Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,669 --> 00:00:03,168 BEN: It was one of the most devastating attacks 2 00:00:03,270 --> 00:00:04,236 in corporate history. 3 00:00:04,338 --> 00:00:06,538 VOICE: This is voice of Korea. 4 00:00:06,640 --> 00:00:08,741 We've never seen an attack like this before. 5 00:00:08,843 --> 00:00:10,809 BEN: It forced a major Hollywood studio 6 00:00:10,911 --> 00:00:12,411 to shut its networks down. 7 00:00:12,513 --> 00:00:13,679 Security hands you a memo, 8 00:00:13,781 --> 00:00:15,814 and it says there was a system disruption. 9 00:00:15,916 --> 00:00:18,751 The US government was quick to blame North Korea. 10 00:00:18,853 --> 00:00:23,922 And we can confirm that North Korea engaged in this attack. 11 00:00:24,025 --> 00:00:26,925 But hackers and computer experts questioned the narrative. 12 00:00:27,028 --> 00:00:29,328 It's not even a warm gun. 13 00:00:29,430 --> 00:00:31,063 It's barely a gun. 14 00:00:31,165 --> 00:00:33,132 Was it really North Korea, or was it someone else? 15 00:00:34,402 --> 00:00:44,410 ♪ 16 00:00:54,388 --> 00:00:56,955 It all started on November 21st, 2014, 17 00:00:57,058 --> 00:00:59,691 when Sony executives got an extortion email 18 00:00:59,794 --> 00:01:02,027 from an unknown group , the so-called God'sApstls. 19 00:01:03,531 --> 00:01:05,264 Sony reported it to the FBI. 20 00:01:05,366 --> 00:01:07,866 But three days later, all hell broke loose 21 00:01:08,002 --> 00:01:10,202 when a group calling themselves the Guardians of Peace 22 00:01:10,304 --> 00:01:12,304 appeared on Sony Computers. 23 00:01:13,574 --> 00:01:16,408 Sony Pictures co-chairs Amy Pascal and Michael Lynton 24 00:01:16,510 --> 00:01:20,245 scrambled to contain the damage, but it was too late. 25 00:01:20,347 --> 00:01:22,514 Over the next three weeks, a mountain of data 26 00:01:22,583 --> 00:01:25,317 including movies, salaries, and private corporate information 27 00:01:25,419 --> 00:01:27,953 was dumped onto the internet. 28 00:01:28,055 --> 00:01:29,922 But what really captured everyone's imagination 29 00:01:30,024 --> 00:01:32,591 were the private emails of Sony top dogs. 30 00:01:32,693 --> 00:01:34,827 Everybody is suddenly reading Amy Pascal's 31 00:01:34,929 --> 00:01:36,995 personal emails and professional emails, 32 00:01:37,098 --> 00:01:40,265 which were also in many instances very embarrassing. 33 00:01:40,334 --> 00:01:43,001 As the editor-at-large of The Hollywood Reporter, 34 00:01:43,104 --> 00:01:46,004 Kim Masters remembers the cringe across Tinseltown. 35 00:01:46,107 --> 00:01:48,941 There was a sense of instant fear throughout Hollywood 36 00:01:49,043 --> 00:01:51,443 because everybody knew, first of all, 37 00:01:51,545 --> 00:01:53,245 that they were probably vulnerable. 38 00:01:53,347 --> 00:01:55,681 I think simultaneously a lot of executives 39 00:01:55,783 --> 00:01:57,483 in the industry thought, "Yeah, but I don't know 40 00:01:57,585 --> 00:01:59,284 if I put some of this stuff in an email." 41 00:01:59,386 --> 00:02:01,653 Producer Scott Rudin called out Angelina Jolie 42 00:02:01,755 --> 00:02:03,789 for being a spoiled brat. 43 00:02:03,891 --> 00:02:07,126 Sony exec Clint Culpepper bad-mouthed Kevin Hart. 44 00:02:07,194 --> 00:02:10,929 Worst of all, Pascal and Rudin gossiped about what flicks 45 00:02:11,031 --> 00:02:14,333 the first black president of the United States might be into. 46 00:02:14,435 --> 00:02:16,502 It was so extreme and so emotional, 47 00:02:16,604 --> 00:02:19,037 and sometimes in some cases so inappropriate. 48 00:02:19,140 --> 00:02:22,007 But the breach went beyond salacious emails. 49 00:02:22,109 --> 00:02:23,976 Sony employees watched helplessly 50 00:02:24,078 --> 00:02:26,345 as their social security numbers, medical records 51 00:02:26,447 --> 00:02:28,847 and more were released online for everyone to see. 52 00:02:30,951 --> 00:02:32,484 I met someone who was on Sony's lot 53 00:02:32,586 --> 00:02:34,153 the day the attack went down. 54 00:02:34,255 --> 00:02:36,522 She was a senior coordinator for the studio's digital TV 55 00:02:36,624 --> 00:02:39,658 department, and eventually quit because of the hack. 56 00:02:39,760 --> 00:02:42,327 Celina was the only Sony employee I spoke to 57 00:02:42,429 --> 00:02:44,663 who was willing to go on camera. 58 00:02:44,765 --> 00:02:46,298 When did you find out your personal information 59 00:02:46,400 --> 00:02:47,533 was actualy leaked though? 