The Hacking Economy

Inside North Korea's scrappy, masterful cyberstrategy

Sony Pictures Entertainment has canceled the Christmas Day release of "The Interview" amid threats of a widespread attack from hackers, who U.S. intelligence officials say were working for North Korea. But how does a poverty-stricken country with unreliable electricity even accumulate cyber-capabilities to level an international corporation the size of Sony?


North Korea is a totalitarian state with a per capita GDP of under $2,000, compared with $22,000 for South Korea. But while average citizens hustle for food and survival, North Korea's all-powerful upper class—with access to cash—has ramped up its digital infrastructure in recent years. The regime's elite cyberarmy has shrewdly learned to execute and recycle quick-and-dirty—yet effective—cyberattacks and malware to prey on high-level targets. Previous targets have included a bank, a university and media websites, according to prosecutors.

"While the regime does not appear to have an advanced cyber-capability, we should never underestimate the potential impact of North Korea utilizing less advanced, quick-and-dirty tactics," said Ted Ross, security research director for enterprise security products at U.S. tech giant Hewlett-Packard.

The full details of North Korea's involvement in the November data breach, according to U.S. officials, aren't yet available. But an audit of Sony Pictures' computer network conducted months before the attack revealed gaps in the way the company monitored its system, as Re/code has reported. It was a window of opportunity, it seems, that North Korean hackers noticed and seized to stunning effect.

The data breach has outed business transactions including the James Bond script "Spectre" as well as personal details about employee health records, bank transactions, Social Security numbers and emails that go back years. Security experts say the Sony breach is an omen about the dangers of modern cyberterrorism in a post-9/11 world—whether the perpetrators are from North Korea or some other rogue state.

Wake-up call for all companies, employees

As the ripple effect widens, the Sony attack is proving to be about much more than leaked, juicy emails among movie stars and Hollywood studio executives. The breach is a warning for all employees and businesses, large and small, to reflect on the storage of sensitive business information, and the treasure trove of employee details housed in human resource departments.

There will be re-evaluations about how companies conduct business including the use of cloud storage computing and "BYOD," or the practice of bringing your personal devices to work, which businesses allow amid cost-cutting.

The hackers stole some 100 terabytes of data from Sony servers. That's roughly 10 times the entire printed collection of the Library of Congress.

"This incident covers the broad spectrum of your worst nightmare for cybersecurity," said Jason Glassberg, co-founder of Casaba Security, based in Seattle.


The movie "The Interview" depicts two American journalists, played by Seth Rogen and James Franco, who secure a rare interview with North Korean leader Kim Jong Un and are tasked with executing him. The film's planned U.S. release on Christmas Day was canceled Wednesday after several large cinema chains said they would not show the film. There are no further release plans including video-on-demand or other platforms.

The North Korean government, meanwhile, has denied responsibility for the data breach. But a spokesman quoted by the North's Korean Central News Agency described the attack as a "righteous deed."

New revelations about North Korea's involvement in the attack, according to U.S. officials, mark a sharp turn for the federal investigation into the hack. But how might North Korea have executed such a spectacular data breach?


For starters, the isolated, communist nation has been pursuing cyberstrategies as far back as the 1980s. It's cheaper than sending men to gather intelligence on perceived enemies. There are at least 3,000 North Korean cyberwarriors, though some reports place that number higher.

Rinse and repeat: The North's cyberstrategy


North Korea's computer network operations and their capabilities pale compared with wealthier, industrialized nations including South Korea, one of the most wired countries in the world. But the North's "regime has made significant progress in developing its infrastructure and in establishing cyber-operations in the past few years," said HP's Ross in an email to

And while the regime's network capabilities are far from modern, the North's cyberarmy has smartly focused on more bare-bones cyberattacks and replicated those tactics effectively. "Attacks and malware attributed to North Korean origin are not particularly sophisticated and recycle similar tactics, techniques and procedures," Ross explains. Malware can include everything from viruses to infected software.

One simple yet efficient cyber tool for the regime has been the distributed denial-of-service attack, often known as a "DDoS" attack. In a typical DDoS attack, the perpetrator exploits many computers and multiple server connections to create a wide, exponential effect. Such attacks are generally more difficult to thwart than narrower cybertactics.

Tactics used in the Sony hack also seem to mirror what's known about the North, including the use of wiper malware. This technique eliminates both the master boot record and all host data, Ross explains. The technology and code behind wiper malware are not particularly complex. But with enough industrious perpetrators cobbling together the code, the end product can be effective malware with multiple trigger points that set off a wave of data contamination.

"This is very similar to the behavior of the malware used in previous attacks attributed to North Korea," said Ross. The North also has been known to use malware that targets South Korean military interests.

Luckily for poor North Korea, low-level cyber-procedures can bring results. James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, speaking at an event Wednesday, said 80 percent of attacks only require basic techniques.

Gaps in Sony's system


Beyond specific cyberstrategies, the members of the North's elite unit of cyberwarriors are culled from a young age and nurtured in Pyongyang, North Korea's capital city, according to Heung Kwang Kim, a North Korean defector and former computer science professor. Kim spent nearly 20 years in the regime educating promising students.


Armed with skilled cyberwarriors and attack strategies, North Korea noted the upcoming release of "The Interview." Sony Pictures' network, meantime, was sitting there with gaps, as Re/code has reported. Then North Korea pounced.

The security audit, from mid-July to Aug. 1, was performed by PricewaterhouseCoopers and found one firewall and more than 100 other devices that were not being monitored by the corporate security team charged with oversight of infrastructure.

When it comes to data security, companies generally focus intently on external data entering and infecting the system. Less attention is paid to how sensitive company information, including emails and other documents, leaves a company network, an area often referred to as "exfiltration."

Sony Pictures "didn't seem to have a coordinated strategy in terms of intrusion detection or exfiltration or data moving out," said Glassberg of Casaba Security.

According to Re/code, a spokesperson for the studio declined to comment on the audit report. A PwC auditor who received the report did not respond to Re/code's interview requests.

Beyond the audit, the sheer breadth and depth of the breach suggest the data, from scripts to employee health information, may have been housed on a small group of servers and not distributed widely. "People are going to be talking about data segregation going forward," Glassberg said.


What now?

Investigators, Sony executives and lawyers are now combing over the wreckage. There are larger diplomatic questions about how the U.S. might respond to the attack.


In a cluster of events, the American-produced raucous comedy is the tip of North Korea's growing list of problems and perceived enemies. The regime is facing international scrutiny about human rights violations, which some leaders are now trying to refer to the International Criminal Court.


The North Korean regime and Kim, believed to be in his 30s, are watching all of their enemies, including filmmakers. And the regime has responded deftly with its cyberarmy.

"This is a huge wake-up call," says Jason Habinsky, a New York City-based labor and employment partner at Haynes and Boone. "Every company big and small is at risk now. This is like watching a thriller. Or a horror film."

Disclosure: NBC News group is a minority stakeholder in Re/code and has a content sharing partnership with it.