{ "id": "d7bc1ebb-7e98-4433-9bd6-53c8233374ea", "created_at": "2026-04-06T00:16:38.644515Z", "updated_at": "2026-04-10T03:38:20.163339Z", "deleted_at": null, "sha1_hash": "23a0c8bb31256e0dd8898ad99617759197561543", "title": "The Hack of Sony Pictures: What We Know and What You Need to Know", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 211870, "plain_text": "The Hack of Sony Pictures: What We Know and What You Need to\r\nKnow\r\nArchived: 2026-04-05 15:24:18 UTC\r\nA week into Sony Pictures’ devastating hack attack, a series\r\nof leaked internal documents and spreadsheets containing information and data of the company’s employees and\r\nsenior executives have been leaked to the public. Based on initial reports, Sony shut down their entire corporate\r\nnetwork after a threatening message, along with a skull graphic, appeared on their computer screens. The message,\r\nsent by a hacker group who call themselves \"Guardians of Peace\" (#GOP), warned that it was \"only the\r\nbeginning,\" and that they will continue until their \"request be met\". Shortly after the news broke out about the\r\nSony hack, there were rampant claims of the involvement of North Korea who used a certain “wiper” malware.\r\n[More: How did the hackers drop the \"warning\" wallpaper into Sony's office computers? Read An Analysis\r\nof the “Destructive” Malware Behind FBI Warnings from the Security Intelligence Blog]\r\nLike most breach stories, we learn more about the nature of the hack as time passes, and though the ongoing\r\ninvestigation provided us with a few solid details, most of the headlines around the hack have focused more on\r\nwho did it rather than what was obtained. Meanwhile, researchers have determined the destructive malware that\r\nlaunched the attack. From a security standpoint, it's critical to record all aspects of the incident and respond\r\nurgently and accordingly. In light of the attack, we’ve rounded up important dates and events to provide an\r\noverview of what happened, what was stolen, and who the people are behind the hack.\r\nNovember 25  - First reports of the attack on Sony Pictures network hit social media\r\nNovember 28 – Tech news site Re/code reports that North Korea is being investigated for the attack\r\nNovember 29 - Copies of unreleased movies, believed to be rips of DVD screeners from Sony Pictures,\r\nappear on file sharing sites\r\nDecember 1 - Documents released, revealing salaries of Sony Pictures executives\r\nDecember 2 - Leaked documents reveal personal information of Sony employees and other internal Sony\r\ncorporate documents (more pay details, name, birth dates, social security information) to the public. FBI\r\nalso releases warning about destructive malware\r\nDecember 3 – Re/code claims that North Korea would be \"officially named\" behind the attacks\r\nDecember 5 – Threatening emails sent to Sony Pictures employees; FBI confirms that they're investigating\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know\r\nPage 1 of 3\n\nDecember 6 –  North Korea releases a statement calling the attack \"righteous\", but denies involvement\r\nDecember 8 – Investigations reveal that the hackers used the high-speed network of a hotel in Bangkok,\r\nThailand to leak confidential employee data to the Internet on Dec 2. \r\nDecember 16 – Hackers sends threats of additional attacks, with references to Sept 11, 2001, if the movie\r\nThe Interview was released. \r\nDecember 17 – US officials conclude that North Korea ordered the cyber attacks on Sony Pictures'\r\ncomputers. Theater chains announce they will not show the film, and Sony cancels the movie's release. \r\nDecember 19 – FBI releases an official update on their investigation, concluding that the North Korean\r\ngovernment was responsible for the attack.\r\nThe recent attack reminds IT administrators to learn from such incidents and think ahead in terms of securing their\r\nnetwork infrastructure. Organizations should look into the developments of the Sony attack, and learn from it to\r\nbe able to defend their own networks accordingly.\r\n[More from the Security Intelligence Blog: A look into the malware variants that could be linked to the\r\nincident, including one that disables the antivirus application]\r\nIndividuals should also be vigilant; as investigative reports of controversial attacks continue to flood the news, bad\r\nguys could use this as a social engineering lure to trick users into clicking on suspicious links in spam mails and\r\nsocial media posts. As such, we advise users to be careful regarding the links they click and the stories they follow\r\nonline, as cybercriminals are quick to play on people’s curiosity especially when it comes to major news\r\nbreakouts.\r\nHIDE\r\nLike it? Add this infographic to your site:\r\n1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your\r\npage (Ctrl+V).\r\nImage will appear the same size as you see above.\r\nWe Recommend\r\nThe Industrialization of Botnets: Automation and Scale as a New Threat Infrastructure\r\nComplexity and Visibility Gaps in Power Automate\r\nCracking the Isolation: Novel Docker Desktop VM Escape Techniques Under WSL2\r\nAzure Control Plane Threat Detection With TrendAI Vision One™\r\nThe AI-fication of Cyberthreats: Trend Micro Security Predictions for 2026\r\nRansomware Spotlight: DragonForce\r\nStay Ahead of AI Threats: Secure LLM Applications With Trend Vision One\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know\r\nPage 2 of 3\n\nThe Road to Agentic AI: Navigating Architecture, Threats, and Solutions\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know" ], "report_names": [ "the-hack-of-sony-pictures-what-you-need-to-know" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "6608b798-f92b-42af-a93f-d72800eeb3a3", "created_at": "2023-11-30T02:00:07.292Z", "updated_at": "2026-04-10T02:00:03.482199Z", "deleted_at": null, "main_name": "DragonForce", "aliases": [], "source_name": "MISPGALAXY:DragonForce", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758", "created_at": "2025-07-24T02:05:00.538379Z", "updated_at": "2026-04-10T02:00:03.657424Z", "deleted_at": null, "main_name": "GOLD FLAME", "aliases": [ "DragonForce" ], "source_name": "Secureworks:GOLD FLAME", "tools": [ "ADFind", "AnyDesk", "Cobalt Strike", "FileSeek", "Mimikatz", "SoftPerfect Network Scanner", "SystemBC", "socks.exe" ], "source_id": "Secureworks", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434598, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/23a0c8bb31256e0dd8898ad99617759197561543.pdf", "text": "https://archive.orkl.eu/23a0c8bb31256e0dd8898ad99617759197561543.txt", "img": "https://archive.orkl.eu/23a0c8bb31256e0dd8898ad99617759197561543.jpg" } }