60 00:02:47,635 --> 00:02:50,002 We got a memo saying that unfortunately 61 00:02:50,104 --> 00:02:52,804 a cyber hack attack happened, and they got everybody's 62 00:02:52,907 --> 00:02:55,007 information, and-- but they didn't specify who. 63 00:02:55,109 --> 00:02:56,742 They just basically-- anybody that ever worked 64 00:02:56,844 --> 00:02:59,044 for Sony at anytime in their lifetime possibly 65 00:02:59,146 --> 00:03:01,480 had a chance of their stuff being hacked. 66 00:03:01,582 --> 00:03:03,582 So if you could just break down specifically how 67 00:03:03,684 --> 00:03:05,918 you went about finding your name and finding out that 68 00:03:06,020 --> 00:03:08,086 you were, you know, personally affected by it. 69 00:03:08,189 --> 00:03:11,590 I literally went to Google and searched "Sony hack 2014", 70 00:03:11,692 --> 00:03:13,926 and then I saw just like a tree directory, 71 00:03:14,028 --> 00:03:15,494 like old school style DOS, 72 00:03:15,596 --> 00:03:17,396 and you saw just different file names. 73 00:03:17,498 --> 00:03:20,566 And they named the files like "Celina's offer letter", 74 00:03:20,668 --> 00:03:24,369 and they were named specifically what that document was. 75 00:03:24,471 --> 00:03:26,605 So it wasn't hard to find out your information 76 00:03:26,707 --> 00:03:28,073 was put out there. 77 00:03:28,175 --> 00:03:29,441 What were some of the things that were going down? 78 00:03:29,543 --> 00:03:31,276 Like, 'cause obviously you can't use computers. 79 00:03:31,378 --> 00:03:32,911 That's everything. 80 00:03:33,013 --> 00:03:34,513 Did everything just revert to like the stone age? 81 00:03:34,615 --> 00:03:35,781 Like what happened? 82 00:03:35,883 --> 00:03:37,416 We started saying we're working "analog". 83 00:03:37,518 --> 00:03:39,117 You literally had to write stuff out. 84 00:03:39,220 --> 00:03:42,120 But yeah, there was a lot of drinking and partying 85 00:03:42,223 --> 00:03:44,289 and eating, 'cause that's all you could do. 86 00:03:44,391 --> 00:03:46,558 And I mean, Sony already paid for their Christmas party, 87 00:03:46,660 --> 00:03:48,961 so we had it, and it was huge, and it was awesome. 88 00:03:49,063 --> 00:03:52,130 And then Michael Lynton and Amy Pascal stood up 89 00:03:52,233 --> 00:03:55,133 and gave a speech, and then Amy Pascal kinda 90 00:03:55,236 --> 00:03:56,602 challenged the hackers. 91 00:03:56,704 --> 00:03:58,303 Challenged the hackers? How? 92 00:03:58,405 --> 00:04:01,607 In her speech, she was like oh, this wasn't gonna get us down. 93 00:04:01,709 --> 00:04:04,142 Like, "We're gonna beat you guys," and all that stuff. 94 00:04:04,245 --> 00:04:06,545 Pascal's defiance didn't save her, 95 00:04:06,647 --> 00:04:08,547 and she was eventually forced to resign. 96 00:04:08,649 --> 00:04:11,083 But from early on, the real question everyone asked 97 00:04:11,185 --> 00:04:14,219 was why would hackers target Sony Pictures? 98 00:04:14,321 --> 00:04:16,154 The media had an answer... 99 00:04:16,257 --> 00:04:18,090 You want us to kill the leader of North Korea? 100 00:04:18,158 --> 00:04:19,057 Yes. 101 00:04:19,159 --> 00:04:20,659 Wha? 102 00:04:20,761 --> 00:04:22,327 ...a movie starring Seth Rogan and James Franco with a plot 103 00:04:22,429 --> 00:04:25,631 hinging on assassinating the real life leader of North Korea. 104 00:04:25,733 --> 00:04:27,899 President Kim Jong-un! 105 00:04:28,002 --> 00:04:30,802 The Interview was, you know, just a raunchy stoner comedy. 106 00:04:30,904 --> 00:04:32,804 I don't think anybody would argue it was high art 107 00:04:32,906 --> 00:04:34,806 or Oscar material. 108 00:04:34,908 --> 00:04:37,009 With The Interview set for a Christmas release, 109 00:04:37,111 --> 00:04:39,745 a rambling message posted online threatened 110 00:04:39,847 --> 00:04:41,847 terrorist attacks on the movie's premiere 111 00:04:41,949 --> 00:04:44,983 in any theatres daring to screen the film. 112 00:04:45,052 --> 00:04:46,918 Sony Pictures pulled the movie. 113 00:04:47,021 --> 00:04:50,656 We had no alternative but to not proceed 114 00:04:50,758 --> 00:04:53,925 with the theatrical release on the 25th of December. 115 00:04:54,028 --> 00:04:57,195 And then, out of nowhere, President Obama named the perp. 116 00:04:57,298 --> 00:05:00,198 The FBI announced today that... and we can confirm that 117 00:05:00,301 --> 00:05:04,369 North Korea engaged in this attack. 118 00:05:04,471 --> 00:05:06,204 It was the first time a president has blamed 119 00:05:06,307 --> 00:05:08,940 a nation state for a major cyber attack on American soil. 120 00:05:10,244 --> 00:05:12,210 The US retaliated with sanctions. 121 00:05:12,313 --> 00:05:14,212 The White House didn't discuss the evidence, 122 00:05:14,315 --> 00:05:17,549 but the FBI came forward with some details. 