Sony Should Have Seen the Hack Coming: Report

The Interview Sony Hack
Michael THURSTON/AFP/Getty Images

Fortune magazine, in a detailed examination of the cyber-hack that crippled Sony Pictures, is asserting that the studio was poorly prepared for the attack and should have seen it coming.

The studio has told the magazine that the assertions are untrue.

The magazine released on Thursday the first installment of a three-part story on the Nov. 24 hack. Fortune’s Peter Elkind spent six months reporting on the story and interviewed more than 50 current and former Sony executives, cyber-security experts and law enforcement officials for the article, “Inside the Hack of the Century: What Really Happened. Why Sony Should Have Seen It Coming. And Why It Should Terrify Corporate America.”

“Looking back, it’s hard to understand how Sony Pictures could have been so ill-prepared for an electronic invasion,” Elkind wrote. “It was part of a tech company that sells digital products — films, TV shows, videogames, and ­music — readily subject to online theft. Angered by Sony Corp.’s heavy-handed tactics to protect intellectual property, hackers have long targeted the company’s various divisions.”

The article also asserted that the Sony Information Security Department was not secure at the time of the attack. Fortune spoke with Tommy Stiansen, chief technology officer of threat-intelligence firm Norse Corp., which met with Sony three weeks prior to the attack to pitch their services. “Their Info Sec (information security department) was empty, and all their screens were logged in. Basically the janitor can walk straight into their Info Sec department,” he told the magazine.

Elkind also wrote, “While there is no way to know whether Sony’s attackers would have prevailed over even impeccable cyberdefenses, it’s clear that Sony, which failed to employ several basic safeguards, didn’t put up much of a fight. The company had ample reason to have bolstered its defenses: For years, culminating with its release of ‘The Interview,’ Sony Corp.’s business decisions have made it a virtual piñata for cyberassailants. And North Korea had been blamed for high-profile devastating electronic attacks in the past. Despite that, the company’s leadership failed repeatedly to take greater precautions.”

Sony spokesperson Robert Lawson told the magazine that such assertions are untrue, citing findings by the FBI and by the studio’s security consultant, Kevin Mandia.

“Any suggestion Sony Pictures Entertainment should have been able to defend itself against this attack is deeply flawed and ignores essential findings and comments made by the FBI and Kevin Mandia — the two parties most knowledgeable of the nation state threat and the evidence in this investigation.”

“Joseph Demarest, then assistant director of the FBI’s cyber-division, could not have been clearer when he told a U.S. Senate hearing that ‘the malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government,’” Lawson wrote.

The article noted that Sony Pictures CEO Michael Lynton has insisted the studio was well prepared for a conventional cyber-attack and has repeatedly characterized the hack as “highly sophisticated.”

In a written statement on behalf of Lynton, Sony spokesman Lawson insists that the “extremely knowledgeable” experts who consulted with Lynton “gave no hint or warning of the possibility of a cyberattack.”

The article noted that Lynton spoke with Daniel Russel, assistant secretary of state for East Asian and Pacific affairs, and that conversation included no mention of hacking risk, according to a note Lynton prepared. But it also noted that Bruce Bennett, a North Korea specialist with the Rand Corp. — where Lynton serves on the board—  warned Lynton of the “possibility” of a cyber-attack.

After watching “The Interview,” Bennett sent Lynton a three-page memo assessing the situation even before the Koreans began protesting the film, then had several follow-up exchanges with Lynton. Bennett advised Lynton that the North Koreans frequently made empty threats, and there probably wasn’t much to fear, but he also noted that North Korea would probe Sony’s computer systems.

“Even if North Korea doesn’t know about the film yet, as soon as they do find out about it, they will likely explore Sony’s computer systems to see if Sony is ready to deal with North Korean criticism,” according to passage that Bennett read to Fortune.

Bennett also told the magazine that he also told Lynton the Kim Jong-un regime employed hackers “who could potentially cause damage,” described the 2013 DarkSeoul hacking episode in South Korea and warned, “You need to realize something could happen in that area.”

