Or, as one senior official of the US Cyber Command put it at dinner in Washington one night, “How do you turn out the lights in a country that doesn’t have enough power to turn them on?”
Four years before the Sony hack, the United States had tried to answer that question in a secret operation code-named “Nighttrain.” The agency painstakingly drilled into the networks that connect North Korea to the outside world, mostly through China. They tracked down North Korean hackers, some of whom worked from Malaysia and Thailand, hoping to identify and locate members of the North Korean cyber army. And, without telling the South Korean government—its critical ally in taking on the North Korean challenge—the US piggybacked on a South Korean cyber intrusion into North Korea’s intelligence networks.
The purpose of Nighttrain—an operation revealed only in a brief and partial glimpse provided by a few documents in the Snowden trove—remains unclear. As does the NSA’s motivation in going behind South Korea’s back: why hadn’t the United States trusted its South Korean allies enough to join forces with them, openly, in piercing North Korea’s networks? Presumably the operation was intended to glean what it could about the North’s leadership, about its newly formed cyber corps, and of course about its nuclear secrets. It is not clear what the United States actually gained from the effort. But whatever its success or failure, Nighttrain yielded no advance warning of what was about to happen to Sony.
* * *
—
Once the North Korean hackers had burrowed into the Sony networks in the fall of 2014, they littered the company with “phishing” emails, betting that someone at the studio would click on the bait. It didn’t take long for that tactic to pay off. And once inside the system, Kim’s hackers obtained administrator privileges, the ability to roam throughout the system. Over the next few weeks, Sony’s unseen invaders mapped out where people stored emails, how the systems worked, and where Sony locked up forthcoming movies. Soon, the hackers owned the studio’s system.
The North Koreans had been enormously patient. They waited until the right moment to execute each step of the attack. This was a sign of true professionals. As one senior American intelligence official put it to me: “You don’t freelance in the North Korean system.” But even as the North’s hackers slowly broke down the last remaining barriers in Sony’s network and began to crawl around, mapping their attacks, no one in the company noticed. They were the digital equivalents of cat burglars who were extremely careful not to set off a hidden alarm.
Remarkable as it seems today, no one at Sony was even thinking about its computer networks as a vulnerability. It was a stupid mistake, but hardly an uncommon one—many other companies, and the US government, would make it time and again over the next three years.
* * *
—
Days before the 2014 Thanksgiving holiday, Lynton was driving to work in his Volkswagen GTI when he got a phone call from the office. It was David Hendler, the studio’s chief financial officer. There had been a cyber intrusion into the studio’s central computers. No one was quite sure of its scope, Hendler said, but it looked unusual. Maybe, he said, it would prove to be a passing issue that the IT guys could clean up by lunch. But it didn’t look that way; in fact, the studio’s IT department was preparing to take all of Sony Pictures offline to prevent the damage from getting worse.
By the time Lynton arrived at his office in Culver City’s Art Deco Thalberg Building—on the studio lot where Louis B. Mayer once ruled Hollywood—there was no illusion that this attack would be over by lunch. “Clearly, no one had a handle on the scope of the thing,” Lynton told me. And it didn’t look like your ordinary cyberattack. For one thing, across Sony’s campus, thousands of the company’s computer screens were showing an image of Lynton’s head, grotesquely severed.
Disgusting as it was, the picture was merely a distraction. While the computer users were trying to figure out what was happening, their hard drives were spinning away, wiping out whatever data were stored on them. The only employees who saved their information were those with the presence of mind to reach behind their computers and unplug their machines, bringing the hard disks to a halt. Those who stopped and stared at the image lost everything.
Shortly after Lynton arrived, Sony disconnected all of its computer systems around the world. No email. No production systems. No voicemail.
Lynton prided himself on his coolness under pressure; this wasn’t his first corporate crisis. His instinct, typical of most corporate executives, was to keep the problem locked up inside Sony. After all, it would only feed the hackers’ egos to figure out how much damage they had done. But the world would know soon enough.
Lynton alerted the FBI, and they set up camp on the studio lot, where many a movie depicting G-men pursuing bad guys had been filmed over the decades. But no one was spending much time ruminating on the life-imitates-art ironies. Instead, the agents quickly became preoccupied with a group that called itself the “Guardians of Peace,” who began leaking out Sony’s emails a few at a time. Clearly these had been swept up in the hack. And clearly someone involved in their release understood what would prove to be catnip for supermarket tabloids—indicating that whoever was behind the operation had some America-savvy help.
The Sony experience wasn’t a first: the WikiLeaks publication of State and Defense Department cables in 2010 proved how easy it was to grab headlines with confidential communications stolen from a computer system. Over the following few weeks, the Sony hackers doled out emails with embarrassing details about the studio, along with Sony contracts, a few medical records, and plenty of Social Security numbers. The North Koreans had even grabbed five yet-to-be-released movies, including Annie.