123 00:05:17,651 --> 00:05:20,652 Brett Leatherman is an agent in the FBI's cyber division. 124 00:05:20,754 --> 00:05:22,788 Based on what's publically known, 125 00:05:22,890 --> 00:05:24,890 the hack seems to have gone down in four phases. 126 00:05:24,992 --> 00:05:27,993 First: spear phishing, which the FBI said 127 00:05:28,095 --> 00:05:30,195 was likely how the hackers got into Sony. 128 00:05:30,297 --> 00:05:32,831 Somebody within a company or organization would receive 129 00:05:32,933 --> 00:05:36,134 an email that looks like it's a legitimate email 130 00:05:36,236 --> 00:05:39,304 that might contain an attachment or a link to a website. 131 00:05:39,406 --> 00:05:41,573 Once you click on that link, 132 00:05:41,675 --> 00:05:43,475 it would take you then to a website, 133 00:05:43,577 --> 00:05:46,345 or it would launch malware on your computer that would allow 134 00:05:46,447 --> 00:05:48,747 somebody to then compromise your system. 135 00:05:48,849 --> 00:05:50,749 Next, the hackers gained broader access 136 00:05:50,851 --> 00:05:52,250 to Sony's networks. 137 00:05:52,353 --> 00:05:55,354 So they're looking for a user with escalated privileges, 138 00:05:55,456 --> 00:05:59,091 and it could be an admin, or it could be a CEO or CFO 139 00:05:59,193 --> 00:06:03,362 who needs access to your network in an administrative capacity. 140 00:06:03,430 --> 00:06:06,098 So admin credentials are key 141 00:06:06,200 --> 00:06:08,500 in going laterally through a network. 142 00:06:08,602 --> 00:06:11,103 With their almost god-like access to Sony, 143 00:06:11,205 --> 00:06:13,772 the hackers moved to phase 3: data theft. 144 00:06:13,874 --> 00:06:16,274 It probably took them months to steal everything 145 00:06:16,377 --> 00:06:18,443 they eventually released online. 146 00:06:18,545 --> 00:06:21,346 And then came the grand finale: data destruction. 147 00:06:21,448 --> 00:06:23,915 The unique thing about the Sony attack 148 00:06:24,017 --> 00:06:26,284 was the destructive nature of the malware. 149 00:06:26,387 --> 00:06:28,854 The hackers launched malware, or malicious software, 150 00:06:28,956 --> 00:06:30,922 that destroyed Sony computers from within, 151 00:06:31,024 --> 00:06:34,059 wiping data off its systems. 152 00:06:34,161 --> 00:06:35,527 But that still doesn't explain how the government 153 00:06:35,629 --> 00:06:37,829 attributed the attack to North Korea. 154 00:06:41,835 --> 00:06:43,268 BEN: Whoever hacked Sony Pictures' networks 155 00:06:43,370 --> 00:06:45,203 stole sensitive data, then smashed whatever they could 156 00:06:45,305 --> 00:06:46,938 on the way out. 157 00:06:47,040 --> 00:06:49,741 But to this day, one question remains: 158 00:06:49,843 --> 00:06:52,577 How was the US government so sure it was North Korea? 159 00:06:52,679 --> 00:06:55,814 So I can't comment on ongoing FBI investigations. 160 00:06:55,916 --> 00:06:58,483 So why is the investigation ongoing? 161 00:06:58,585 --> 00:07:01,953 A cyber investigation is a long-term effort 162 00:07:02,055 --> 00:07:04,890 to just not only attribute... 163 00:07:04,992 --> 00:07:08,226 if there's a particular country involved, not just attribute 164 00:07:08,328 --> 00:07:11,396 who that country might be, but also to attribute 165 00:07:11,498 --> 00:07:14,332 threat actors behind the actual compromise. 166 00:07:14,435 --> 00:07:17,068 Because there's other groups that are involved 167 00:07:17,171 --> 00:07:19,104 in these kind of attacks. 168 00:07:19,206 --> 00:07:21,773 So there are other groups who kinda jump on the bandwagon 169 00:07:21,875 --> 00:07:23,108 for their own benefit. 170 00:07:23,210 --> 00:07:24,476 And that was the case with Sony. 171 00:07:24,578 --> 00:07:25,811 Possibly. 172 00:07:25,913 --> 00:07:27,345 That may have been the case with Sony, 173 00:07:27,448 --> 00:07:29,848 but in general I think we frequently see that 174 00:07:29,950 --> 00:07:31,383 with major cyber events. 175 00:07:33,187 --> 00:07:35,353 Beyond the FBI, the National Security Agency, 176 00:07:35,456 --> 00:07:37,923 one of America's spy powers, was reported to have evidence 177 00:07:38,025 --> 00:07:40,091 it was North Korea. 178 00:07:40,194 --> 00:07:42,527 But the NSA won't confirm or deny anything. 179 00:07:42,629 --> 00:07:45,363 Well actually, I think the government was more forthcoming 180 00:07:45,466 --> 00:07:47,866 in the Sony hack than is usually the case. 181 00:07:47,968 --> 00:07:50,101 You know, historically the government wouldn't really 182 00:07:50,204 --> 00:07:52,204 attribute it at all to a nation state. 