Sony Pictures Entertainment hack
A North Korean wiper attack tied to the release of 'The Interview' destroyed roughly half of Sony Pictures' IT estate and leaked terabytes of internal documents, emails, and unreleased films.
- Victim: Sony Pictures Entertainment
- Loss: $100.0M
- Records: 1.0M
- Users: 47.0K
On 24 November 2014, the morning before Thanksgiving, employees at Sony Pictures Entertainment in Culver City logged in to find a stylised skull on every workstation and a message from a previously-unheard-of group calling itself "Guardians of Peace". Behind the cover persona was North Korea's Lazarus Group, which had detonated a destructive wiper across roughly half of Sony's IT estate and exfiltrated terabytes of internal data ahead of the destruction.
What happened
Lazarus operators had been resident on Sony Pictures' network since approximately September 2014, gaining access via spearphishing of senior executives and dwelling for months while harvesting credentials and mapping the environment. The U.S. FBI's later analysis suggested credentials had been compromised over the preceding months and stockpiled for the eventual destructive payload.
On 24 November, the operators triggered the wiper. The malware:
- Destroyed data on ~3,000 servers and ~6,000 employee laptops — roughly half of Sony Pictures' total IT estate.
- Disabled Sony Pictures' internal email, telephone systems, payroll, and most production-related infrastructure.
- Left employees physically present in the office with no working computers and reduced to using paper documents and personal phones for over a week.
In parallel, Guardians of Peace began leaking the exfiltrated data online:
- Five unreleased films including "Annie", "Fury", and "Mr. Turner" (Sony reported $5M in resulting lost revenue).
- Internal emails between executives, agents, and producers, including embarrassing remarks about actors and senior Hollywood figures.
- Personal data on 47,000 current and former employees — names, social security numbers, medical claims, family details.
- Unreleased scripts and contract documents.
The Interview
The attack was widely interpreted as retaliation for "The Interview", a Sony comedy depicting the assassination of North Korean leader Kim Jong Un, due for theatrical release on 25 December 2014. On 16 December, Guardians of Peace published a message warning of 9/11-style attacks against cinemas that screened the film.
The four major U.S. cinema chains — AMC, Regal, Cinemark, Carmike, Cineplex — pulled the film. Sony cancelled the theatrical release. Public criticism, including from then-President Obama, prompted Sony to reverse the decision and release the film through a limited theatrical and streaming distribution.
Impact
- Direct IT remediation cost: ~$35M.
- Lost revenue, business interruption, and class action settlements: ~$50M+ over subsequent years.
- Personal data class action settlement: $15M to current and former employees in 2015.
- The Interview's lost theatrical release and re-release via on-demand was estimated at $30M in foregone revenue.
- CEO Michael Lynton and several senior executives stepped down within the following two years.
Attribution
The U.S. FBI publicly attributed the attack to North Korea on 19 December 2014 — at the time, the most explicit U.S. government cyberattack attribution to a state actor on record. In September 2018, the DOJ unsealed an indictment naming Park Jin Hyok, a Lazarus operator, as a participant in the Sony attack along with WannaCry (2017) and the Bangladesh Bank SWIFT heist (2016). The forensic case linked all three operations via shared malware code and command-and-control infrastructure.
Why it matters
Sony Pictures is the first widely-known nation-state cyberattack on a private company for political reasons, and remains the canonical case for destructive-cyber-as-coercion. It also established a template Lazarus has reused at scale since: long dwell, credential staging, destructive wipe, public extortion-with-political-framing. The same operational lineage led to WannaCry, the Bangladesh Bank heist, and over $3 billion in subsequent cryptocurrency thefts.
The incident also reset corporate thinking on:
- Insider data exposure — Sony's email leak is still cited as the most consequential corporate-email exposure in history.
- Insurance for nation-state attacks — the Sony incident was an early test case for what cyber insurance covers when the attribution points to a state actor.
- Executive-level cyber accountability — the CEO turnover post-Sony foreshadowed the SEC's later disclosure rules around material cyber incidents.
Financial impact
Reported costs in USD
- Business loss: $35.0M
- Remediation: $50.0M
- Fines & settlements: $15.0M
Timeline
Lazarus operators establish foothold in Sony Pictures' network via spearphishing of senior staff, with credentials reportedly harvested over the preceding months.
Senior Sony executives receive a 'Guardians of Peace' extortion email demanding monetary compensation; the email is dismissed as spam.
On the morning before Thanksgiving, the destructive wiper triggers across Sony's network. Employees arrive to a skull image on every workstation and a message from 'Guardians of Peace'.
Wiper destroys data on roughly half of Sony Pictures' servers and 75% of staff laptops. Email, payroll, voicemail, and most internal systems go offline.
First batch of stolen documents leaks online, including five unreleased films and internal emails.
Personal data of 47,000 current and former Sony employees published. Salary details, social security numbers, medical claims, and personal correspondence are exposed.
'Guardians of Peace' threatens 9/11-style attacks against cinemas screening 'The Interview'. Major U.S. chains pull the film.
FBI publicly attributes the attack to North Korea.
U.S. DOJ unseals indictment of Lazarus operator Park Jin Hyok for the Sony attack along with Bangladesh Bank (2016) and WannaCry (2017).
Sources
- justice.gov: https://www.justice.gov/opa/press-release/file/1092091/dl
- fbi.gov: https://www.fbi.gov/news/press-releases/update-on-sony-investigation
- reuters.com: https://www.reuters.com/article/us-sony-cybersecurity-cost-idUSKBN0LB1XK20150207