The nightmare started with skeletons. On Nov. 24, employees of Sony Pictures Entertainment arrived at work in Culver City, Calif., to find glowing red skulls grinning back from their computer screens. The hackers called themselves the Guardians of Peace, and they promised to spill the studio’s darkest secrets. “This,” they warned, “is just a beginning.”
They had burrowed deep into the studio’s computer networks, pilfering terabytes of sensitive data over what may have been a period of months. Now the torture began. The attackers wiped employees’ hard drives, forcing them to conduct business on whiteboards and paper. They posted salary data and personal records for thousands of employees and leaked executives’ damaging email exchanges. Unreleased movies were uploaded to file-sharing hubs.
For weeks, forensic analysts pored over code and traced IP addresses through countries like Thailand and Italy. U.S. law enforcement concluded that the culprit was North Korea, which was livid over the upcoming release of a Sony movie, The Interview, about the assassination of the Hermit Kingdom’s leader, Kim Jong Un. On Dec. 16, the hackers invoked the Sept. 11 terrorist attacks to warn moviegoers away from theaters showing the film. The next day, as cinemas scrapped screenings, Sony shelved plans to release the movie. The studio “made a mistake,” President Barack Obama said.
North Korean hackers allegedly hitting a U.S. movie studio in retaliation for a Seth Rogen comedy may sound like the zaniest Hollywood script. But the reality of state-sponsored hacks on American corporations can no longer be ignored. “There’s no industry that’s immune to these attacks right now,” says Dmitri Alperovitch of the cybersecurity firm CrowdStrike, which has been tracking a group of North Korean hackers it calls Silent Chollima.
FireEye, the security firm hired to probe the Sony hack, studied the defenses of more than 1,200 banks, government agencies and manufacturers over a six-month period ending in 2014 and concluded that 97% had their last-line defenses breached at some point by hackers. A top FBI official told a Senate panel in December that the Sony hack would have evaded the security of 90% of corporations. “The balance of power,” says former cybercrime prosecutor Mark Rasch, “has shifted from the companies to the hackers.”
Cyberattacks take an immense toll on the global economy, costing up to $575 billion per year. The pace of high-profile hacks has accelerated in recent months as banks, technology firms and retailers such as Target and Home Depot endured strikes that exposed the credit-card details of tens of millions of customers.
Some of these attacks are acts of espionage. The Department of Justice indicted five Chinese military hackers this year for allegedly penetrating the systems of U.S. Steel and Alcoa. Russian-allied hackers have been floated as suspects in a 2014 attack on JPMorgan, the nation’s largest bank, that left some 76 million households vulnerable. Warnings about Iranians targeting U.S. defense contractors and energy firms have increased in recent months.
The North Korean government denies involvement in the Sony scheme. But the hack bears hallmarks of earlier efforts attributed to Pyongyang, including one carried out against South Korean banks in 2013. The code that crippled Sony was compiled on Korean-language computers, and related malware communicated with servers identical to those used in at least one earlier attack.
Some analysts say Sony may have been easy prey. It didn’t encrypt or segregate sensitive information, and it stored passwords in a folder labeled “Passwords.” Former employees have filed class-action lawsuits against the company, alleging negligent security. The scale of the damage is unprecedented. “It’s a milestone event in American corporate network security,” says Kurt Baumgartner of Kaspersky Lab, an Internet-security vendor.
The havoc wrought by the hackers, say security experts, should serve as a wake-up call to U.S. businesses. But hackers are likely to have the upper hand for years to come. “It’s like an army coming toward your house and you’ve got an alarm and a few weapons,” says Avivah Litan, a research analyst at Gartner. “You can’t possibly protect the system.”
This appears in the December 29, 2014 issue of TIME.