183 00:07:53,106 --> 00:07:55,173 Michael Chertoff was the secretary of Homeland Security 184 00:07:55,275 --> 00:07:57,342 under President George W. Bush. 185 00:07:57,444 --> 00:08:00,011 He and former NSA and CIA director Michael Hayden 186 00:08:00,113 --> 00:08:03,014 now run a private consulting firm. 187 00:08:03,116 --> 00:08:05,350 And then you have the government pretty clearly saying 188 00:08:05,452 --> 00:08:07,886 North Korea was responsible for the Sony hack. 189 00:08:07,988 --> 00:08:12,190 And I think that was a decision that the risk of revealing 190 00:08:12,292 --> 00:08:14,960 a little bit about sources and methods was outweighed 191 00:08:15,062 --> 00:08:17,329 by the importance of saying to the bad actors, 192 00:08:17,431 --> 00:08:20,165 "We know it's you, and there's a limit 193 00:08:20,267 --> 00:08:21,733 to our willingness to tolerate this." 194 00:08:21,835 --> 00:08:23,368 So in your expert opinion, 195 00:08:23,470 --> 00:08:24,970 do you think that was a good decision? 196 00:08:25,072 --> 00:08:26,538 I think it probably did make sense. 197 00:08:26,640 --> 00:08:29,040 I think if you look at actually the way North Korea operates, 198 00:08:29,142 --> 00:08:32,878 there is a small group of privileged individuals, 199 00:08:32,980 --> 00:08:36,081 which include people who are-- have technical skills that are 200 00:08:36,183 --> 00:08:39,017 useful to the regime, that are well resourced, 201 00:08:39,119 --> 00:08:41,152 and are quite capable. 202 00:08:41,255 --> 00:08:44,155 I mean, they may not be the A Team, but they're the B Team, 203 00:08:44,258 --> 00:08:46,157 and the B Team can do a lot of damage. 204 00:08:46,260 --> 00:08:49,261 I had an idea who Chertoff's B Team could be: 205 00:08:49,363 --> 00:08:52,697 a North Korean military agency known as Bureau 121. 206 00:08:52,799 --> 00:08:55,133 But North Korea can barely keep the lights on, 207 00:08:55,235 --> 00:08:57,802 so could they really have an elite hacking unit? 208 00:09:00,507 --> 00:09:02,541 - Martyn. - Hi. 209 00:09:02,643 --> 00:09:04,376 - How're you doing? - I'm good, how are you? 210 00:09:04,478 --> 00:09:05,911 Good. (Radio distortion) 211 00:09:06,013 --> 00:09:07,379 Sounds like you're calling... 212 00:09:07,481 --> 00:09:09,548 You're trying to access some aliens or something. 213 00:09:09,650 --> 00:09:11,783 - Almost, North Korea. - Almost. 214 00:09:12,352 --> 00:09:14,419 Martyn Williams is a reporter who's been to North Korea, 215 00:09:14,521 --> 00:09:17,188 and has written extensively on their tech capabilities. 216 00:09:17,291 --> 00:09:19,591 What do we know about Bureau 121, the actual 217 00:09:19,693 --> 00:09:22,527 hacking collective of the cyber warriors of Kim Jong-un? 218 00:09:22,629 --> 00:09:24,029 Like what do we know about them? 219 00:09:24,131 --> 00:09:25,063 Because nobody seems to know anything, 220 00:09:25,165 --> 00:09:27,232 like who they are, what they do. 221 00:09:27,334 --> 00:09:29,501 I mean, welcome to the world of looking at North Korea. 222 00:09:29,570 --> 00:09:32,203 Nobody knows anything about anything in the country. 223 00:09:32,306 --> 00:09:34,539 Very little information gets out, 224 00:09:34,641 --> 00:09:37,075 except what you can hear on the radio. 225 00:09:37,177 --> 00:09:39,411 There are snippets that come out through defectors. 226 00:09:39,513 --> 00:09:43,081 It seems that what they're doing is taking the... 227 00:09:43,183 --> 00:09:44,816 the kids that are really good at science 228 00:09:44,918 --> 00:09:47,652 and really good at mathematics from the... 229 00:09:47,754 --> 00:09:50,488 from high school, putting them into good universities, 230 00:09:50,591 --> 00:09:52,657 and then after universities, training them. 231 00:09:52,759 --> 00:09:55,560 Some of that training apparently takes place in Pyongyang. 232 00:09:55,662 --> 00:09:58,163 A lot of it we see taking place overseas. 233 00:09:58,265 --> 00:10:01,099 We've heard that hacking and hackers 234 00:10:01,201 --> 00:10:03,401 are obviously a new focus. 235 00:10:03,503 --> 00:10:05,604 Why do you think that is? 236 00:10:05,706 --> 00:10:07,305 It's much cheaper. 237 00:10:07,407 --> 00:10:11,142 A room full of hackers is way cheaper than a jet aircraft, 238 00:10:11,244 --> 00:10:13,845 or keeping tanks in operation, or submarines, 239 00:10:13,947 --> 00:10:15,347 or things like that. 240 00:10:15,449 --> 00:10:18,984 So if they can start being a power on the internet, then 241 00:10:19,086 --> 00:10:22,654 it's a cheap way of projecting their power across the world. 