// post-mortem · Wiper · National

Sony Pictures Hack

A hermit-kingdom intelligence agency took down a Hollywood studio over a comedy film.

Wiper · 2014
Sony Pictures Plaza building in Culver City, California — the corporate headquarters of Sony Pictures Entertainment. Photo: Coolcaesar / Wikimedia Commons (CC BY-SA 3.0)

// overview

What happened

On the morning of November 24, 2014, Sony Pictures employees logged in to find grinning red skulls on their screens and a message threatening further leaks unless the company met unspecified demands. The Destover wiper had already destroyed master boot records on roughly 3,000 workstations and 800 servers.

Over the following weeks, the Guardians of Peace progressively dumped tens of thousands of internal emails, executive salary spreadsheets, unreleased films (Annie, Mr. Turner, Still Alice), passport scans of stars, and detailed HR records — including the social security numbers of every Sony Pictures employee and their dependents.

Investigators connected the attack to Sony's planned Christmas Day release of The Interview, a comedy depicting the assassination of North Korean leader Kim Jong Un. After threats invoking '9/11' against theatres, major chains pulled the film and Sony cancelled the wide release before reversing course days later.

The FBI publicly attributed the attack to North Korea on December 19, 2014. The technical case was unusual: Destover shared code with previous Lazarus malware (DarkSeoul, Operation Troy), and infrastructure overlapped with North Korean state operations. President Obama imposed sanctions on the RGB intelligence agency the following month — the first cyber-attack sanctions in US history.

// timeline

How it unfolded

  1. Sep–Oct 2014

    Initial intrusion via spear-phishing of Sony IT administrators.

  2. Nov 24, 2014

    Destover wiper triggered; employees see skull message on boot.

  3. Dec 2014

    Five waves of leaked data dumped publicly, including all employee SSNs.

  4. Dec 16, 2014

    Theatre threats invoking '9/11' against The Interview screenings.

  5. Dec 17, 2014

    Major theatre chains pull the film; Sony cancels wide release.

  6. Dec 19, 2014

    FBI publicly attributes attack to North Korea.

  7. Jan 2, 2015

    President Obama imposes sanctions — first cyber-justified US sanctions.

// damage

Impact and scale

Sony employees arrived at work to find a skeleton on every screen and a ransom message from 'Guardians of Peace.' Internal email troves and unreleased films were dumped publicly for weeks. The attack chilled Hollywood's appetite for politically sensitive content for years and prompted the first US sanctions explicitly justified by a cyber attack.

// affected

Who was hit

  • Sony Pictures Entertainment (every workstation and server in scope)
  • Every Sony Pictures employee and their dependents (SSNs leaked)
  • Actors, agents, and producers with sensitive email correspondence in Sony's mail store
  • Theatres that pulled The Interview from screens

// lessons

Key takeaways

  • A motivated state actor will sustain access for months to maximise damage at the moment of detonation.
  • Wiper malware turns a breach into business interruption — recovery is rebuild, not restore.
  • Email is permanent: anything you write to a colleague can become public-record source material.
  • Attribution is now a policy tool; governments will name attackers and sanction states for cyber operations.
