U.S. accusations and formal charges against North Korea
U.S. government officials stated on December 17, 2014 their belief that the North Korean government was "centrally involved" in the hacking, although there was initially some debate within the White House over whether to make this finding public. White House officials treated the situation as a "serious national security matter", and on December 19 the FBI formally stated that it had connected the North Korean government to the cyber-attacks. These claims rested partly on undisclosed evidence and partly on the use of malicious tools and techniques similar to those previously employed by North Korean hackers, including North Korea's cyberwarfare agency Bureau 121, against South Korean targets. According to the FBI:

• "[A] technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korea previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks."

• "The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack." The FBI later clarified that these source IP addresses were associated with a group of North Korean businesses located in Shenyang in northeastern China.

• "Separately, the tools used in the SPE attack have similarities to a cyber-attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea."

The FBI later gave more detail, attributing the attacks to North Korea by noting that the hackers had been "sloppy" in their use of proxies: at times they connected from IP addresses that originated from within North Korea, and at one point they logged into the Guardians of Peace Facebook account and Sony's servers without effective concealment. FBI Director James Comey stated that Internet access is tightly controlled within North Korea, so it was unlikely that a third party had used these addresses without the North Korean government's permission.

The National Security Agency assisted the FBI in analyzing the attack, specifically in reviewing the malware and tracing its origins; NSA director Admiral Michael S. Rogers agreed with the FBI that the attack originated from North Korea. A leaked NSA report published by Der Spiegel stated that the agency had been able to identify the hack's origins because of its own intrusion into North Korea's networks, established in 2010 in response to concerns about the country's maturing technical capabilities. North Korea offered to take part in a joint probe with the United States to determine the hackers' identities, threatening consequences if the United States refused to collaborate and continued to make the allegation. The U.S. refused and asked China for investigative assistance instead. Some days after the FBI's announcement, North Korea temporarily suffered a nationwide Internet outage, which the country claimed was the United States' response to the hacking. On the day after the FBI's accusation, the FBI received an email purportedly from the hacking group, linking to a YouTube video entitled "you are an idiot!", apparently mocking the agency.

On December 19, 2014, U.S. Secretary of Homeland Security Jeh Johnson released a statement saying, "The cyber attack against Sony Pictures Entertainment was not just an attack against a company and its employees. It was also an attack on our freedom of expression and way of life." He encouraged businesses and other organizations to use the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) to assess and limit cyber risks and protect against cyber threats. On the same day, U.S. Secretary of State John Kerry published remarks condemning North Korea for the cyber-attack and for the threats against movie theaters and moviegoers. "This provocative and unprecedented attack and subsequent threats only strengthen our resolve to continue to work with partners around the world to strengthen cybersecurity, promote norms of acceptable state behavior, uphold freedom of expression, and ensure that the Internet remains open, interoperable, secure and reliable," he said. On January 2, 2015, the U.S., under an Executive Order issued by President Obama, imposed additional economic sanctions on the already-sanctioned North Korea in response to the hack, which North Korean officials denounced as "groundlessly stirring up bad blood towards" the country.
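The second FBI bullet above describes an infrastructure-overlap pivot: the addresses hardcoded into the wiper are pulled out of the sample, then checked against addresses already tied to the actor and against connection records showing which of those known addresses talked to them. The Python block below is an added illustration of that mechanics, not code from the FBI, from Sony or from this page. The binary blob, the known-infrastructure list and the flow records are constructed placeholders using the RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), not real indicators from the case, and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed stand-in for a wiper sample: header bytes, a command string and
# several hardcoded ASCII IPv4 addresses, as an embedded C2 list would look to
# `strings`. Addresses are RFC 5737 documentation ranges (TEST-NET-1/2/3),
# chosen because they are never routed; nothing here is a real indicator.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"   # MZ header fragment
    b"cmd.exe /c net use\x00"
    b"203.0.113.10\x00"                   # hardcoded C2 #1
    b"198.51.100.7\x00"                   # hardcoded C2 #2
    b"192.0.2.250\x00"                    # hardcoded C2 #3
    b"999.1.1.1\x00"                      # looks like an IP, octet > 255
    b"build 1.2.3.4000\x00"               # version string, not an IP
    b"\xff\xfe\xfd\x00"
)

# Constructed list of addresses an analyst has already tied to the actor
# (the "known infrastructure" in the FBI's wording). Placeholders only.
KNOWN_INFRA = {"203.0.113.99", "203.0.113.100"}

# Constructed netflow-style (src, dst) records standing in for the traffic
# data that showed known infrastructure talking to the hardcoded addresses.
SAMPLE_FLOWS = [
    ("203.0.113.99", "203.0.113.10"),
    ("203.0.113.100", "198.51.100.7"),
    ("198.51.100.200", "192.0.2.250"),   # peer is NOT known infrastructure
    ("203.0.113.99", "192.0.2.1"),       # unrelated traffic from known infra
]

# Dotted quad bounded by non-digit, non-dot characters so that "1.2.3.4000"
# and longer numeric runs are not split into a bogus address.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_hardcoded_ips(blob):
    """Return the distinct, syntactically valid IPv4 addresses embedded as
    ASCII in a binary blob, in order of first appearance."""
    found = []
    for match in IPV4_RE.finditer(blob):
        text = match.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)   # rejects octets above 255
        except ValueError:
            continue
        if text not in found:
            found.append(text)
    return found


def infrastructure_overlap(hardcoded, known_infra, flows):
    """For each hardcoded address, collect the known-infrastructure addresses
    that exchanged traffic with it. Addresses with no such peer keep an empty
    set so the analyst can see what the overlap does not explain."""
    peers = {ip: set() for ip in hardcoded}
    for src, dst in flows:
        if src in known_infra and dst in peers:
            peers[dst].add(src)
        elif dst in known_infra and src in peers:
            peers[src].add(dst)
    return peers


def assess(blob, known_infra, flows):
    """Run the pivot end to end and split the hardcoded addresses into those
    linked to known infrastructure and those that remain unexplained."""
    hardcoded = extract_hardcoded_ips(blob)
    peers = infrastructure_overlap(hardcoded, known_infra, flows)
    return {
        "hardcoded": hardcoded,
        "linked": sorted(ip for ip, p in peers.items() if p),
        "unlinked": sorted(ip for ip, p in peers.items() if not p),
        "peers": peers,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_BINARY, KNOWN_INFRA, SAMPLE_FLOWS)
    for ip in result["hardcoded"]:
        linked_to = ", ".join(sorted(result["peers"][ip])) or "(no known peer)"
        print(f"{ip:15} <-> {linked_to}")
```

The output of an overlap like this is only as strong as the known-infrastructure list behind it: a shared proxy, VPN exit or hosting node can tie unrelated campaigns together, which is why the skeptics quoted on this page call such evidence circumstantial, and why the FBI paired it with code-level similarities and the operators' unproxied logins rather than relying on it alone. The unexplained bucket (here 192.0.2.250) is worth reporting explicitly, since an attribution that silently drops the addresses it cannot link overstates its own coverage.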
Doubts about accusations against North Korea

Cyber security expert Kurt Stammberger of the cyber security firm Norse, DEFCON organizer and Cloudflare researcher Marc Rogers, Hector Monsegur, and Kim Zetter, a security journalist at Wired magazine, have expressed doubt that North Korea was behind the attack. Michael Hiltzik, a journalist for the Los Angeles Times, said that all evidence against North Korea was "circumstantial" and that some cybersecurity experts were "skeptical" about attributing the attack to the North Koreans. Cybersecurity expert Lucas Zaichkowsky said, "State-sponsored attackers don't create cool names for themselves like 'Guardians of Peace' and promote their activity to the public." Kim Zetter of Wired magazine called the released evidence against the government "flimsy". Former hacker Hector Monsegur, who once hacked into Sony, explained to CBS News that exfiltrating one or one hundred terabytes of data "without anyone noticing" would have taken months or years, not weeks. Monsegur doubted the accusations because North Korea's Internet infrastructure is insufficient to handle the transfer of that much data. He believed the attack could have been the work of Chinese, Russian, or North Korean-sponsored hackers operating outside the country, but was most likely the deed of a Sony employee.

Stammberger provided the FBI with Norse's findings, which suggest the hack was an inside job, stating, "Sony was not just hacked; this is a company that was essentially nuked from the inside. We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history." Stammberger believes that the security failure may have originated with six disgruntled former Sony employees, based on their skill sets and on discussions they held in chat rooms. Norse employees identified these people from a list of workers laid off by Sony during a restructuring in May 2014, and noted that some had responded very publicly and angrily to their firing and had held positions that would have let them identify how to access secure parts of Sony's servers. After a private briefing lasting three hours, the FBI formally rejected Norse's alternative assessment. Seth Rogen also expressed doubts about the claims that North Korea was behind the hack. Based on the timeline of events and the amount of information taken, he believes the hack may have been conducted by a Sony employee. "I've also heard people say that they think someone was hired to do the hack as a way of getting Amy Pascal fired. I don't know if I subscribe to those theories, but I kind of don't think it was North Korea."
Other investigations

In response to allegations that the intrusion was an inside job or something other than a state-sponsored cyber attack, computer forensic specialist Kevin Mandia, president of the security firm FireEye, commented that there was not a "shred of evidence" that an insider was responsible for the attack and that the evidence uncovered by his firm supported the position of the United States government. In February 2016, the analytics firm Novetta issued a joint investigative report into the attack. The report, published in collaboration with Kaspersky Lab, Symantec, AlienVault, Invincea, Trend Micro, Carbon Black, PunchCyber, RiskIQ, ThreatConnect and Volexity, concluded that a well-resourced organization had carried out the intrusion, and that "we strongly believe that the SPE attack was not the work of insiders or hacktivists". The analysis said that the same group is engaged in military espionage campaigns.
Formal charges

On September 6, 2018, the U.S. Department of Justice announced formal charges related to the Sony hack against North Korean citizen Park Jin-hyok. The Department of Justice contends that Park was a North Korean hacker who worked for the country's Reconnaissance General Bureau, the equivalent of the Central Intelligence Agency. The Department of Justice also asserted that Park was partly responsible for the WannaCry ransomware attack of 2017, having developed part of the ransomware. The Department of Justice had previously identified Park and had been monitoring him for some time, but could not bring charges against him immediately because much of the information about him was classified. The criminal complaint was unsealed by the Department of Justice via a press release in September 2018.

==Legal responses==