242 00:10:22,756 --> 00:10:24,589 I wondered what Bureau 121, 243 00:10:24,691 --> 00:10:27,692 the hermit kingdom's military hacking unit, is really like. 244 00:10:27,794 --> 00:10:30,128 So with the help of an interpreter, I made contact with 245 00:10:30,230 --> 00:10:33,031 a defector who claims he was a North Korean army lieutenant. 246 00:10:34,401 --> 00:10:37,636 Jang Se Yul defected to South Korea almost a decade ago, 247 00:10:37,738 --> 00:10:40,105 but still keeps tabs on old friends. 248 00:10:40,207 --> 00:10:43,675 You were working with and you were training with hackers? 249 00:10:50,784 --> 00:10:52,951 Do you know anyone in Bureau 121, 250 00:10:53,053 --> 00:10:54,919 and are you in contact with them? 251 00:11:29,690 --> 00:11:31,856 What's the worst thing that North Korea could do 252 00:11:31,958 --> 00:11:33,558 to the US in the cyber realm? 253 00:12:09,463 --> 00:12:12,130 Mr. Jang said the Sony hack might be a sign 254 00:12:12,232 --> 00:12:14,532 North Korea is preparing for war. 255 00:12:14,634 --> 00:12:16,401 But as I dug into the case, I discovered that 256 00:12:16,503 --> 00:12:18,703 many highly regarded hackers and security experts 257 00:12:18,805 --> 00:12:21,206 doubt North Korea was behind the attack at all. 258 00:12:25,412 --> 00:12:28,079 BEN: Just weeks after Sony Pictures was hacked, 259 00:12:28,181 --> 00:12:31,216 the FBI released vague evidence pointing to North Korea. 260 00:12:31,318 --> 00:12:34,119 But hackers and computer experts almost immediately poked holes 261 00:12:34,221 --> 00:12:36,121 in the FBI's case. 262 00:12:36,223 --> 00:12:37,756 Do I think the North Koreans started it? 263 00:12:37,858 --> 00:12:39,390 No, I don't think so. 264 00:12:39,493 --> 00:12:42,160 One of the most vocal doubters is Marc Rogers, a malware expert 265 00:12:42,262 --> 00:12:44,929 and self-described former black hat hacker. 266 00:12:45,031 --> 00:12:47,665 First of all, the agenda changed substantially 267 00:12:47,768 --> 00:12:49,467 at several points throughout the hack. 268 00:12:49,569 --> 00:12:52,403 That kind of implies multiple different actors to me. 269 00:12:52,506 --> 00:12:54,139 They started out trying to extort money. 270 00:12:54,241 --> 00:12:55,840 I can't see any reason why North Korean hackers 271 00:12:55,942 --> 00:12:57,208 would try and do that. 272 00:12:57,310 --> 00:13:01,246 Then they had kind of a ramble about unemployment 273 00:13:01,348 --> 00:13:03,782 and job losses in Sony. 274 00:13:03,884 --> 00:13:06,751 I don't see how that benefits the North Korean regime. 275 00:13:06,853 --> 00:13:10,155 I think they were attacked by an opportunist, 276 00:13:10,257 --> 00:13:12,123 and then I think that evolved. 277 00:13:12,225 --> 00:13:15,960 You ended up with other groups piling in and exploiting it. 278 00:13:16,062 --> 00:13:20,165 And then as the media started to suggest maybe a potential link 279 00:13:20,267 --> 00:13:23,168 between this hack and The Interview, 280 00:13:23,270 --> 00:13:25,436 I think the hackers latched onto that. 281 00:13:25,539 --> 00:13:28,206 And they ran with it because it was both 282 00:13:28,308 --> 00:13:31,209 a convenient cover for them, and, well, you know, 283 00:13:31,311 --> 00:13:33,111 a lot of hackers like to do things for the amusement. 284 00:13:33,213 --> 00:13:34,445 "For the lulz," as they say. 285 00:13:34,548 --> 00:13:37,282 That's probably what brought North Korea in, 286 00:13:37,384 --> 00:13:39,684 and it was much later on I think that North Korea 287 00:13:39,753 --> 00:13:41,920 actually was involved, if they were at all. 288 00:13:43,256 --> 00:13:46,191 If Marc was right, his theory fit what the FBI had hinted. 289 00:13:46,293 --> 00:13:48,526 Sony might have been the victim of a hacking party. 290 00:13:48,628 --> 00:13:50,829 But who could've been involved? 291 00:13:50,931 --> 00:13:53,665 In 2011, the notorious hacktivist collective Anonymous 292 00:13:53,767 --> 00:13:56,067 attacked Sony websites. 293 00:13:56,169 --> 00:13:58,236 They said they were defending George Hotz, 294 00:13:58,338 --> 00:14:01,072 AKA geohot, the first guy to jailbreak an iPhone 295 00:14:01,174 --> 00:14:03,641 when he was just 17. 296 00:14:03,743 --> 00:14:06,244 This is the world's first unlocked iPhone. 297 00:14:06,346 --> 00:14:07,846 BEN: George. 298 00:14:07,948 --> 00:14:10,248 A few years later, he jailbroke a PlayStation 3. 299 00:14:10,350 --> 00:14:12,483 That didn't sit well with Sony. 300 00:14:12,586 --> 00:14:14,786 Yo, it's geohot! 301 00:14:14,888 --> 00:14:18,923 And for those that don't know, I'm getting sued by Sony! 302 00:14:20,327 --> 00:14:21,693 (Rapping) 303 00:14:21,795 --> 00:14:23,862 Hi, Sony! How are you doing? 