Lawson denied that Bennett had warned Lynton: “If (Lynton) had received any kind of warning, his next call would have been to a cyberexpert to ask about it … In their many phone conversations, Bennett never mentioned the possibility of a cyberattack on the studio.”

The article also said that “The Interview” star Seth Rogen and director Evan Goldberg also received warnings of a possible cyber-attack, according to their spokesman, Matt Labov.

Even before they began shooting the film, Rogen and Goldberg sought the advice of Rich Klein of the consulting firm McLarty. Klein told Fortune that after reading their script, he advised the filmmakers to expect North Korean “blowback,” possibly in the form of an electronic assault, urged them to change their banking and email passwords and closely monitor their Internet accounts, and passed on the name of a cyber-security adviser.

Klein also said he feared that North Korea might unleash a cyber-assault on the studio to try to block the release of “The Interview” and that Rogen and Goldberg relayed that message to Sony executives.

“We felt that everybody involved in this had to protect themselves – the studio and the filmmakers,” Klein said. “The North Koreans are pretty aggressive cyberwarriors … It’s just surprising to me that there wasn’t a more robust sense of alarm and caution.”

Elkind concluded the segment by asserting that the events at Sony should be a warning for the rest of corporate America.

“What happened at Sony stands as a landmark event,” he wrote. “It struck terror in boardrooms throughout corporate America, and for all the unique elements in Sony’s situation, the lessons apply to every company… The peril for corporate America seems to be growing even faster than the immense resources now mobilized to combat electronic crime. This one hit home because it showed how attackers could steal even executives’ most precious secrets – and bring a company to its knees.”

Filed Under:

Want to read more articles like this one? SUBSCRIBE TO VARIETY TODAY.
Post A Comment 1

Leave a Reply

1 Comment

Comments are moderated. They may be edited for clarity and reprinting in whole or in part in Variety publications.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

  1. Michael David Moore says:

    I am a former SONY PICTURES IT Department Employee 34 years MGM 1981 to 1987,
    SONY PICTURES 1987 to November 21, 2014. August 2, 2009 I filed a Workers Compensation
    Claim against SPE; having a Nervous Breakdown, I went to the SPE Medical Department Nurse “Theresa Saporito”, I ask to her to put me on a “work related stress disability”.

    My Mental & Psychological at the time was so severe, I could not function. I had been harassed for years by Executive Director Jeff Grover of the Telecommunications Department. I worked in that Department 34 years. The nurse sat next to me in the Human Resources office of Abby Felder, the HR Rep for my department. I told her what had been going on for TWENTY YEARS, how Mr. Grover had HARASSED every single Employee who reported to him. Theresa Saporito, listened for an over an hour and a half, as I told Ms. Felder; things so shocking, she could not believe what she was hearing.

    I told her every one of my co-workers knew we worked for a racist bigot, the racist comments we would hear come out of his mouth, were unbelievable, it was so routine for him, he never gave it a second thought. Abby Felder filled page after page after page in a legal tablet.Everything I told her was covered up, by Sony Pictures.

    September 24, 2009, My Workers Compensation Claim, the only Claim in the History of Workers Compensation. To resulted in an Emergency Meeting which the CEO of what is today’s; “The Worlds Largest Multinational Insurance Company”, this European based Insurance Company at that time Insured, the Sony Corporation and its Subsidiaries. What this CEO told me,in “A RECORDED PHONE CALL”, WAS SUPPOSE TO HAPPEN TO THE SONY CORPORATION, September 25, 2009, at 9:00AM EST, which I stopped from happening by withdrawing my Workers Compensation that I had filed against Sony Pictures Entertainment Inc.

    THE EMAILS SENT BACK AND FORTH BETWEEN CHIEF LEGAL COUNCIL LEAH WEIL, ESQ. AND HUMAN RESOURCES DEPARTMENT HEAD EXECUTIVE VICE-PRESIDENT GEORGE ROSE.
    Those emails are the reason why on November 24, 2014, the hacking of the mainframe was necessary. My Documents,SPE APPLE IPHONE, and Witnesses, will prove beyond a reasonable doubt, was carried out from inside. Michael D. Moore

More Film News from Variety

Loading