The cyber attack on Sony Pictures Entertainment in 2014 was a meticulously planned operation that began with careful preparation well in advance of the publicized attack date. The attackers accessed the Sony network by sending phishing emails to Sony employees and establishing phony websites to harvest credentials.

On November 24, Sony employees were greeted by an image on their computer monitors containing disturbing graphics, somewhat incoherent threats, and multiple suspicious URLs. This was the first visible sign of the attack for many employees, but a group identifying themselves as “God’sApstls” had sent an email to Sony executives the previous Friday, stating “We’ve got great damage by Sony Pictures… Pay the damage, or Sony Pictures will be bombarded as a whole.”

The attackers claimed to have taken a huge volume of data; ultimately, roughly 200 gigabytes was released. They compromised the network to a degree that allowed them to use Sony’s namespace on the public Internet. The attackers were able to maintain a presence on the Sony network to search for weak points and execute a series of attacks to compromise other systems and steal data.

Stealing data was not the only goal. While attackers bent on espionage try to remain undetected, these attackers clearly wanted to cause damage. Once Sony’s data had been exfiltrated, the attackers modified Sony’s computers and servers in a way that maximized disruption. The attack included corruption of the systems’ disk drives by removing the low-level information needed for booting up. This destruction served no espionage purpose, nor did it further the extortion demands; such an action appears primarily intended to inflict financial damage on Sony.

The attack was not just a digital one; it extended to physical vulnerabilities as well. A team from the threat intelligence firm Norse Corp. claimed that they were able to walk directly into the unlocked and unguarded information security office housing unlocked computers with access to private information on Sony’s international network.

The attack timeline was as follows:

  • September 2014: Sony’s network was first breached.
  • November 21, 2014: Sony executives received an email threat from “God’sApstls.”
  • November 24, 2014: Sony employees found their computer monitors displaying threatening messages and graphics.
  • Post-attack: Approximately 200 gigabytes of data was released, and Sony’s systems were extensively damaged.

The attack on Sony Pictures Entertainment was a sophisticated operation that involved both digital and physical vulnerabilities. It demonstrated the potential for significant damage that can be inflicted through well-planned and executed cyber attacks.


The infamous Sony Pictures hack in 2014, which led to the leak of confidential data from the film studio’s network, was attributed to North Korea by both the U.S. government and private cybersecurity experts. The FBI and President Obama publicly attributed the attack to North Korea, a claim that was initially met with skepticism by some in the cybersecurity community. However, the private sector, through recognized credible techniques, also attributed the event to North Korea, bolstering the government’s claim. The attribution was based on similarities and strong evidence linking the Sony attack to previous attacks associated with North Korea. Despite the initial doubts and criticisms, the consensus among experts eventually solidified around North Korean responsibility, demonstrating the complex and often contentious process of attributing cyber attacks.

CrowdStrike calls this group “Lazarus.” Lazarus, also known as Hidden Cobra, is known for its sophisticated cyber operations and its alleged ties to the North Korean government.


Based on the description of the attack, we can infer some potential TTPs:

  • Spearphishing (T1192): The attackers sent phishing emails to Sony employees to gain initial access to the network.
  • Drive-by Compromise (T1189): The attackers used fake websites to harvest credentials.
  • Data Destruction (T1485): The attackers corrupted Sony’s systems’ disk drives by removing the low-level information needed for booting up.
  • Exfiltration Over C2 Channel (T1041): The attackers exfiltrated a large amount of data from Sony’s network.
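
Added example, not part of the original article or of any tooling it cites: a triage check for the disk corruption described above (removal of the low-level boot information, listed here as Data Destruction). It assumes a classic MBR-partitioned disk, which the article does not specify; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR sector

def triage_mbr(sector0: bytes) -> dict:
    """Classify the first sector of a disk image (classic MBR layout assumed)."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    sector0 = sector0[:SECTOR_SIZE]
    findings = []
    if sector0[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(sector0[:446]):
        findings.append("bootstrap code area is all zeros")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte {status:#04x}")
        partitions.append({"index": i, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    if not partitions:
        findings.append("partition table is empty")
    if len(set(sector0)) == 1:  # whole sector filled with one value: report that alone
        findings = [f"sector overwritten with a single byte value {sector0[0]:#04x}"]
    return {"intact": not findings, "partitions": partitions, "findings": findings}

def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code plus one bootable NTFS-type entry."""
    boot_code = b"\xeb\x63\x90" + b"\x90" * 443  # 446 bytes of placeholder code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    print(triage_mbr(build_sample_mbr()))  # constructed healthy sector
    print(triage_mbr(bytes(512)))          # constructed zero-filled (wiped) sector
```

In practice the input would be the first 512 bytes read from a forensic image of the affected drive, not from the live disk.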

Further Reading: