The Interview That Burned a Studio: Sony Pictures
Sony Pictures: The Guardians of Peace
On the morning of November 24, 2014, employees arriving at Sony Pictures Entertainment’s Culver City headquarters switched on their computers and were greeted by an image they would not soon forget: a red skeleton, blazing across their screens above the words “HACKED BY #GOP” — the Guardians of Peace.
Alongside the skeleton was a countdown timer, ticking toward zero, and a threat to release everything Sony had tried to keep secret.
They weren’t bluffing.
Threat Actor Profile: Lazarus Group (Bureau 121)
Designation: Lazarus Group (Mandiant); Hidden Cobra (US Government); Zinc (Microsoft)
Attribution: Democratic People’s Republic of Korea (North Korea); Reconnaissance General Bureau, Bureau 121
Origin: Pyongyang, North Korea; operating since at least 2009
Primary Mission: Both destructive/geopolitical and financially motivated operations, a uniquely versatile combination among state actors; North Korea uses cybercrime to fund its sanctioned state programs
Known Tradecraft: Wiper malware, destructive operations, long dwell-time espionage, cryptocurrency theft, SWIFT system exploitation, supply chain attacks
Notorious Operations:
- Sony Pictures (2014): Nation-state destructive attack against a private American company; Destover wiper; mass data exfiltration and publication. Estimated $35M+ in damages.
- WannaCry (2017): Global ransomware outbreak using the EternalBlue exploit (originally developed by the NSA’s Equation Group, leaked by Shadow Brokers). Infected 300,000+ machines in 150 countries in 72 hours; crippled the UK’s National Health Service, Telefónica, Deutsche Bahn, and dozens of other critical organizations. Caused an estimated $4–8 billion in global damages.
- Bangladesh Bank SWIFT Heist (2016): The most audacious bank robbery in history. Lazarus operators compromised the Bangladesh Central Bank’s connection to the SWIFT financial messaging network and attempted to transfer $951 million from the bank’s Federal Reserve account. Five transactions totaling $81 million succeeded before a spelling error in a sixth transaction (“fandation” instead of “foundation”) triggered a freeze. The funds were laundered through casinos in the Philippines.
- Cryptocurrency Exchange Attacks (2017–present): Lazarus Group is held responsible for the theft of over $3 billion in cryptocurrency assets through exchange compromises, DeFi protocol exploits, and social engineering of developers, providing direct hard-currency funding for North Korea’s weapons programs.
- 3CX Supply Chain Attack (2023): A sophisticated supply chain compromise targeting a VoIP software provider, echoing the SolarWinds playbook.
A Nation-State Goes to the Movies
The catalyst, investigators would later determine, was a film. The Interview — a satirical comedy starring Seth Rogen and James Franco — depicted the CIA recruiting two journalists to assassinate North Korean Supreme Leader Kim Jong Un. The film’s production had reportedly drawn direct warnings from the North Korean government through diplomatic channels.
When those warnings went unheeded, Pyongyang allegedly authorized the most destructive cyber attack ever to strike a private American company.
The group executing the attack was called the Guardians of Peace. Security researchers quickly recognized the fingerprints beneath the paint: Lazarus Group, a prolific and sophisticated threat actor operating under the direction of North Korea’s Reconnaissance General Bureau, specifically its cyber warfare unit designated Bureau 121.
The attack was not impulsive. The Lazarus operators spent months inside Sony’s network before detonating their payload. They mapped the infrastructure, catalogued the valuable data, established persistence across hundreds of systems, and only then — when they were ready — unleashed their wiper.
Destover: The Digital Arsonist
The weapon was a piece of malware called Destover — a custom-built disk wiper crafted for mass destruction. Where most malware seeks to hide and persist, Destover’s purpose was to announce itself and obliterate.
Destover was deployed across Sony’s Windows network on the morning of the attack, executing on hundreds of machines simultaneously. Its operation was methodical and devastating:
- It terminated running processes to prevent interference with its destructive routine.
- It overwrote the Master Boot Record (MBR) of infected machines—the critical sector that tells a computer how to start—rendering systems unbootable.
- It recursively wiped files across the file system, overwriting data with random garbage to prevent recovery.
- It deleted shadow copies and system restore points, eliminating any possibility of local recovery.
The destruction was theatrical in its totality. Sony employees were locked out of their own systems en masse. Network shares were inaccessible. Months of work, years of internal communications, entire project workflows — gone, erased at the block level.
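A defender's view of the behaviours listed above, as an added example that is not code from the article or from any Sony investigation: the process kills, raw disk access and shadow-copy deletion become per-host rules that alert only in combination, so a lone administrative vssadmin call does not page anyone while the cluster that precedes a wipe does. The telemetry is constructed in a Sysmon-like key=value layout; the field names, hostnames and event IDs are assumptions, not Sony's actual logs.

```python
"""Correlate wiper-style indicators in Windows endpoint telemetry. Added example,
not code from the article: the Destover behaviours the text lists become per-host
rules that alert only in combination. Sysmon-like key=value events are constructed
here; field names and event IDs are assumptions about the telemetry."""
import re
from collections import defaultdict
# Constructed sample telemetry (not real Sony logs), one event per line.
SAMPLE_EVENTS = r'''
EventID=1 Host=ws-0142 Image=C:\Windows\System32\taskkill.exe CommandLine="taskkill /F /IM sqlservr.exe"
EventID=1 Host=ws-0142 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
EventID=1 Host=ws-0142 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"
EventID=9 Host=ws-0142 Image=C:\Users\Public\svc.exe Device=\Device\HarddiskVolume1
EventID=1 Host=ws-0007 Image=C:\Windows\System32\notepad.exe CommandLine="notepad C:\Users\a\notes.txt"
EventID=1 Host=ws-0031 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /for=C: /quiet"
'''
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """One key=value line -> dict; quoted values keep their spaces."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}

def is_shadow_copy_deletion(ev):
    cmd = ev.get("CommandLine", "").lower()
    return ev["EventID"] == "1" and bool(
        re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", cmd)
        or re.search(r"wmic(\.exe)?\s+shadowcopy\s+delete", cmd))

def is_forced_process_kill(ev):
    cmd = ev.get("CommandLine", "").lower()
    return ev["EventID"] == "1" and "taskkill" in cmd and re.search(r"(^|\s)/f(\s|$)", cmd) is not None

def is_raw_volume_access(ev):
    # Sysmon event 9 (RawAccessRead): a process opened the volume device directly, bypassing the file system.
    return ev["EventID"] == "9" and ev.get("Device", "").lower().startswith(r"\device\harddiskvolume")

RULES = {"shadow_copy_deletion": is_shadow_copy_deletion, "forced_process_kill": is_forced_process_kill,
         "raw_volume_access": is_raw_volume_access}

def correlate(lines, min_indicators=2):
    """{host: sorted rule names} for hosts tripping >= min_indicators distinct rules."""
    hits = defaultdict(set)
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        if "EventID" not in ev or "Host" not in ev:
            continue  # malformed line: skip rather than crash the pipeline
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["Host"]].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_indicators}
```

With the default threshold only ws-0142 is reported; ws-0031's single shadow-copy deletion is left for triage rather than raised as a wiper alert.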
The Exfiltration: Everything Burned
But Destover was only the finale of an operation that had been running quietly for weeks. Before the wipers fired, the Guardians of Peace exfiltrated a staggering volume of sensitive data:
- Unreleased films: Five Sony Pictures movies, including Annie, Fury, and Still Alice, were dumped onto torrent sites before their theatrical releases.
- Executive salaries: Compensation data for thousands of Sony employees, including top executives, was published and reported globally.
- Internal emails: Tens of thousands of emails between executives were leaked, revealing candid and embarrassing private communications—including racially charged jokes about then-President Obama attributed to co-chair Amy Pascal, which ultimately cost her her job.
- Personal employee data: Social Security numbers, medical records, and personal information for roughly 47,000 current and former employees.
- Business plans and contracts: Negotiation strategies, talent deals, and confidential business agreements with directors, actors, and studios.
The breadth of the exfiltration was unprecedented for an attack against a private company. The Guardians of Peace used the stolen data as a weapon not just for destruction, but for humiliation — leaking documents in calculated drips to maximize media coverage and reputational damage.
Attack Chain: Sony Pictures — Guardians of Peace
graph TD
A["🇰🇵 Lazarus Group\n(DPRK Bureau 121)"] --> B["Geopolitical Trigger\n'The Interview' Film\nNorth Korean Diplomatic Warnings Ignored"]
B --> C["Operation Authorization\nReconnaissance General Bureau\nPyongyang"]
C --> D["Initial Access\nSpear-Phishing / Credential Theft\nSony Employee Accounts"]
D --> E["Foothold Established\nSony Pictures Internal Network"]
E --> F["Long-Dwell Reconnaissance\nWeeks of Silent Mapping"]
F --> G["Privilege Escalation\nDomain Admin Credentials"]
G --> H["Data Exfiltration Phase\n(Pre-Wiper)"]
H --> H1["5 Unreleased Films\nIncl. Annie, Fury, Still Alice"]
H --> H2["47,000 Employee Records\nSSNs, Medical Data, Salaries"]
H --> H3["Tens of Thousands\nInternal Executive Emails"]
H --> H4["Business Plans, Contracts\nTalent Deals, Strategy Docs"]
G --> I["DESTOVER Wiper\nDeployed Across Network"]
I --> J["Process Termination\nKills Running Services"]
J --> K["MBR Overwrite\nMachines Rendered Unbootable"]
K --> L["Recursive File Wipe\nData Overwritten with Garbage"]
L --> M["Shadow Copy Deletion\nNo Local Recovery Possible"]
M --> N["🔴 Hundreds of Machines\nSimultaneously Destroyed"]
N --> O["Nov 24 2014 – 'GOP' Skeleton\nDisplayed on All Screens"]
H1 --> P["Films Dumped to\nPublic Torrent Sites"]
H2 --> Q["Employee Data Published\nOnline by Guardians of Peace"]
H3 --> R["Exec Emails Leaked to Press\nAmy Pascal Resigns"]
O --> S["FBI + US Gov Investigation"]
S --> T["Attribution: North Korea\nLazarus Group / Bureau 121"]
T --> U["Obama Admin Imposes\nSanctions on DPRK (Jan 2015)"]
T --> V["DOJ Indicts North Korean\nOfficers (2018)"]