Hyok, to conduct cyber intrusions against global entities. Between September 2014 and August 2017, the conspirators—operating under the alias "Lazarus Group"—targeted Sony Pictures Entertainment (SPE) in retaliation for its production of the film "The Interview," which depicted a fictional assassination of North Korean leader Kim Jong-Un. The attackers initiated contact with SPE employees through spear-phishing emails containing malicious links and attachments, compromising SPE's network infrastructure. After gaining unauthorized access, they exfiltrated confidential data, including unreleased films and internal communications, and deployed destructive malware that rendered thousands of SPE computers inoperable. The conspirators subsequently leaked stolen materials through fabricated social media accounts such as "Andoson David" and "Watson Henny," which also distributed malware-laden links targeting individuals associated with the film's release. Forensic analysis revealed the use of customized malware families, proxy servers, and dynamic DNS services to obscure the attacks' origins, with infrastructure linked to North Korean IP ranges including 175.45.176.0–175.45.179.255.

The same conspirators executed the February 2016 cyber heist against Bangladesh Bank, resulting in the fraudulent transfer of $81 million using compromised SWIFT credentials, and attempted thefts exceeding $1 billion from financial institutions across 18 countries. Technical overlaps connected these attacks to the SPE intrusion, including shared encryption keys, command-and-control servers, and malware components like the "Brambul" worm and "FakeTLS" data table. The group additionally targeted U.S. defense contractors, energy utilities, and academic institutions using similar spear-phishing tactics and infrastructure. In May 2017, they deployed the "WannaCry 2.0" ransomware, which encrypted data globally and demanded cryptocurrency payments, with forensic links to earlier malware used against SPE and financial targets. Park Jin Hyok, identified through subscriber records and employment history at North Korean front company Chosun Expo, utilized accounts (e.g., [email protected]) that intersected with operational aliases like "Kim Hyon Woo." The FBI investigation, involving over 100 search warrants and international evidence requests, documented Park's work in Dalian, China, for Chosun Expo—a cover for North Korea's Lab 110 hacking unit—prior to his return to North Korea in 2014. The conspiracy caused operational disruptions, financial losses, and data breaches across multiple sectors, with investigative efforts tracing digital fingerprints through malware signatures, account recovery email linkages, and IP address correlations.

Sources: 1 source (available to members)