North Korea Watched the Trailer and Decided This Was a National Security Issue
In 2014, Seth Rogen and James Franco made a comedy about two journalists recruited by the CIA to assassinate Kim Jong-un. It was called “The Interview.” It had a 51% on Rotten Tomatoes and involved a considerable amount of juvenile humor about the supreme leader of North Korea.
At some point, someone showed the trailer to the North Korean government.
They did not find it funny.
What followed was one of the most destructive cyberattacks ever carried out against a private company — and a reminder that your threat model should probably include scenarios you’d never think to put in your threat model.
What Actually Happened
Sony Pictures Entertainment was the target. The attackers called themselves “Guardians of Peace.” US investigators later attributed the attack to the Lazarus Group — a hacking collective working on behalf of North Korea’s intelligence services.
The initial entry was textbook social engineering. Attackers sent carefully crafted spear-phishing emails to Sony employees — messages designed to look legitimate, targeted to specific people, with the goal of harvesting credentials or delivering malware. Some posed as cover letters for job applications. Others appeared to come from trusted contacts. Someone clicked. They got in.
Once inside, the attackers moved quietly through Sony’s network for weeks, mapping what was there, escalating privileges, and collecting data. Over the course of the operation they exfiltrated what they claimed was 100 terabytes of data — unreleased films, salary records, medical information, and five years of internal emails from every level of the organization.
Then they hit the detonator.
The Wiper
The tool the attackers deployed was called Destover — a piece of malware specifically designed not to steal or hold hostage, but to destroy. It overwrote the master boot records of Sony’s computers, rendering them unbootable. It deleted files. It targeted backups. When it was done, affected machines were effectively bricks.
Employees arrived at work to find their computers dead. Not slow. Not crashed. Dead, with an image of a skeleton and a message from the Guardians of Peace on the screen.
Sony’s employees spent weeks working by hand. Whiteboards. Phone calls. Physical printouts. An entertainment company operating one of the largest content libraries in the world, reduced to a pen-and-paper operation because their systems — and their backups — were gone.
The recovery took months.
The Emails
While all of this was happening, the stolen data began appearing online.
The unreleased films were bad enough. Five Sony movies showed up on piracy sites before their release dates, including “Annie” and “Fury.”
But the emails were what made the headlines.
Internal correspondence between Sony executives — including then co-chairman Amy Pascal — contained things that people say in private emails when they believe they’re in private emails. Racist jokes about President Obama. Candid assessments of actors and directors that no one intended to be candid publicly. Salary information showing significant pay gaps. The kind of professional confessional that exists in every executive inbox and that most people would describe as simply human, right up until it’s published on the internet.
Amy Pascal resigned.
The FBI formally attributed the attack to North Korea. North Korea denied it entirely, which surprised no one.
The movie was briefly pulled from theatrical release following threats against theaters. Then, after President Obama publicly criticized the decision as capitulation, it was released on Christmas Day — simultaneously in theaters and on streaming, which at the time was a fairly radical distribution model forced on Sony by the circumstances.
“The Interview” made about $40 million. The breach cost Sony somewhere in the range of $100 million and counting.
What This Means for You
Email is not private. It never was, really — but this is the reminder that landed hardest for a lot of people after Sony. Every email you send inside your organization could, under the wrong circumstances, end up somewhere you never intended. This doesn’t mean you should never write candidly. It means you should think about what you put in writing and remember that “deleted” doesn’t always mean gone.
Backups are only useful if they’re protected. The attackers specifically targeted Sony’s backups. A backup that can be reached by the same malware that’s destroying your primary systems is not really a backup — it’s a second copy of the same vulnerability. Offline backups, air-gapped backups, immutable backups: these exist because this exact scenario exists. If your backup strategy doesn’t account for what happens when someone who’s already inside your network decides to go after it, revisit your backup strategy.
The phishing email is still usually the door. All of this — the wiper, the data theft, the leaked emails, the $100 million in damages — started with someone clicking on something they shouldn’t have. Spear phishing is more targeted and more convincing than the obvious Nigerian prince variety. It’s researched. It uses real names, real context, real-looking sender addresses. The defense is the same as always: train your people to slow down, verify unexpected requests, and never enter credentials via a link in an email.
Your threat model is probably incomplete. Sony wasn’t in the defense industry. They weren’t managing critical infrastructure. They were making movies. The idea that a nation-state would prioritize attacking a film studio over literally anything else in the world would have seemed absurd before November 2014. Now it’s a case study.
You don’t have to anticipate every possible threat. But “we’re too small to be a target” and “we’re not in a sensitive industry” are assumptions worth questioning.
North Korea hacked a movie studio because they didn’t like a comedy. The studio’s backups were destroyed. The emails were published. The co-chairman resigned. The movie came out anyway.
The lesson isn’t that the world is chaotic and nothing is safe. The lesson is that the entry point was a phishing email, the damage was multiplied by accessible backups, and the aftermath was made worse by emails that were never meant to be seen.
All three of those are fixable. The Seth Rogen situation, you’re on your own.