The Sony emails attracted an audience that no State Department cables could ever match. After all, the juiciest of State Department cables dealt with complaints about embassy amenities, backbiting office politics in Foggy Bottom. The Sony emails, in contrast, included one from a studio executive who described Angelina Jolie as a “minimally talented spoiled brat.” There was information about salaries at the studio and gossip about the offscreen affairs of actors and producers. There was even a leaked email that appeared to have been from the hackers themselves, sent on November 21, warning that if the studio didn’t pay an unspecified ransom, “Sony Pictures will be bombarded as a whole.” It looked like the email was never read before the attacks. And then there was the most ironic of all: emails from Seth Rogen to studio executive Amy Pascal, complaining about the changes Sony was making to the script of The Interview. “This is now a story of Americans changing their movie to make North Koreans happy,” he complained.
The salacious stuff, of course, overwhelmed most coverage of the destructive power of the attack. In the space of just a few months, North Korea—a country that could barely feed its people—had struck an iconic American studio with the most sophisticated cyberattack since Olympic Games. Sony had been asleep at the wheel. As had the US government.
In retrospect, the Sony hack was a harbinger—a destructive attack that melted physical equipment utilizing only ones and zeros, as Stuxnet had done; a distracting release of private communications that dominated the news and upended careers; and a ransom demand that distracted from the real purpose of the operation. But no one knew all of this at the time. When it happened, the attack seemed like a bolt from the blue, a wild overreaction to a Hollywood comedy from the touchy thirtysomething leader of a paranoid, starving nation that was wasting its hard currency, and its scarce talents, building nukes and missiles.
With 70 percent of its computer power paralyzed, Sony had to search the world for new equipment. Meanwhile, the accounting department decided to dig through the basement to look for the old machines they once used to issue paychecks. Clearly, they wouldn’t be making electronic transfers for a while.
* * *
—
At the White House, the Sony a
ttack raised a series of uncomfortable questions that would bedevil the US government many times over the next few years. From the moment the FBI camped out in the studio lot, the prime suspect was North Korea. But as President Obama’s aides knew, suspecting was one thing. Proving it was another. And even if Adm. Rogers, the director of the NSA, walked into the Situation Room with incontrovertible evidence, how could it be made public without revealing the agency’s sources? And what could you do to retailiate?
“It’s a classic problem,” Michael Daniel, Obama’s cybersecurity czar, said to me during the Sony investigation. “As soon as you declare who was behind a cyberattack, the next question is always: how are you going to make them pay? And there’s not always an easy answer.”
In fact, the NSA was already looking back at the reams of data collected from a series of intelligence operations inside the North’s computer networks, including Nighttrain, in an effort to make a conclusive case that North Korea’s leadership had ordered the Sony attack. Before long they discovered that some of the tools used against Sony had been used in previous attacks mounted by North Korean hackers.
“We found what we were looking for very quickly,” one White House official told me, describing evidence that appeared to provide a direct communications link between the Reconnaissance General Bureau and the actual hackers. Even today, the US government has never revealed its evidence—in the Sony case or in other instances of North Korean hacking—because it does not want to tip its hand about what kind of monitoring may be ongoing. But it seems clear the United States uncovered some intercepted voice communications or written instructions straight from the North Korean leadership.
The evidence was persuasive enough that President Obama was briefed on it almost immediately.
“I never thought I’d be here briefing on a bad Seth Rogen movie, sir,” one of Obama’s aides told him as the plot became clear.
“How do you know it’s a bad movie?” Obama asked.
“Sir, it’s a Seth Rogen movie….” Laughter broke out in the Oval Office.
But the proof only complicated the debate. The United States had lots of plans for how to respond to an attack on critical infrastructure, from dams to utilities. Clearly, the Sony attack was not in that category.
“This was a destructive attack,” said Robert Litt, the general counsel for the director of national intelligence. “But you couldn’t argue that it hit a vital sector of the US infrastructure. It wasn’t exactly taking out all the power from Boston to Washington. So the issue was: is this the government’s responsibility to defend?”
That was only one of the questions hanging in the air as Obama and his aides descended into the Situation Room on December 18. In a spirited debate, some of Obama’s aides argued that whether or not the target was “critical,” the United States had just been attacked.
“I remember sitting there while some of our colleagues argued that this was just like planting a bomb inside Sony, which we definitely would have categorized as terrorism,” said one national-security aide who was sitting along the back bench as the argument raged. “But in this case, there was no explosion—just people operating by remote control to accomplish the same result.”
Ever cautious, Obama came to the conclusion that it wasn’t terrorism; it was more like “cyber vandalism,” as he said a few days later. (He soon came to regret the line.) Obama did not want to escalate. But he also did not want to go through another country’s networks to get inside North Korea.
“The problem,” one participant in the meeting later told me, “was that the only way to go into the North Korean networks was through China, and no one wanted to have the Chinese thinking that we were attacking them or using their networks to attack someone else.”
