WASHINGTON — American officials have concluded that North Korea was “centrally involved” in the hacking of Sony Pictures computers, even as the studio canceled the release of a far-fetched comedy about the assassination of the North’s leader that is believed to have led to the cyberattack.
Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was debating whether to publicly accuse North Korea of what amounts to a cyberterrorism attack. Sony capitulated after the hackers threatened additional attacks, perhaps on theaters themselves, if the movie, “The Interview,” was released.
Officials said it was not clear how the White House would respond. Some within the Obama administration argue that the government of Kim Jong-un must be confronted directly. But that raises questions of what actions the administration could credibly threaten, or how much evidence to make public without revealing details of how it determined North Korea’s culpability, including the possible penetration of the North’s computer networks.
Other administration officials said a direct confrontation with the North would provide North Korea with the kind of dispute it covets. Japan, where Sony is an iconic corporate name, has argued that a public accusation could interfere with delicate diplomatic negotiations for the return of Japanese citizens kidnapped years ago.
The government is “considering a range of options in weighing a potential response,” said Bernadette Meehan, a spokeswoman for the National Security Council.
The administration’s sudden urgency came after a new threat was delivered this week to desktop computers at Sony’s offices, warning that if “The Interview” was released on Dec. 25, “the world will be full of fear.”
“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”
Hours before Sony canceled the movie, the four largest theater chains in the United States — Regal Entertainment, AMC Entertainment, Cinemark and Carmike Cinemas — and several smaller chains said they would not show “The Interview” as a result of the threat. The cancellations virtually killed the movie as a theatrical enterprise, at least in the near term, one of the first known instances of a threat from another nation pre-empting the release of a movie.
While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.
“This is of a different nature than past attacks,” one official said.
An attack that began by wiping out data on corporate computers — something that had been previously seen in South Korea and Saudi Arabia — had turned “into a threat to the safety of Americans,” the official said. But echoing a statement from the Department of Homeland Security, the official said there was no specific information that an attack was likely.
It is not clear how the United States determined that Mr. Kim’s government had played a central role in the Sony attacks. North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.
It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “this was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”
It is rare for the United States to publicly accuse countries suspected of involvement in cyberintrusions. The administration never publicly said who attacked White House and State Department computers over the past two months, or JPMorgan Chase’s systems last summer. Russia is suspected in the first two cases, but there is conflicting evidence in the JPMorgan case.
But there is a long forensic trail involving the Sony hacking, several security researchers said. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.
The Sony attacks were routed from command-and-control centers across the world, including a convention center in Singapore and Thammasat University in Thailand, the researchers said. But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggested that the same group or individuals might have been behind the Sony attack.
The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat, the security researchers said.
The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, the national oil company, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.
Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.
At Sony, investigators are looking into the possibility that the attackers had inside help. Embedded in the malicious code were the names of Sony servers and administrative credentials that allowed the malware to spread across Sony’s network.
“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.
What is remarkable in this case is that after three weeks of pressure, the attack forced one of Hollywood’s largest studios and Japan’s most famous companies to surrender.
Many attacks have been aimed at stealing credit card data, like the intrusions on the Home Depot and Target networks — and others at disrupting ATMs. An American and Israeli attack known as Olympic Games that targeted Iran’s nuclear program was a rare attack on infrastructure.
Sony has tried to put the best face on the situation, saying it understood that movie theaters had to be worried about the safety of their customers.
But the precedent set Wednesday could be damaging. Other countries or hacking groups could try similar tactics over movies, books or television broadcasts that they find offensive.
The cost of the assault was small: The attackers used readily available tools to steal data and then wipe it off Sony’s machines. Representative Mike Rogers, the Michigan Republican who leads the House Intelligence Committee, said the hackers had “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.
The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.”
But that leaves open the question of what to do about the Sony attack. The North is under some of the heaviest economic sanctions ever applied. A large-scale American cyberattack would require a presidential order, and Mr. Obama has been hesitant to use the country’s cyberarsenal for fear of retaliation.