304 00:14:23,964 --> 00:14:25,930 I haven't seen you in a while. 305 00:14:26,032 --> 00:14:29,000 Uh, you know, suing me was kinda... kinda dick, 306 00:14:29,102 --> 00:14:31,502 but it all worked out in the end, so yeah. 307 00:14:31,605 --> 00:14:33,605 That's what I think of Sony. 308 00:14:33,707 --> 00:14:37,375 The main reason that I got into the iPhone and PlayStation: 309 00:14:37,477 --> 00:14:39,110 it was a cool puzzle. 310 00:14:39,212 --> 00:14:41,946 These companies are spending millions of dollars 311 00:14:42,048 --> 00:14:45,216 to build really cool puzzles for me, and it's real! 312 00:14:45,318 --> 00:14:46,417 This isn't some puzzle 313 00:14:46,519 --> 00:14:48,519 constructed by somebody to solve. 314 00:14:48,622 --> 00:14:51,389 This is a puzzle constructed by somebody to not solve, 315 00:14:51,491 --> 00:14:53,258 and that's why it was so alluring. 316 00:14:53,360 --> 00:14:54,392 That's why it still is. 317 00:14:54,494 --> 00:14:55,760 VOICE: We are Anonymous. 318 00:14:55,862 --> 00:14:57,228 BEN: Sony's lawsuit against George made 319 00:14:57,330 --> 00:14:59,130 a lot of hackers angry, including Anonymous. 320 00:14:59,232 --> 00:15:00,899 VOICE: We do not forget. 321 00:15:01,001 --> 00:15:02,634 BEN: They launched a denial-of-service attack, 322 00:15:02,736 --> 00:15:05,270 sending so much traffic to Sony's websites they crashed. 323 00:15:05,372 --> 00:15:06,938 VOICE: You should have expected us. 324 00:15:07,040 --> 00:15:08,973 BEN: And then someone hacked into the PlayStation Network 325 00:15:09,075 --> 00:15:11,809 itself, gaining access to the credit card information 326 00:15:11,912 --> 00:15:14,379 of 77 million users. 327 00:15:14,481 --> 00:15:16,581 Sony was forced to apologize, 328 00:15:16,683 --> 00:15:19,417 but no one has ever been formally accused of the breach. 329 00:15:19,519 --> 00:15:20,885 It wasn't even about the breach, right? 330 00:15:20,987 --> 00:15:22,420 Companies get breached all the time. 331 00:15:22,522 --> 00:15:24,889 It was really about how Sony responded to it. 332 00:15:24,991 --> 00:15:28,259 Sony responded by taking the PlayStation Network offline, 333 00:15:28,361 --> 00:15:29,928 and it was down for a month. 334 00:15:30,030 --> 00:15:31,796 So now you have 77 million people 335 00:15:31,898 --> 00:15:33,298 who were trying to play Call of Duty, 336 00:15:33,400 --> 00:15:36,367 and being like, "What's going on here, man?" right? 337 00:15:36,436 --> 00:15:38,569 So do I think that the lawsuit 338 00:15:38,672 --> 00:15:40,471 and what happened with me made them a target? 339 00:15:40,573 --> 00:15:42,073 Probably not. 340 00:15:42,175 --> 00:15:45,243 Do I think that what happened in the fallout with Anonymous 341 00:15:45,345 --> 00:15:47,412 and them taking the network offline for... 342 00:15:47,514 --> 00:15:48,913 Maybe, you know. 343 00:15:49,015 --> 00:15:50,348 That's more plausible. 344 00:15:51,851 --> 00:15:53,418 The PlayStation saga isn't the only event 345 00:15:53,520 --> 00:15:55,019 that might've pissed hackers off. 346 00:15:56,222 --> 00:15:58,456 In 2005, security experts found suspicious software 347 00:15:58,558 --> 00:16:02,026 on CDs produced by Sony BMG, the company's music division. 348 00:16:04,130 --> 00:16:07,332 I went to see Dan Kaminsky, a legend among hackers. 349 00:16:07,434 --> 00:16:10,168 He's famous for finding and helping fix a major flaw 350 00:16:10,270 --> 00:16:12,036 in the internet's backbone. 351 00:16:12,138 --> 00:16:14,772 He also played a pivotal role in uncovering the BMG fiasco. 352 00:16:16,109 --> 00:16:18,609 So if you took that disk that was just supposed to be music, 353 00:16:18,712 --> 00:16:20,979 it would install a little program on your computer, 354 00:16:21,081 --> 00:16:22,947 and that program did two things. 355 00:16:23,049 --> 00:16:25,917 First, it made it so your computer could no longer 356 00:16:26,019 --> 00:16:31,356 copy music, and second it hid, 'cause it was pretty sure 357 00:16:31,458 --> 00:16:33,992 that this was not what the user wanted. 358 00:16:34,094 --> 00:16:36,160 And so once it was in, it sure didn't want the user 359 00:16:36,262 --> 00:16:37,862 to hit the uninstall button. 360 00:16:37,964 --> 00:16:39,731 And somebody figured out, 361 00:16:39,833 --> 00:16:41,733 "Hey, wait a second, what is this software on this, 362 00:16:41,835 --> 00:16:43,801 what's supposed to be an audio CD?" 363 00:16:43,903 --> 00:16:46,537 They looked at it, and like this is malware! 364 00:16:46,639 --> 00:16:51,642 What is Sony doing putting out custom malware on CDs? 365 00:16:51,745 --> 00:16:55,146 So what I did was a trick called DNS cache snooping. 