But Obama was animated by one aspect of the attack. What made the Sony strike different, in his mind, was that it was intended as a weapon of political coercion. The constitutional lawyer in him was determined not to let a dictator in a faraway, broken nation kill a movie he found politically objectionable.
Meanwhile, the threats had grown more violent. The Guardians of Peace issued a declaration that the movie’s premiere in New York could be the target of a terror attack: “Soon all the world will see what an awful movie Sony Pictures Entertainment has made,” the statement said. “The world will be full of fear. Remember the 11th of September 2001.”
The 9/11 reference immediately heightened the stakes. Lynton suspended the release of the movie. And Obama, meeting in the Situation Room the day the threat was delivered, realized he could no longer remain silent. If he ignored a crude threat of terrorist action against theaters, he would look weak. He needed to call out the North Korean leadership, blame them for the cyberattack, and make clear what would happen if theaters were attacked. That meant he had to make it clear that the United States had linked the attack and the threats to Kim Jong-un.
But his intelligence officials were adamant that he could not reveal the presence of any implants the United States or South Korea had lurking in North Korea’s systems. In fact, they did not want him to explain in public even the obvious stuff: how they had matched the hacking tools used against Sony to others previously utilized by the North Koreans, specifically by Bureau 121, which ran the country’s army of cyber warriors—though the US didn’t have enough evidence to attribute the Sony attack to Bureau 121 with certainty.
“It was a classic debate,” one participant later told me. “The intel guys didn’t want to say anything—they are wired that way. The political and strategic types wanted to create some cost for the North Koreans.” But the options presented by Rogers—a counter cyberstrike on the North, or going after Kim Jong-un’s accounts around the world—were difficult to accomplish and seemed likely to impinge on Chinese sovereignty. So Obama decided to name and shame the North Koreans and figure out the penalty later.
The next day, December 19, hours before leaving for vacation in Hawaii, Obama stepped into the press room and took the unprecedented step of blaming North Korea for the attack. He vowed that a proportional response would happen “in a place and time and manner that we choose.” Some elements of that punishment would be visible, he said, and some would not be. He used the language of military retaliation, but without the real threat of action.
“We cannot have a society in which some dictator someplace can start imposing censorship here in the US,” he said, leaving no doubt he was directly challenging Kim Jong-un. He also took a shot at Sony for pulling the film out of theaters. American filmmakers and distributors, he said, should not “get into a pattern where you’re intimidated by these kind of criminal attacks.”
Lynton was flummoxed by Obama’s comments; he thought he was being cautious, protecting theatergoers, and he had already vowed to distribute the film one way or another. “I certainly am not planning on caving to the North Koreans,” he told me.
Lynton sent his staff scrambling to find independent theaters to show The Interview. More important, he twisted arms to get a digital release of the movie at the same time it was appearing in the theaters. At the time, that was still extraordinarily rare in the movie business. But this was an extraordinary circumstance. While some online movie distributors balked, Google came through, as did YouTube. On Christmas Day, after opening stockings and gifts, Americans downloaded the movie in living rooms across the country. It was still a ridiculous plot. But at least Kim Jong-un didn’t win. For now.
* * *
—
The Sony attack was hardly the only short-of-war assault on American targets in Obama’s second term, and it certainly wouldn’t be the last. Neither was it perfect. Jim Lewis later concluded that the North Koreans had a few weaknesses of their own. Specifically, they thought they were stealthier than they really were.
North Koreans had not expected the United States to conclude so quickly that Pyongyang was behind the attack, Lewis told me. “Son
y shocked [North Korea] when it discovered that they were not invisible in cyberspace,” he wrote. But inside the White House and the NSA, the attack illuminated weaknesses in American defenses that would only grow more glaring.
The first was a deep confusion—in both the government and the corporate world—about who is responsible for defending against attacks on corporate America.
The issue had come up repeatedly. When the Iranians froze the banking networks of Bank of America and JPMorgan Chase, Obama and his aides were concerned, but they concluded that the denial-of-service attacks didn’t rise to the level of requiring a national response. The attacks were viewed as crimes, not terrorism, and referred to the Justice Department, which ultimately indicted Iranian hackers.
But in early 2014, when the Iranians melted down computer equipment at the Sands Casino in Las Vegas, the administration again did not respond—even though that attack was more damaging and an act of political retaliation. The Iranians attacked the casino to show owner Sheldon Adelson that if he wanted to advocate setting off a nuclear weapon in the Iranian desert, he had better be prepared to see his prize casino go offline. That, too, was treated as a criminal act—to be dealt with in the courts—rather than as an attack on the United States.
In short, until the Sony attack Obama believed corporate America should take responsibility for defending its own networks, just as they take responsibility for locking their office doors at night. That approach made sense most of the time: Washington could not go to DEFCON 4 every time someone—even a state—went after part of the private sector. Clearly, the government could not protect against every cyberattack, just as it could not protect against every car theft or house burglary.
The Perfect Weapon Page 17
