Security researchers have warned that hackers could be preparing attacks on other major film studios in the wake of the Sony Pictures cyber-attack that paralysed the company’s computer systems and resulted in the leak of several unreleased films.
Sean Sullivan, senior adviser and researcher at the security company F-Secure, said that he believes the purpose of the Sony hack was extortion. “If it was just hacktivists, they’d have released everything all at once,” he said. “But these releases, it’s like they’re shooting hostages. One thing one day, another the next. This is a really different tactic from what we usually see.”
The hackers behind the Sony attack emailed five top Sony Pictures executives on 21 November, three days before they began leaking the files, and demanded monetary compensation.
The email – headed “Notice to Sony Pictures Entertainment” – warned: “We’ve got great damage [sic] by Sony Pictures. The compensation for it, monetary compensation we want. Pay the damage, or Sony Pictures will be bombarded as a whole.” The executives appear to have ignored the message, which did not have any contact information, deadline or details about amounts or actions wanted.
On 25 November the hackers paralysed Sony Pictures’ computer systems, forcing the company to send some staff home while others had to use pen, paper and fax machines across its international offices. The studio could only watch while films such as Brad Pitt’s Fury, scheduled for a Christmas DVD release, were leaked to file-sharing networks.
But over the past few days the hackers, who appear to have gained access to the computers of every executive at the film studio, have released the entire email stores of executives, including the first, garbled, threat.
The pattern of disclosures
On Thursday they posted links to files containing every email to and from Sony Pictures’ top lawyer Leah Weil, including some which showed her annoyance at claims by Aaron Sorkin that he could not release the script of a film about Steve Jobs to Lisa Brennan, Jobs’s daughter, because the studio owned the copyright – a claim that infuriated Weil. The pattern of disclosures convinced Sullivan that other companies may be at risk.
He said that Sony’s network could have been infected through a “watering hole” attack – where malware is planted on a site used by staff from different companies in the same business sector. In January 2013, an Eastern European gang used that method to target 40 companies including Facebook, Apple and Twitter through an independent iPhone development site.
He warned that other studios should take any future extortion threat from hackers seriously. Graham Cluley, an independent security expert, said that the warning email “wasn’t the height of professionalism” – but added that Sony’s experience is “a warning shot for any studio”.
However there is still widespread disagreement among security researchers about the motives and origin of the hackers. So far they have revealed little about themselves, posting brief notes and links on Pastebin – a site favoured by hackers to “dump” material – writing in garbled English that suggests it is not their first language.
Attempts at extortion
There is also deep disagreement on whether the attackers are in North Korea, and want to block the release of the film The Interview, which lampoons Kim Jong-Un, the communist country’s leader. Sullivan believes references to “the terrorist film” in the hackers’ demands are a smokescreen for attempts at extortion, though Cluley said some of the imagery used by the hackers recalls the “Dark Seoul” attacks of spring 2013, where systems in South Korea were targeted by the North.
The leaked emails, released by a group calling themselves “Guardians of Peace”, also showed that the new James Bond film could cost $300m (£191m), making it one of the most expensive films of all time, according to senior executives at Sony. Messages sent last month to Bond producer Barbara Broccoli from Jonathan Glickman, the president of MGM studios, show that MGM and Sony Pictures, who will co-finance and distribute the film, were attempting to scale back a budget which then stood at “the mid-$300m”.
In an exchange which copied in Sony co-chair Amy Pascal, Glickman requests that cuts be made by scaling back action sequences. Broccoli, however, refused to trim the number of carriages to be used in a train chase, and insisted certain scenes be shot in Rome rather than London, despite inflated costs. In a separate message to Glickman, Pascal expresses her anxiety, writing: “It’s insane and you know with no script this movie is gonna go overbudget.”
The start of shooting on Spectre, the 24th James Bond film, was announced last week at Pinewood studios. The emails also reveal that new cast member Andrew Scott will be paid $1m less than would have been paid to Chiwetel Ejiofor, that the character Blofeld will make a return as predicted, and that the plot features a “lesbian bad lady”.
Further embarrassment for Sony
This fresh round of leaks looks to further embarrass the studio following disclosed communications earlier this week in which Pascal and producer Scott Rudin speculated that president Barack Obama would prefer films featuring African-Americans.
Both have since apologised, with Pascal saying: “Although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologize to everyone who was offended.”
Those emails followed the first, and still so far most damaging, round of leaks, which documented the breakdown in relations between Pascal and Rudin, who had previously collaborated on films such as The Social Network and Captain Phillips.
In the course of their exchanges, Rudin called Angelina Jolie “a minimally talented spoiled brat” with a “rampaging ego”. He also called Megan Ellison, the successful producer of films such as Foxcatcher and Inherent Vice, a “bipolar 28-year-old lunatic”.