Details Emerge on Malware Used in Sony Hacking Attack

Arik Hesseldahl

New details have emerged about the hacking attack against Sony Pictures Entertainment, the motion picture studio which last week came under a withering digital siege that investigators say may have originated from North Korea.

Late Monday the FBI issued a confidential five-page warning to U.S. businesses concerning malicious software, or malware, used to carry out destructive attacks. The warning did not name Sony as a victim of the malware, though it is said to be a direct response to the breach at that company.


The full text of the warning could not be obtained, but Re/code sources who have seen it shared some of the FBI's observations:

One primary feature of the malware is that it wipes the hard drives of targeted systems. This is at minimum a strong indication of North Korean involvement. Previous attacks attributed to North Korea, including one last year against TV networks and banks in South Korea, have often included wiping software that destroys all data stored on the system.

The malware's creator used the Korean language pack in Microsoft's Windows. Perhaps another hint pointing in North Korea's direction, but not definitive either. However, the software was written in such a way as to execute its functions without regard to the languages in use on the system being attacked.

The attackers apparently used compromised computers in Thailand, Italy and Poland to carry out the attacks. The FBI's warning says these systems belonged to parties unrelated to the attackers or the victim.

The malware takes advantage of Windows Management Instrumentation, or WMI, a tool used for managing Windows machines in a large corporate environment. After the malware is introduced and spreads throughout a network, WMI is used to launch it across all the infected machines on a network at the same time. Once its intended functions have been carried out, the malware then wipes the hard drives of the attacked systems.
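The WMI fan-out described above leaves a trace a defender can look for in process-creation telemetry: the same executable started by the WMI provider host on many machines within seconds. The following Python is an added example, not code from the article or the FBI warning; the Sysmon-style event records, hostnames, paths and timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed process-creation records in Sysmon Event ID 1 style.
# Hostnames, paths and times are hypothetical, not from the article.
SAMPLE_EVENTS = [
    {"time": "2014-11-24T07:00:05", "host": "ws01", "image": r"C:\Windows\Temp\svc.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2014-11-24T07:00:07", "host": "ws02", "image": r"C:\Windows\Temp\svc.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2014-11-24T07:00:09", "host": "fs01", "image": r"C:\Windows\Temp\svc.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2014-11-24T07:00:31", "host": "ws03", "image": r"C:\Windows\Temp\svc.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Routine WMI-spawned inventory script on a single host: not a fan-out.
    {"time": "2014-11-24T07:00:10", "host": "ws04", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Same binary started interactively: not WMI-launched, so not counted.
    {"time": "2014-11-24T07:00:12", "host": "ws05", "image": r"C:\Windows\Temp\svc.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # WMI launch of the same binary hours later: outside the burst window.
    {"time": "2014-11-24T13:00:00", "host": "ws09", "image": r"C:\Windows\Temp\svc.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

def wmi_spawned(events):
    """Keep only processes whose parent is the WMI provider host, the process
    that services Win32_Process.Create requests issued locally or remotely."""
    return [e for e in events if e["parent"].lower().endswith("\\wmiprvse.exe")]

def fan_out_launches(events, window_seconds=60, min_hosts=3):
    """Return {image: hosts} for images that WMI started on at least min_hosts
    distinct machines within some interval of window_seconds."""
    by_image = {}
    for e in wmi_spawned(events):
        by_image.setdefault(e["image"].lower(), []).append(
            (datetime.fromisoformat(e["time"]), e["host"]))
    hits = {}
    for image, runs in by_image.items():
        runs.sort()  # chronological, so each window is a slice starting at i
        for i in range(len(runs)):
            start = runs[i][0]
            hosts = {h for t, h in runs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                hits[image] = hits.get(image, set()) | hosts
    return hits
```

On the sample data only `svc.exe` is reported, on four hosts; the single-host inventory script and the interactive launch are ignored, and the WMI launch six hours later falls outside the window.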

Sony first came under attack last week when its corporate network was brought to its knees. Employees reporting for work last Monday morning saw on their displays the image of a red skeleton and the text of a message concerning unspecified demands. The Los Angeles Times reported that employees resorted to using pens, paper and fax machines to get their work done. Late Monday, Deadline reported that Sony's systems were back up and running.

The apparent effects of the attack escalated throughout the week. On Friday, sensitive Sony files, detailing business plans, compensation data for employees and contracts with celebrities were said to have leaked to file-sharing sites. On Saturday, video files of five Sony motion pictures — four of which have not yet been released — were leaked to file-sharing sites.


On Friday, Re/code reported that Sony was investigating the possibility that the breach might be linked to North Korea. That country has threatened to take action in response to a forthcoming film called "The Interview." The comedy, starring Seth Rogen and James Franco, depicts two celebrity TV journalists who land a rare interview with the North Korean leader Kim Jong-Un and are recruited by the CIA to assassinate him.

North Korea, deeply sensitive to the portrayal of its leaders, has called the film "an act of war" and called its distribution "absolutely intolerable." Seeking to stop its release, the country's government went so far as to ask President Obama to intervene in a letter over the summer.

Incidentally, someone finally thought to ask the North Korean government about this, and if nothing else its response was interesting. Responding to queries from the BBC, a spokesman for North Korea's mission to the United Nations said, "The hostile forces are relating everything to the DPRK (North Korea). I kindly advise you to just wait and see."

CNBC's parent NBCUniversal is an investor in Re/code's parent Revere Digital, and the companies have a content-sharing arrangement.