Sony Pictures Hack
North Korea's coercive cyber response to a Hollywood comedy
Attributed to North Korea by the FBI on December 19, 2014, based on overlapping infrastructure and code with the 2013 DarkSeoul attacks. The 2016 Operation Blockbuster multi-vendor report (Novetta, Kaspersky, Symantec, Palo Alto Networks) reinforced attribution by tracing shared malware code across Sony, DarkSeoul, and other DPRK operations. On September 6, 2018, the DOJ unsealed a criminal complaint charging Park Jin Hyok, a North Korean national linked to the Lazarus Group, for his role in the Sony attack and other operations including WannaCry.
In response to Sony Pictures' film 'The Interview' — a comedy depicting the assassination of Kim Jong-un — North Korea's Lazarus Group penetrated Sony's network months in advance, exfiltrating what the attackers claimed was 100 TB of data before detonating the Destover wiper on November 24, 2014. Skull imagery appeared on Sony workstations bearing the 'Guardians of Peace' (#GOP) tag. Destover used the same EldoS RawDisk driver technique as the Shamoon wiper to overwrite MBRs and obliterate raw disk sectors, rendering thousands of Sony machines unbootable. Unreleased films, executive emails, employee Social Security numbers, and salary records were leaked publicly. The FBI attributed the attack to North Korea within four weeks; a 2018 DOJ criminal complaint named a specific North Korean operator.
- Phase 01 · Initial Access (TA0001)
Spear-phishing emails and credential harvesting gave Lazarus an initial foothold inside Sony's network
- Lazarus operators sent targeted spear-phishing emails to Sony Pictures employees with malicious attachments or links, a technique consistent with the group's playbook documented across DarkSeoul and subsequent campaigns.
- The intrusion is assessed to have begun months before the November 24 detonation date, allowing operators ample time to map the network, escalate privileges, and stage the exfiltration pipeline.
- The DPRK's motive was public as early as June 2014, when North Korea sent a letter to the UN Secretary-General denouncing 'The Interview' and demanding that the film be blocked, giving investigators a documented point after which an operation may have been authorized.
- Credential harvesting tools were used to collect Sony employee usernames and passwords, enabling lateral movement without exploiting additional unpatched vulnerabilities.
Sources
- US-CERT Alert TA14-353A — Destructive Malware · CISA / US-CERT · 2014-12-19
- Operation Blockbuster: Unraveling the Long Thread of the Sony Attack · Novetta (with Kaspersky, Symantec, Palo Alto Networks, and others) · 2016-02-24
- North Korean Regime-Backed Programmer Charged in Conspiracy to Conduct Multiple Cyber Attacks · U.S. Department of Justice · 2018-09-06
- Phase 02 · Execution (TA0002)
Backdoor implants established persistent command-and-control channels across Sony's corporate network
- US-CERT TA14-353A documented the use of custom backdoor malware — including components of the Destover malware family — that provided remote command execution and file transfer capabilities.
- The malware used HTTP and HTTPS for C2 communications, beaconing to attacker-controlled infrastructure to receive commands and exfiltrate data.
- Operators used the backdoor access to run reconnaissance commands, enumerate network shares, identify high-value targets, and install additional tools — all before the wiper payload was ever staged.
- Multiple malware components were identified across the operation: a listening implant, a backdoor, and the destructive wiper module — suggesting a modular, multi-stage toolkit consistent with a professional state-sponsored operation.
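The beaconing described in this phase is detectable from proxy or egress logs alone: an implant on a fixed sleep timer produces near-constant gaps between requests, where a person browsing produces bursts and long idle stretches. The check below is an added example written for this page, not code from the page or from any cited report; the log format, the hosts and the timings are constructed, and the thresholds (six events minimum, coefficient of variation at or below 0.1) are assumptions to tune per environment.

```python
"""Beacon-interval check over constructed web-proxy log lines.

Added example, not code from the page or any cited report. The log
format, hosts and timings are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO time> <src> <dst host> <method> <path> <bytes>".
# 10.1.4.22 polls one host every ~300 s; 10.1.4.23 browses irregularly.
PROXY_LOG = """
2014-11-03T09:00:00 10.1.4.22 203.0.113.10 POST /update 312
2014-11-03T09:05:01 10.1.4.22 203.0.113.10 POST /update 310
2014-11-03T09:09:59 10.1.4.22 203.0.113.10 POST /update 315
2014-11-03T09:15:00 10.1.4.22 203.0.113.10 POST /update 311
2014-11-03T09:20:02 10.1.4.22 203.0.113.10 POST /update 309
2014-11-03T09:24:58 10.1.4.22 203.0.113.10 POST /update 314
2014-11-03T09:30:00 10.1.4.22 203.0.113.10 POST /update 312
2014-11-03T09:00:12 10.1.4.23 www.example.com GET /index.html 4210
2014-11-03T09:00:13 10.1.4.23 www.example.com GET /style.css 980
2014-11-03T09:07:40 10.1.4.23 www.example.com GET /news 5120
2014-11-03T09:31:05 10.1.4.23 www.example.com GET /index.html 4210
2014-11-03T10:02:19 10.1.4.23 www.example.com GET /about 1800
2014-11-03T10:02:20 10.1.4.23 www.example.com GET /logo.png 22000
"""


def parse_proxy_log(text):
    """Parse the constructed log into (time, src, dst, method, path, bytes)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, method, path, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, method, path, int(nbytes)))
    return rows


def find_beacons(text, min_events=6, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are suspiciously regular.

    cv = population stdev / mean of the gaps. Human browsing is bursty
    (high cv); an implant on a fixed sleep is near-constant (low cv).
    Pairs with fewer than min_events requests are skipped because a
    handful of gaps says nothing reliable about regularity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in parse_proxy_log(text):
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all requests share a timestamp: not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, len(stamps), avg, cv))
    return hits


if __name__ == "__main__":
    for src, dst, n, avg, cv in find_beacons(PROXY_LOG):
        print(f"{src} -> {dst}: {n} requests, mean gap {avg:.0f}s, cv {cv:.3f}")
```

Real implants add jitter, so raise `max_cv` gradually and pair this with the size-uniformity of the requests (the constructed beacons are all about 310 bytes) before treating a hit as more than a lead.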
- Phase 03 · Persistence (TA0003)
Destover registered itself as a Windows service named after legitimate system drivers to survive reboots
- Destover components were installed as Windows services, using names that mimicked legitimate system or driver services to avoid detection by administrators reviewing the service list.
- The malware maintained persistence across reboots by registering the wiper and backdoor components in the Windows service control manager (SCM), ensuring they restarted automatically.
- Operators maintained dwell time of months inside Sony's network — the persistence mechanism was sufficiently stealthy that Sony's security team did not detect the intrusion before the wiper was detonated.
- The service-based persistence approach is consistent with the Lazarus Group's broader TTPs documented in Operation Blockbuster across multiple campaigns from 2009 to 2016.
- Phase 04 · Collection & Exfiltration (TA0009)
Operators staged and exfiltrated an estimated 100 TB — unreleased films, executive email, and employee PII
- Attackers exfiltrated an estimated 100 TB of data (the figure was publicly claimed; security researchers have noted the true volume may be lower, but the theft was unambiguously massive). Approximately 38 million individual files were involved.
- Exfiltrated data included five Sony feature films, among them 'Annie' (not yet released) and 'Fury' (then still in theaters), which were published to torrent sites within days of the November 24 detonation; 'The Interview' itself was not among the leaked films.
- Executive email correspondence, including sensitive internal communications between senior Sony executives, was published publicly and generated significant media and legal fallout.
- Employee Personally Identifiable Information (PII) — including Social Security numbers, salary data, medical records, and HR files — for approximately 47,000 current and former employees was exfiltrated and leaked.
- Exfiltration preceded the wiper detonation by days or weeks, indicating a deliberate sequencing: collect everything valuable, then destroy the environment to hinder forensic response.
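Exfiltration on this scale leaves an egress-volume signal in flow records long before any leak appears. The check below is an added example for this page, not code from the page or any cited report: it aggregates bytes sent by each internal host to external addresses per day, builds a per-host baseline from that host's earlier, unflagged days, and flags a day that exceeds either an absolute ceiling or a multiple of the baseline. The flow records, the internal address ranges and the thresholds (500 GB absolute, 20x the median) are constructed assumptions; a host with no baseline yet is judged on the absolute ceiling alone.

```python
"""Egress-volume anomaly check over constructed flow records.

Added example, not code from the page or any cited report. Records,
address ranges and thresholds are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal ranges; adjust to the environment under review.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed flow log: "date,src,dst,bytes_out". Not real Sony data.
# 10.1.4.23 sends 1.2 TB on 11-04 after three ~50 MB days; 10.1.4.99
# appears for the first time on 11-05 with 800 GB; the 900 GB line from
# 10.1.4.22 goes to an internal host and must not count as egress.
FLOWS = """
2014-11-01,10.1.4.22,203.0.113.10,48000000
2014-11-01,10.1.4.23,203.0.113.10,51000000
2014-11-02,10.1.4.22,198.51.100.7,45000000
2014-11-02,10.1.4.23,198.51.100.7,50000000
2014-11-03,10.1.4.22,203.0.113.10,52000000
2014-11-03,10.1.4.23,198.51.100.9,49000000
2014-11-03,10.1.4.22,10.1.9.5,900000000000
2014-11-04,10.1.4.22,203.0.113.10,47000000
2014-11-04,10.1.4.23,203.0.113.11,1200000000000
2014-11-05,10.1.4.99,203.0.113.11,800000000000
"""


def parse_flows(text):
    """Parse 'date,src,dst,bytes' lines into tuples."""
    rows = []
    for line in text.strip().splitlines():
        date, src, dst, nbytes = [f.strip() for f in line.split(",")]
        rows.append((date, src, dst, int(nbytes)))
    return rows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def daily_egress(rows):
    """Bytes per (internal host, day) sent to external destinations only."""
    totals = defaultdict(int)
    for date, src, dst, nbytes in rows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, date)] += nbytes
    return dict(totals)


def find_exfil_candidates(text, abs_threshold=500 * 10**9, ratio=20.0):
    """Return (host, day, bytes, reasons) for days that look like bulk exfil.

    Days are processed in order so the baseline only contains earlier
    days; flagged days are kept out of the baseline so a transfer that
    runs for a week keeps being flagged rather than becoming "normal".
    """
    totals = daily_egress(parse_flows(text))
    history = defaultdict(list)  # host -> egress on earlier, unflagged days
    hits = []
    for host, date in sorted(totals, key=lambda k: (k[1], k[0])):
        nbytes = totals[(host, date)]
        reasons = []
        if nbytes >= abs_threshold:
            reasons.append("absolute")
        prior = history[host]
        if prior and nbytes >= ratio * median(prior):
            reasons.append("ratio")
        if reasons:
            hits.append((host, date, nbytes, reasons))
        else:
            history[host].append(nbytes)
    return hits


if __name__ == "__main__":
    for host, date, nbytes, reasons in find_exfil_candidates(FLOWS):
        print(f"{date} {host}: {nbytes / 1e9:.0f} GB ({', '.join(reasons)})")
```

Staging servers that legitimately push large volumes (backup, CDN origin) need an allow-list or a higher per-host ceiling; the point of the per-host baseline is that a workstation moving terabytes stands out even when the absolute ceiling is set high for servers.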
Sources
- US-CERT Alert TA14-353A — Destructive Malware · CISA / US-CERT · 2014-12-19
- North Korean Regime-Backed Programmer Charged in Conspiracy to Conduct Multiple Cyber Attacks · U.S. Department of Justice · 2018-09-06
- DarkSeoul and Sony Pictures: Who Is Behind the Attacks on South Korea and the U.S.? · Kaspersky · 2014-12-02
- Phase 05 · Defense Evasion (TA0005)
Destover used a legitimate kernel-mode driver (EldoS RawDisk) to bypass OS-level write protections
- Destover leveraged the EldoS RawDisk commercial driver — a legitimate product for low-level disk access — to write directly to raw disk sectors, bypassing Windows file-system protections that would normally prevent user-mode processes from overwriting the MBR or locked files.
- Abusing a signed, legitimate third-party driver for destructive writes is a bring-your-own-driver pattern: the disk writes are issued by trusted kernel code rather than by the malware's own user-mode process, so file-system protections and many endpoint controls never see an anomalous API call, which makes detection and interception harder.
- The same EldoS RawDisk technique was used in the Shamoon wiper (attributed to Iran, 2012 Saudi Aramco attack), suggesting cross-pollination of destructive TTP development among state actors or shared knowledge of effective low-level wiping methods.
- Service names were chosen to blend with legitimate Windows system services, and the malware checked for the presence of security tools before detonating to reduce the chance of early detection.
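Both the service-based persistence in Phase 03 and the third-party kernel driver in this phase pass through the same choke point on Windows: a new service record, logged in the System event log as Event ID 7045 (user-mode services and kernel-mode driver services alike). The triage below is an added example written for this page, not code from the page or any cited report. The pipe-delimited event export, the allow-list of known service names and paths, and the sample events (including the service names and file paths in them) are constructed; none of them are Destover's actual names. It flags kernel drivers installed from outside the drivers directory, user-mode services whose binary lives in a user-writable directory, known service names pointing at an unexpected binary, and names within a small edit distance of a known service.

```python
"""Triage of Windows 'service installed' (System log, Event ID 7045) records.

Added example, not code from the page or any cited report. The event
export format, the allow-list and the sample events are constructed.
"""

# Assumed allow-list: service name -> expected, normalized image path.
KNOWN_SERVICES = {
    "schedule": "c:\\windows\\system32\\svchost.exe",
    "mouclass": "c:\\windows\\system32\\drivers\\mouclass.sys",
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed 7045 events, one per line, pipe-delimited. Not real telemetry;
# the names and paths are invented for the example.
EVENTS = r"""
7045|Name=Schedule|Path=%SystemRoot%\system32\svchost.exe -k netsvcs|Type=user mode service|Start=auto start
7045|Name=Schedule|Path=C:\Windows\Temp\svchost.exe|Type=user mode service|Start=auto start
7045|Name=Schedul|Path="C:\ProgramData\msupd\upd.exe" -svc|Type=user mode service|Start=auto start
7045|Name=usbdrv|Path=\??\C:\Windows\Temp\drv.sys|Type=kernel mode driver|Start=demand start
7045|Name=mouclass|Path=\SystemRoot\System32\drivers\mouclass.sys|Type=kernel mode driver|Start=demand start
"""


def parse_events(text):
    """Parse the constructed export into dicts; ignore non-7045 lines."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        if fields[0] != "7045":
            continue
        events.append(dict(f.split("=", 1) for f in fields[1:]))
    return events


def image_path(raw):
    """Extract the binary from an ImagePath value and normalize it.

    Handles quoted paths with arguments, unquoted paths with arguments,
    the \\??\\ NT prefix, and %SystemRoot% / \\SystemRoot\\ spellings.
    """
    raw = raw.strip()
    if raw.startswith('"'):
        exe = raw[1:raw.index('"', 1)]
    else:
        exe = raw.split(" ", 1)[0]
    exe = exe.lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if exe.startswith(prefix):
            exe = exe[len(prefix):]
    exe = exe.replace("%systemroot%", "c:\\windows")
    if exe.startswith("\\systemroot\\"):
        exe = "c:\\windows\\" + exe[len("\\systemroot\\"):]
    elif exe.startswith("system32\\"):
        exe = "c:\\windows\\" + exe
    return exe


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike service names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(text):
    """Return (service name, normalized path, reasons) for suspicious installs."""
    findings = []
    for ev in parse_events(text):
        name = ev["Name"].lower()
        path = image_path(ev["Path"])
        kernel = "kernel" in ev["Type"].lower()
        reasons = []
        if kernel and not path.startswith(DRIVER_DIR):
            reasons.append("kernel driver installed from outside System32\\drivers")
        if not kernel and path.startswith(USER_WRITABLE):
            reasons.append("user-mode service binary in user-writable directory")
        if name in KNOWN_SERVICES:
            if KNOWN_SERVICES[name] != path:
                reasons.append("known service name with unexpected image path")
        else:
            near = [k for k in KNOWN_SERVICES if edit_distance(name, k) <= 2]
            if near:
                reasons.append("lookalike of known service " + ", ".join(near))
        if reasons:
            findings.append((ev["Name"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(EVENTS):
        print(f"{name} ({path}): " + "; ".join(reasons))
```

The driver check is the one that matters for RawDisk-style abuse: a signed, legitimate driver passes any signature-based control, so the signal is where it was written to disk and which process registered the service, not what it is.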
- Phase 06 · Impact — Wiper (TA0040)
Destover detonated on November 24: MBR overwritten, raw disk sectors zeroed, thousands of Sony workstations rendered unbootable
- On November 24, 2014, Destover executed across Sony Pictures' corporate network, overwriting Master Boot Records and wiping raw disk sectors on thousands of Windows workstations and servers using the EldoS RawDisk driver.
- Victims' screens were replaced with an image of a red skull bearing the message 'Hacked by #GOP' (Guardians of Peace), the persona adopted by the Lazarus operators for this campaign.
- The wiper overwrote the first few megabytes of each disk drive sequentially, destroying partition tables and file system metadata beyond recovery without full disk reimaging.
- Sony's internal network was described by responders as effectively destroyed: the company reverted to fax machines and whiteboards for internal communication in the days following the attack.
- The wiper targeted files across multiple extensions and overwrote them before erasing disk structures, ensuring that even file-level recovery tools could not retrieve content.
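When a wiper like this has fired, the first forensic question per disk is whether the boot sector and partition table survived at all, since that decides between repair and reimaging. The triage below is an added example written for this page, not code from the page or any cited report, and not a wiper: it parses a 512-byte MBR (partition type, bootable flag, LBA start and length, 0x55AA signature), classifies leading sectors as zeroed, single-byte pattern or data, and returns a verdict for the head of a disk image. The images it runs on are constructed in the block (a valid MBR plus filler, an all-zero image, and an image with only sector zero destroyed); real acquisitions would be read from a raw image file with the same functions.

```python
"""MBR parsing and wiped-sector triage over constructed disk images.

Added example, not code from the page or any cited report. The images
are built in this file; nothing here writes to a disk.
"""
import struct
from collections import Counter

SECTOR = 512
MBR_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors


def build_mbr(partitions):
    """Build a 512-byte MBR (boot code zeroed) for constructed test images."""
    sector = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(partitions[:4]):
        status = 0x80 if i == 0 else 0x00
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    sector[510:512] = MBR_SIG
    return bytes(sector)


def parse_mbr(sector):
    """Parse the partition table and signature of one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:   # type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == MBR_SIG, "partitions": parts}


def classify_sector(sector):
    """'zeroed', 'pattern' (at most two distinct byte values), or 'data'."""
    counts = Counter(sector)
    if counts[0] == len(sector):
        return "zeroed"
    if len(counts) <= 2:
        return "pattern"
    return "data"


def triage_disk_head(image, n_sectors=64):
    """Judge the first n_sectors of an image: 'intact', 'wiped' or 'damaged'.

    intact : valid MBR with at least one partition and under half the head wiped
    wiped  : every inspected sector is zeroed or a fill pattern
    damaged: anything in between (e.g. MBR destroyed but data still present)
    """
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    head = image[:n_sectors * SECTOR]
    sectors = [head[i:i + SECTOR] for i in range(0, len(head), SECTOR)]
    kinds = Counter(classify_sector(s) for s in sectors)
    wiped = kinds["zeroed"] + kinds["pattern"]
    mbr = parse_mbr(sectors[0])
    if mbr["signature_ok"] and mbr["partitions"] and wiped < len(sectors) / 2:
        verdict = "intact"
    elif wiped == len(sectors):
        verdict = "wiped"
    else:
        verdict = "damaged"
    return {"verdict": verdict, "mbr": mbr, "sector_kinds": dict(kinds)}


def make_intact_image(n_data_sectors=7):
    """Constructed 8-sector image: one NTFS-typed partition plus filler data."""
    mbr = build_mbr([(0x07, 2048, 204800)])
    filler = bytes(range(256)) * 2        # 512 bytes with many distinct values
    return mbr + filler * n_data_sectors


if __name__ == "__main__":
    good = make_intact_image()
    for label, img in (("intact", good), ("zeroed", bytes(8 * SECTOR)),
                       ("mbr-only-destroyed", bytes(SECTOR) + good[SECTOR:])):
        print(label, "->", triage_disk_head(img)["verdict"])
```

A "damaged" verdict is the interesting one in practice: when only the first megabytes were overwritten, the NTFS volume's own boot sector and MFT may still be recoverable by searching for their signatures at the partition's former LBA offset, whereas "wiped" across the whole head means reimaging.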
- Phase 07 · Impact — Extortion & Leak (TA0040)
The 'GOP' persona threatened further leaks and demanded Sony cancel 'The Interview' — coercive information operations at scale
- The 'Guardians of Peace' persona issued public statements threatening further data releases and demanding Sony cancel the theatrical release of 'The Interview', explicitly linking the attack to the film.
- Stolen data was drip-leaked over several weeks via file-sharing sites, keeping Sony in crisis mode and maximizing reputational and business damage beyond the initial wiper detonation.
- Under pressure from the threats and from major theater chains canceling screenings, Sony Pictures initially announced it would not release 'The Interview' in theaters, a decision it reversed after public criticism that included remarks from President Obama.
- The operation demonstrated a novel model of coercive cyber statecraft: combining destruction (wiper), espionage (mass exfiltration), and information operations (public leaks and threats) in a single, coordinated campaign to coerce a private company into a specific business decision.
- Sony Pictures ultimately released 'The Interview' on Christmas Day 2014 via streaming and in select theaters.
Sources
- FBI Statement on the Investigation into the Cyber Attack on Sony Pictures Entertainment · Federal Bureau of Investigation · 2014-12-19
- North Korean Regime-Backed Programmer Charged in Conspiracy to Conduct Multiple Cyber Attacks · U.S. Department of Justice · 2018-09-06
- DarkSeoul and Sony Pictures: Who Is Behind the Attacks on South Korea and the U.S.? · Kaspersky · 2014-12-02
- Phase 08 · Attribution
FBI attributed within three weeks; Operation Blockbuster confirmed in 2016; DOJ named a specific operator in 2018
- On December 19, 2014 — 25 days after the wiper detonation — the FBI publicly attributed the Sony attack to North Korea, citing code overlaps with malware previously developed by DPRK actors, reuse of infrastructure (including IP addresses) tied to North Korea, and similarities to the March 2013 DarkSeoul attacks against South Korean banks and broadcasters.
- FBI Director James Comey elaborated on that evidence at a cybersecurity conference in January 2015, noting that the operators had several times failed to route through their proxies when sending threatening emails and posting statements, exposing IP addresses used exclusively by North Korea.
- The 2016 Operation Blockbuster report, produced by Novetta in collaboration with Kaspersky, Symantec, Palo Alto Networks, and other vendors, performed a deep code-similarity analysis across malware from Sony, DarkSeoul, and other campaigns, confirming a shared codebase and development pipeline attributable to a single North Korean threat actor cluster.
- On September 6, 2018, the U.S. Department of Justice unsealed a criminal complaint against Park Jin Hyok, a North Korean national and member of the Lazarus Group, charging him with conspiracy in connection with the Sony attack, the 2016 Bangladesh Bank heist, and WannaCry — the first U.S. criminal charges against a named DPRK cyber operator.
Sources
- FBI Statement on the Investigation into the Cyber Attack on Sony Pictures Entertainment · Federal Bureau of Investigation · 2014-12-19
- North Korean Regime-Backed Programmer Charged in Conspiracy to Conduct Multiple Cyber Attacks · U.S. Department of Justice · 2018-09-06
- Operation Blockbuster: Unraveling the Long Thread of the Sony Attack · Novetta (with Kaspersky, Symantec, Palo Alto Networks, and others) · 2016-02-24
- G0032 — Lazarus Group · MITRE ATT&CK
- DarkSeoul and Sony Pictures: Who Is Behind the Attacks on South Korea and the U.S.? · Kaspersky · 2014-12-02
Attribution framework: Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz, 2013), whose four vertices are adversary, capability, infrastructure, and victim.
Actor
- Lazarus Group (DPRK) · 'Guardians of Peace' persona
Techniques (MITRE ATT&CK)
- T1566.001 · Phishing: Spearphishing Attachment
- T1566.002 · Phishing: Spearphishing Link
- T1078 · Valid Accounts
- T1059.003 · Command and Scripting Interpreter: Windows Command Shell
- T1071.001 · Application Layer Protocol: Web Protocols
- +1 more
Sources
- US-CERT Alert TA14-353A — Destructive Malware · CISA / US-CERT · 2014-12-19
- FBI Statement on the Investigation into the Cyber Attack on Sony Pictures Entertainment · Federal Bureau of Investigation · 2014-12-19
- North Korean Regime-Backed Programmer Charged in Conspiracy to Conduct Multiple Cyber Attacks · U.S. Department of Justice · 2018-09-06
- G0032 — Lazarus Group · MITRE ATT&CK
- S0084 — Destover · MITRE ATT&CK
- Operation Blockbuster: Unraveling the Long Thread of the Sony Attack · Novetta (with Kaspersky, Symantec, Palo Alto Networks, and others) · 2016-02-24
- DarkSeoul and Sony Pictures: Who Is Behind the Attacks on South Korea and the U.S.? · Kaspersky · 2014-12-02