An image from the now-defunct Guardians of Peace hacking group's Facebook page.
The extraordinarily wide-reaching data breach of Sony Pictures Entertainment has been dominating tech news headlines ever since the hack was announced last week. And while there has been plenty of speculation about who is behind it—many believe it was North Korea, though a North Korean diplomat has issued a denial—no firm proof to determine the hackers' nationalities has surfaced.
Yesterday afternoon, however, a representative from the hacking group once-known as the Guardians of Peace (GOP) told VICE in an email that they are part of a North Korean cyberwarfare unit. They also asked us to "please go and fuck yourself, your editing team and your country." But more on that later.
For those of you who haven't been following the story, last week computers across the offices of Sony Pictures Entertainment were plastered with an image showing a CGI skeleton taunting all who looked upon it. Overlaid on the image were links to zip files, which included a teaser of what was to come. The zips contained a massive amount of filenames in text format, about 40 million in total, all of which GOP claims to have in its grasp.
After that initial blast of filenames, the real leaks began. At the beginning of this week, full length Sony films were posted online after being stolen in the breach. Two of those movies were leaked well ahead of schedule, even by piracy's standards. One, Fury, is still in theaters. The other, Annie, has not even been released yet.
On top of those motion picture leaks is an incredibly large amount of data (the first blast was 25GBs, compressed) that contains contracts, accounting info, and other internal and confidential files. It seems as if GOP is interested in leaking the totality of Sony Pictures' data, without censoring personal information.
The motive for all of this has widely been suspected to be retaliation for an upcoming Seth Rogen and James Franco comedy, The Interview, where the two stoner-comics are tasked with assassinating the leader of North Korea.
In an article I wrote for our sister tech site Motherboard, I examined the style of malware that's been used to hoover up Sony Pictures' data. This malware being used against Sony Pictures seems to have been inspired by American cyber weaponry—specifically, the malware may have been reverse engineered from super-viruses that were specifically designed to target Iranian computers. For this reason, it's not completely out of the question that Iranian hackers could be involved as well. Stuxnet, the infamous American-Israeli malware that targeted Iranian nuclear computers, has infuriated the Iranians. And "bone-chilling" new information suggests a major cyber-retaliation against America is already underway.
We also know that North Korea's technological resources are slim, and while they do have a cyberwarfare division, it's reliant on outsourced facilities and training. As a much-cited report on North Korea's cyberwar capabilities in re/code states: "In 2004, a North Korean defector revealed that the unit operates primarily out of a North Korea-owned luxury hotel in Shenyang, China..." and that their hackers "get some of their training in China and in Russia."
Plus, North Korea and Iran have been suspected of cooperating on cyber attacks in the past; most notably against Saudi Aramco, a Saudi oil company that suffered a similar attack to Sony Pictures'. Saudi Aramco does major business with the United States, so it was not surprising that when the computers in their internal network were wiped, their screens began displaying an image of a burning American flag.
This attack was described by the New York Times as Iran " firing back" at America for the US's attacks on Iran's cyber-infrastructure. And when I was reporting on this cyberwar chain reaction for Motherboard, and its possible relation to the Sony Pictures attack, I reached out to several email addresses posted by the GOP hackers who allegedly infiltrated the company's systems.
Yesterday, I received four responses from two different individuals.
The first said, simply, "fuck off." I did not immediately respond.
The second email, from the same address, was more detailed. The hacker, at this point, began claiming to be a part of the "North Korean Hacking Team" rather than the "Guardians of Peace."
Please go and fuck yourself and your government.
North Korean Hacking Team
'모든 영광스러운 김정은 우박'
3 December Juche 103"
For those of you who aren't familiar, it's the year 103 in North Korea right now, not 2014. That's based on the birth of Kim Il-Sung in 1912, which is a timekeeping system known as the "Juche" calendar. The Korean text in the email signature, when run through Google Translate, translates to: "All hail the glorious Kim Jong Un."
Then there was a third email, sent immediately after. It read:
Please go and fuck yourself, your editing team and your country. You seriously think we send citizens to Russian logging camps? Fuck no.
North Korean Hacking Team
'모든 영광스러운 김정은 우박'
3 December Juche 103"
The hacker, here, is referring to a VICE documentary in which we investigated North Korea's secret Russian labor camp. Apparently this hacker doesn't like the film. I made an attempt to schedule a proper interview with this individual so they could share more of their perspective on the record, but did not receive an immediate response.
The fourth email I received from GOP, or the North Korean Hacking Team, or "God's Apostles" as they refer to themselves in one instance seen on Pastebin, was a link to even more leaked information. It came from someone who identified themselves as "the boss of GOP," who promised: "...more interesting data will be presented for you."
At this point, it's impossible to say who's in GOP, whether or not they are all North Korean, if they're a mixture of North Koreans and some mercenary hackers, or if it's simply a stunt by an unknown party to make it look like North Korea is involved. Given the suspected cooperation between North Korea, Iran, China, and Russia when it comes to cyberwarfare matters, the nationalities of these hackers is a question that may never have a strong answer.
But as it stands, a hacker whose email address is associated with the GOP—the group claiming responsibility for stealing up to 11 TBs of Sony Pictures' data—is claiming allegiance to the North Korean state.
Update 12/04: A Korean speaker has informed us that while the phrase contained in the hacker's email signature roughly translates to "All hail the glorious Kim Jong Un," the sentence structure is incorrect, which could indicate the author of the email is not a native North Korean.
Update 12/05: The account used by the supposed North Korean hacker is disposable, meaning it can be logged into by anyone.