
Sony Pictures Entertainment — Guardians of Peace wiper

North Korean Lazarus operators wiped Sony Pictures' IT estate, leaked unreleased films and executive emails, and threatened cinema chains — the first nation-state attack on a media company.

Target: Sony Pictures Entertainment — Guardians of Peace wiper
Date public: 24 November 2014
Sector: Media
Attack type: Nation State
Threat actor: Lazarus Group (DPRK)
Severity: Critical
Region: United States

In late November 2014 Sony Pictures employees arrived at their desks to find every screen showing a red skull. Hackers linked to the North Korean government had spent months quietly inside Sony's network before triggering wiper software that destroyed the contents of roughly 3,000 computers and 800 servers — essentially wiping the company's corporate IT estate. They then released the stolen material publicly: five unreleased films, confidential executive salary spreadsheets, embarrassing internal emails, and the personal details of tens of thousands of past and present employees. The motive, according to the FBI, was retaliation for The Interview — a Seth Rogen comedy whose plot involved a CIA-backed attempt to assassinate Kim Jong Un. North Korea had demanded Sony cancel the film; Sony refused. After the attack Sony initially pulled the theatrical release, then reversed the decision under public pressure. The attack established a new benchmark: a state using destructive cyber tools against a private company to punish it for speech.

What happened

On the morning of 24 November 2014, Sony Pictures Entertainment employees across the company’s Culver City campus found their computers displaying a red skull image and a message signed by a group calling itself “Guardians of Peace”. A destructive wiper had been triggered across the network, overwriting the master file tables of approximately 3,000 personal computers and 800 servers. Drives were encrypted, file systems destroyed, and in many cases the physical boot sectors of machines were overwritten to prevent recovery. Sony’s corporate IT infrastructure — email, file shares, production systems, payroll, HR databases — was rendered inoperable across the board.

Over the following two weeks the attackers released stolen material in waves. Five unreleased Sony films appeared on torrent sites within days. Internal emails between senior executives contained unflattering assessments of Hollywood talent and revealing commentary on business decisions, which entertainment press amplified widely. Salary and bonus spreadsheets exposed compensation data for thousands of employees. Personally identifiable information — Social Security numbers, home addresses, medical records, and performance reviews — on approximately 47,000 current and former Sony employees was published publicly, causing lasting harm to individuals who had no connection to the political content at issue.

The FBI attributed the attack to North Korea on 19 December 2014, citing code similarities to prior Lazarus Group operations, shared infrastructure, and the use of Korean-language tools in the wiper malware. In 2018 the Department of Justice indicted Park Jin Hyok, an employee of a DPRK state-owned IT company called Chosun Expo, as a participant. The 2021 DOJ indictment of three additional DPRK operatives expanded the picture of the unit involved, known internally as Lab 110.

Sony announced it was cancelling the theatrical release of The Interview in December 2014. President Obama publicly criticised the decision. Under intense public pressure, Sony reversed course and released the film via streaming and selected theatres on 25 December 2014.

How it worked

The attackers had been inside Sony’s network for months before the destructive payload was deployed. Initial access came through spear-phishing emails targeting Sony employees; the harvested credentials gave them footholds in the corporate Windows environment. The intrusion dwell period is assessed to have been at minimum several weeks; investigators found evidence of the attackers using Sony’s internal network infrastructure to move laterally, escalate privileges, and collect data long before triggering the wiper.

The wiper malware, which researchers labelled “WhiskeyDelta” and “Destover”, was purpose-built for the operation. It included components that enumerated and destroyed files across mapped network shares, overwrote the master boot record to prevent system recovery, and attempted to delete itself after execution to complicate forensic analysis. The malware also contained a credential-harvesting module that extracted stored Windows credentials and used them to authenticate laterally across the domain — consistent with an attacker mapping the environment and ensuring the wiper would propagate to as many hosts as possible before triggering.

The exfiltration of data prior to the destructive phase is a hallmark of the broader Lazarus Group operational model. The group collected and staged approximately 100 terabytes of data before the wiper ran. This dual-use operation — steal for embarrassment and geopolitical leverage, then destroy to maximise disruption — combined espionage tradecraft with a destructive payload in a way US defenders had not previously encountered from a state actor targeting a private entity.

Malware technical indicators and infrastructure overlapped with prior Lazarus Group operations in South Korea, including the 2013 “DarkSeoul” wiper attacks against South Korean broadcasters and banks. The FBI advisory published alongside its attribution statement provided technical indicators that enabled the security community to connect the Sony tooling to the broader Lazarus canon.

Timeline

  • Months before November 2014 — Attackers conduct spear-phishing campaign against Sony employees; gain initial access to the corporate network and begin lateral movement.
  • Early–mid November 2014 — Data staged for exfiltration; approximately 100TB of corporate data copied out of Sony’s network.
  • 24 November 2014 — Wiper deployed across Sony’s IT estate. Employees arrive to find machines destroyed. “Guardians of Peace” message displayed on screens.
  • 26–28 November 2014 — First wave of leaked Sony films appears on torrent sites.
  • Early December 2014 — Internal emails, salary data, and employee PII published progressively. Press coverage intensifies.
  • 16 December 2014 — Sony announces cancellation of The Interview’s theatrical release, citing threats against cinemas.
  • 19 December 2014 — FBI publicly attributes attack to North Korea.
  • 25 December 2014 — The Interview released digitally and in limited theatres following presidential criticism of the cancellation.
  • June 2018 — DOJ unseals indictment of Park Jin Hyok (Lazarus Group) in connection with Sony attack, WannaCry, and Bangladesh Bank heist.

What defenders should learn

The Sony attack reframed the threat model for every organisation that could conceivably attract the attention of a state adversary. Prior to Sony, the common assumption was that state actors would steal data for intelligence purposes but would not destroy the commercial infrastructure of a private entity as a coercive act. Sony demonstrated that the line between intelligence collection and destructive retaliation is one that nation-state actors will cross when their political objectives call for it. Any organisation whose content, statements, or commercial decisions could draw state-level political attention should include destructive attack scenarios in its threat modelling.

The operational security failures that enabled the intrusion are instructive. The attackers dwelled in Sony’s environment for weeks before detonating the wiper — a period during which endpoint detection, anomalous lateral movement alerts, and data-exfiltration monitoring should have flagged unusual activity. The absence of visible detection over that dwell period points to inadequate monitoring coverage. Organisations should assume that a determined adversary will achieve initial access eventually; the defensive race is to detect and eject before the payload runs.

Network segmentation and access control were insufficient to contain the wiper once it ran. The malware propagated using harvested credentials across a domain environment with broad lateral reachability. Segmenting production systems, HR databases, and content storage from the general corporate network with enforced credential boundaries — and limiting domain-wide credential scope — would not have prevented the initial breach, but might have limited the blast radius significantly.
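The detection gap during the dwell period and the credential reuse across a flat domain described in the two paragraphs above, as an added example (not code from the original write-up): a small Python detector that flags one account authenticating to many distinct hosts within a short window, and network logons that cross segment boundaries. The account names, hosts, timestamps and segment map are constructed sample data.

```python
"""Fan-out and cross-segment logon detection over Windows 4624 records.
Added example, not from the original incident write-up. The logon records
and the segment map below are constructed sample data, not Sony telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, account, source host, destination host),
# as a SIEM might normalise Event ID 4624 / logon type 3 (network logon).
SAMPLE_LOGONS = [
    ("2014-11-10T02:01:00", "svc-backup", "ws-0412", "fs-corp-01"),
    ("2014-11-10T02:01:20", "svc-backup", "ws-0412", "fs-corp-02"),
    ("2014-11-10T02:01:45", "svc-backup", "ws-0412", "hr-db-01"),
    ("2014-11-10T02:02:10", "svc-backup", "ws-0412", "media-store-03"),
    ("2014-11-10T02:02:30", "svc-backup", "ws-0412", "payroll-01"),
    ("2014-11-10T02:03:00", "svc-backup", "ws-0412", "fs-corp-07"),
    ("2014-11-10T09:15:00", "jsmith", "ws-0101", "fs-corp-01"),
    ("2014-11-10T11:40:00", "jsmith", "ws-0101", "fs-corp-01"),
]

# Constructed segment map: the zone each host should live in.
SEGMENT_OF = {
    "fs-corp-01": "corp", "fs-corp-02": "corp", "fs-corp-07": "corp",
    "ws-0412": "corp", "ws-0101": "corp",
    "hr-db-01": "hr", "payroll-01": "hr", "media-store-03": "content",
}

def detect_fanout(logons, window=timedelta(minutes=10), max_hosts=4):
    """Accounts that authenticate to more than max_hosts distinct
    destinations inside any sliding window; returns {account: hosts}."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in logons:
        by_account[account].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
    return flagged

def cross_segment_logons(logons, segment_of):
    """Logons whose source and destination sit in different segments;
    with enforced credential boundaries these should be rare and reviewed."""
    return [(acct, src, dst) for _, acct, src, dst in logons
            if segment_of.get(src) != segment_of.get(dst)]
```

The window, host threshold and segment map are the tuning surface; service accounts with a legitimate reason to fan out need an explicit allowlist rather than a raised global threshold.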

Finally, the public disclosure of employee PII had nothing to do with the geopolitical motive that drove the attack. Tens of thousands of employees’ medical records and Social Security numbers were published because Sony held them, and the attacker chose to weaponise them. The harm to those individuals was a consequence of Sony’s data-retention practices, not of any political decision by the employees themselves. Data minimisation — retaining only what is operationally necessary and purging sensitive employee data on a defined schedule — directly reduces the collateral civilian damage in an attack of this kind.