366 00:16:55,248 --> 00:16:57,081 I do this scan, and like 367 00:16:57,183 --> 00:17:00,385 a half million networks had seen this thing. 368 00:17:00,487 --> 00:17:02,587 And so I took that information, 369 00:17:02,655 --> 00:17:05,189 got flown out to Sony BMG headquarters, and I'm like, 370 00:17:05,291 --> 00:17:08,026 "Hey guys, so here's what you did, 371 00:17:08,128 --> 00:17:10,061 and here's it all over the world." 372 00:17:10,163 --> 00:17:11,596 Is it that kind of behaviour though 373 00:17:11,698 --> 00:17:13,064 that has made them a target? 374 00:17:13,166 --> 00:17:16,067 It certainly didn't make them any friends. 375 00:17:16,169 --> 00:17:19,070 Given Sony's history as a major hacking target, 376 00:17:19,172 --> 00:17:21,305 did North Korea really attack Sony Pictures? 377 00:17:21,408 --> 00:17:23,541 Or was it just a freelance hacker? 378 00:17:26,946 --> 00:17:29,213 BEN: Some of the smartest hackers in America 379 00:17:29,315 --> 00:17:31,215 were telling me they didn't believe North Korea 380 00:17:31,317 --> 00:17:33,251 attacked Sony, and that a lot of people might've had 381 00:17:33,353 --> 00:17:35,086 the motive to do it. 382 00:17:35,188 --> 00:17:38,423 But Kurt Baumgartner thinks North Korea really is to blame. 383 00:17:38,525 --> 00:17:40,792 Kurt analyzes malicious code and comes up with defensive 384 00:17:40,894 --> 00:17:44,295 solutions for one of the world's biggest security companies. 385 00:17:44,397 --> 00:17:46,798 He showed me how the Sony hack bears a striking resemblance 386 00:17:46,900 --> 00:17:50,802 to DarkSeoul, a 2013 cyber attack on South Korean banks 387 00:17:50,904 --> 00:17:52,937 which was widely blamed on North Korea. 388 00:17:53,039 --> 00:17:57,575 So what we've got here are two different HTML pages 389 00:17:57,677 --> 00:18:01,279 that are basically threats from the attackers. 390 00:18:01,381 --> 00:18:06,250 So on one side, this is the 2013 DarkSeoul attack, 391 00:18:06,352 --> 00:18:08,619 and the audio from their video. 392 00:18:08,721 --> 00:18:13,658 (Evil laughing) 393 00:18:13,760 --> 00:18:16,961 And then over here, we have basically the Sony hack. 394 00:18:17,063 --> 00:18:20,565 (Gunshots) 395 00:18:21,935 --> 00:18:23,634 (Laughing) 396 00:18:23,736 --> 00:18:26,170 Right, really sophisticated. 397 00:18:26,272 --> 00:18:29,941 It does seem like the graphic arts team of a hermit nation. 398 00:18:30,043 --> 00:18:32,910 It's pretty low... pretty low tech. 399 00:18:33,012 --> 00:18:34,278 There were other similarities 400 00:18:34,380 --> 00:18:36,114 between DarkSeoul and the Sony hack. 401 00:18:36,216 --> 00:18:39,150 The word "security" is actually misspelled in the exact same way 402 00:18:39,252 --> 00:18:41,786 in the code used in both attacks. 403 00:18:41,888 --> 00:18:44,622 In this case, it was pretty clear to us 404 00:18:44,724 --> 00:18:49,260 that the same shared code base has been used in both events. 405 00:18:50,463 --> 00:18:52,964 And both the Sony and DarkSeoul attacks were wiper events; 406 00:18:53,066 --> 00:18:56,167 they wiped or destroyed data from their victim's systems. 407 00:18:56,269 --> 00:18:58,870 These types of attacks are extremely rare. 408 00:18:58,972 --> 00:19:00,605 They just don't happen. 409 00:19:00,707 --> 00:19:04,542 There might be five major wiper attacks in... 410 00:19:04,644 --> 00:19:06,010 that I know of. 411 00:19:06,112 --> 00:19:07,945 But the skeptics say the similarities Kurt showed me 412 00:19:08,047 --> 00:19:09,647 don't actually add up. 413 00:19:09,749 --> 00:19:11,983 When we talk about the similarities here, DarkSeoul, 414 00:19:12,085 --> 00:19:14,185 that was attributed to a group of South Korean hackers 415 00:19:14,287 --> 00:19:16,020 which they called the DarkSeoul Gang, 416 00:19:16,122 --> 00:19:18,122 and was never formally linked to North Korea. 417 00:19:18,224 --> 00:19:21,492 The reality is it boils down to just a few fragments of code 418 00:19:21,594 --> 00:19:22,894 in each of the pieces of malware. 419 00:19:22,996 --> 00:19:27,398 It's not nothing that the software is related. 420 00:19:27,500 --> 00:19:30,868 It's just not wildly compelling. 421 00:19:30,970 --> 00:19:32,303 It's not a smoking gun. 422 00:19:32,405 --> 00:19:34,906 It's not even a warm gun. 423 00:19:35,008 --> 00:19:36,741 It's not-- It's barely a gun. 424 00:19:36,843 --> 00:19:38,809 A tube-shaped object! 425 00:19:38,912 --> 00:19:42,146 Malware has a history of being shared. 426 00:19:42,248 --> 00:19:44,315 And once that code gets out there, 427 00:19:44,417 --> 00:19:47,018 you will end up with multiple variants 428 00:19:47,120 --> 00:19:48,819 that all have the same parentage. 429 00:19:48,922 --> 00:19:50,388 They all look very similar, 430 00:19:50,490 --> 00:19:52,557 but they're being run by different people. 431 00:19:52,659 --> 00:19:54,859 The malware's code did contain IP addresses, 432 00:19:54,961 --> 00:19:56,861 which indicate a computer's location. 433 00:19:56,963 --> 00:19:59,230 The FBI says they were linked to North Korea, 434 00:19:59,332 --> 00:20:01,065 but that's not conclusive either. 435 00:20:01,167 --> 00:20:03,434 Could you fake your IP being in North Korea? 436 00:20:03,536 --> 00:20:05,503 Break into a machine in North Korea. 437 00:20:05,605 --> 00:20:07,104 Break into a machine in Russia 438 00:20:07,207 --> 00:20:09,073 breaking into a machine in North Korea. 439 00:20:09,175 --> 00:20:10,374 Break into a machine in China 440 00:20:10,476 --> 00:20:11,943 breaking into Russia breaking into North Korea. 441 00:20:12,045 --> 00:20:15,046 These are all things you totally can do! 442 00:20:15,148 --> 00:20:18,583 Bouncing around the world happens in milliseconds. 443 00:20:18,685 --> 00:20:23,087 And so people ask, "Is it North Korea that did this?" 444 00:20:23,189 --> 00:20:25,690 This is a thing that four people could do. 445 00:20:25,792 --> 00:20:27,592 Four out of 7 billion. 446 00:20:27,694 --> 00:20:32,396 This isn't an attack that requires nation state intent. 447 00:20:32,498 --> 00:20:36,667 It's an attack that requires a couple of guys being bored. 448 00:20:39,072 --> 00:20:41,539 My sources were telling me that the attack on Sony Pictures 449 00:20:41,641 --> 00:20:43,107 wasn't even that sophisticated. 450 00:20:43,176 --> 00:20:45,643 So maybe the company should've had better security. 451 00:20:46,579 --> 00:20:48,246 Ultimately it doesn't matter whether the hackers came from 452 00:20:48,348 --> 00:20:49,914 North Korea or North Dakota. 453 00:20:50,016 --> 00:20:52,583 What matters is that Sony could see this attack coming, 454 00:20:52,685 --> 00:20:54,252 and it didn't do enough to prepare for it. 455 00:20:54,354 --> 00:20:57,121 Matthew Preusch is an attorney who represented Sony employees 456 00:20:57,223 --> 00:20:59,924 in a class action lawsuit against the studio. 457 00:21:00,026 --> 00:21:01,959 Sony just didn't do what a reasonable company should've 458 00:21:02,061 --> 00:21:05,096 done to protect the private information on its system. 459 00:21:05,198 --> 00:21:07,098 It should've been stored in a way that was encrypted, 460 00:21:07,200 --> 00:21:09,900 and that was segregated from other information 461 00:21:10,003 --> 00:21:13,537 so it was much, much harder for the hackers to find. 462 00:21:13,606 --> 00:21:16,440 Sony Pictures declined to comment on these allegations, 463 00:21:16,542 --> 00:21:19,110 and settled the lawsuit out of court. 464 00:21:19,212 --> 00:21:21,078 But it's undeniable that employees' private 465 00:21:21,180 --> 00:21:23,781 and exploitable data will live online forever. 466 00:21:23,883 --> 00:21:25,416 Have you ever received an apology from Sony? 467 00:21:25,518 --> 00:21:26,651 No. 468 00:21:26,753 --> 00:21:28,185 They kinda made you feel like it was your fault, 469 00:21:28,288 --> 00:21:30,988 that you weren't protecting yourself already to begin with. 470 00:21:31,090 --> 00:21:33,824 So I mean, I didn't do anything wrong but show up to do my job, 471 00:21:33,926 --> 00:21:36,127 thinking this corporation knew exactly what they were doing. 472 00:21:36,229 --> 00:21:38,996 And then finding out that they don't is really... 473 00:21:39,098 --> 00:21:40,464 it's really frustrating. 474 00:21:40,566 --> 00:21:44,935 I mean, it sucks that we're collateral damage, but... 475 00:21:45,038 --> 00:21:47,705 I mean, that's how war is, and so this is basically what it is. 476 00:21:47,807 --> 00:21:49,340 It's like a nerd war now. 477 00:21:51,477 --> 00:21:52,810 As the dust settled, 478 00:21:52,912 --> 00:21:54,945 the Sony hack claimed the job of an executive, 479 00:21:55,081 --> 00:21:57,848 and a stoner flick lost its Christmas release. 480 00:21:57,950 --> 00:22:01,118 But the real victims are Sony's employees. 481 00:22:01,220 --> 00:22:03,621 Whether it was North Koreans or bored hackers, 482 00:22:03,723 --> 00:22:06,691 all the competing theories about who did it prove one thing: 483 00:22:06,759 --> 00:22:09,026 definitively attributing a cyber attack 484 00:22:09,128 --> 00:22:10,995 can be almost impossible. 485 00:22:11,097 --> 00:22:13,497 And in a world where it's not only easy to hack a corporation 486 00:22:13,599 --> 00:22:17,101 but easy to hide, all of us are vulnerable. 46546