On Thursday, Fortune Magazine released the first installment of a shocking and detailed look into the November 2014 cyber attack that crippled Sony Pictures.
Fortune’s Peter Elkind spent six months reporting on the story and interviewed more than 50 current and former Sony executives, cyber security experts, and law enforcement officials. It is entitled “Inside the Hack of the Century: What Really Happened. Why Sony Should Have Seen It Coming. And Why It Should Terrify Corporate America.”
Scroll down for some of the most astonishing revelations found in the article:
The Sony Information Security Department Was not Secure
Fortune spoke with Tommy Stiansen, the chief technology officer of threat-intelligence firm Norse Corp., which met with Sony in early November to pitch its services in defending the studio against hackers. Stiansen recalled, “Their [information security department] was empty, and all their screens were logged in. Basically the janitor can walk straight into their Info Sec department.”
A Sony Exec Suggested Featuring Kim Jong-Un in “The Interview”
Early versions of the script employed a fictional character named Kim Il-hwan, according to Interview screenwriter Dan Sterling. He maintains it was a studio executive, whom he declined to name, who originally suggested using the North Korean dictator as the main antagonist. According to the article, Sony executives loved the idea, as they could avoid offending a major film market like China, and North Korea was considered fair game for parody.
Sony Was Warned about North Korea Attack by Security Expert
Sony spokesman Robert Lawson insists that the “extremely knowledgeable” experts that CEO Michael Lynton consulted “gave no hint or warning of the possibility of a cyberattack.” But Bruce Bennett, a North Korea specialist with the Rand Corp.–where Lynton serves on the board–says he did warn the Sony CEO that a cyberattack was “a possibility.” After watching The Interview, Bennett sent him a three-page memo assessing the situation even before the Koreans began protesting the film, then had several follow-up exchanges with Lynton. Bennett’s memo said, “Even if North Korea doesn’t know about the film yet, as soon as they do find out about it, they will likely explore Sony’s computer systems to see if Sony is ready to deal with North Korean criticism.”
Lawson denies this claim, saying in a statement, “If [Lynton] had received any kind of warning, his next call would have been to a cyberexpert to ask about it … In their many phone conversations, Bennett never mentioned the possibility of a cyberattack on the studio.”
The Hackers Emailed Sony Three Days Before Attack
The group that claimed responsibility for the attack emailed Lynton, Amy Pascal, and three other Sony executives three days before the attack, demanding a payoff. “We’ve got great damage by Sony Pictures,” the email read. “The compensation for it, monetary compensation we want. Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.” Sony executives forwarded the email to the FBI, according to spokesperson Lawson.
Seth Rogen and Evan Goldberg Were Also Warned about Cyber Attack
According to their spokesman, Matt Labov, even before Rogen and Goldberg began shooting the film, the pair sought the advice of Rich Klein, whose Washington, D.C.-based consulting firm, McLarty, advises Hollywood on sticky geopolitical problems. After reading their script, Klein told Fortune, he advised the filmmakers to expect North Korean “blowback,” possibly in the form of an electronic assault. He advised the two to change their online banking and social media passwords as a precaution.
Rogen and Goldberg Warned Sony About Possibility of Attack
Klein says he also feared that North Korea might unleash a cyber assault on the studio to try to block The Interview’s release. Rogen and Goldberg relayed that message to Sony executives. “We felt that everybody involved in this had to protect themselves–the studio and the filmmakers,” Klein said. “The North Koreans are pretty aggressive cyberwarriors …. It’s just surprising to me that there wasn’t a more robust sense of alarm and caution.”
Experts Say Sony Attack Was not Particularly Sophisticated
Hackers typically use the simplest means necessary to accomplish their mission, and experts say there was nothing particularly sophisticated about the Sony attack. Ed Skoudis, a “white hat” hacker who teaches cyber defense testing for corporate IT security professionals at the SANS Institute, says the skill level deployed at Sony looks “pretty average.” He puts its perpetrators on par with students in his mid-level classes. “It shows the defenses of Sony were not particularly good,” he said. “I didn’t see the bad guys jumping over any extreme hurdles, because there weren’t any extreme hurdles in place.”
Amy Pascal Said “I Feel Like I’ve Been Raped” After the News Broke
Former Sony Pictures chair Pascal issued a public apology, then sought forgiveness in meetings with Sony employees and the Rev. Al Sharpton, who had threatened to demand her head over the Obama comments. “I feel like I’ve been raped,” she privately told a studio visitor. “And I was blamed for it.”
“It’s Hard to Know How Sony Could Have Been So Ill-Prepared”
Elkind writes, “Looking back, it’s hard to understand how Sony Pictures could have been so ill-prepared for an electronic invasion. It was part of a tech company that sells digital products–films, TV shows, videogames, and music–readily subject to online theft … In effect, once the invaders made it past the network gates they could go anywhere they wanted because Sony hadn’t locked any doors–much in the way that the company had left its information security department open and unattended.”
However, Sony spokesperson Robert Lawson said in a statement that “any suggestion Sony Pictures Entertainment should have been able to defend itself against this attack is deeply flawed and ignores essential findings and comments made by the FBI and
“Joseph Demarest, then assistant director of the FBI’s cyber division, could not have been clearer when he told a U.S. Senate hearing that ‘the malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government,’” Lawson wrote.
Sony’s Lack of Defenses Made It “Virtual Piñata” for Hackers
Elkind wrote, “While there is no way to know whether Sony’s attackers would have prevailed over even impeccable cyberdefenses, it’s clear that Sony, which failed to employ several basic safeguards, didn’t put up much of a fight. The company had ample reason to have bolstered its defenses: For years, culminating with its release of ‘The Interview,’ Sony Corp.’s business decisions have made it a virtual piñata for cyberassailants. And North Korea had been blamed for high-profile devastating electronic attacks in the past. Despite that, the company’s leadership failed repeatedly to take greater precautions.”
Sony Attack Should Be a Wake Up Call for Corporate America
“What happened at Sony stands as a landmark event,” Elkind concludes. “It struck terror in boardrooms throughout corporate America, and for all the unique elements in Sony’s situation, the lessons apply to every company… The peril for corporate America seems to be growing even faster than the immense resources now mobilized to combat electronic crime. This one hit home because it showed how attackers could steal even executives’ most precious secrets–and bring a company to its knees.”