After making their initial media splash on 31st July, those behind the attack on HBO have done their best to stay in the limelight, releasing material on a regular basis and hinting that the pace will continue. Most recently, the group released to the media unseen episodes of the comedy cult classic Curb Your Enthusiasm, which makes its return to the airwaves in October, but it is the leaking of the hit fantasy show Game of Thrones that has really garnered the group the most attention.
In response, HBO has made it clear they have little patience for the hackers, most recently issuing a somewhat terse statement affirming: “We are not in communication with the hacker and we’re not going to comment every time a new piece of information is released.”
The network went on to add that it has no intention of playing the hacker’s “game” to help them generate more media attention and that it will be business as usual for all of their productions.
While HBO is clearly planning to stick to their guns on this one, corporations with vast amounts of valuable intellectual property should be taking the opportunity to consider what their own response strategy would be in the event they become a hacking victim. Responding to a data breach that involves blackmail always poses some tough decisions that have to be made with limited intelligence. The longer a company waits to decide, the more information it will have, but the higher the risk of more damaging leaks as the attackers get restless.
Should you ever pay the ransom?
If we take the claims of the hackers at face value here, we have three major questions to ask:
How good were the hackers? If they were very skilled and managed to hide their traces well, the forensic effort is going to be a very long and ultimately incomplete job. HBO may never know the totality of the breach. Without knowing that, HBO executives will have to decide how valuable the leaked data is to them (both from an actual investment perspective and a brand damage perspective) without any real confidence about what exactly was taken. So far the "taste" the hackers have released is not that bad, which would likely reduce any willingness to pay.
How honest are the hackers? It's a funny question, but paying a ransom would require significant trust that the hackers won't take the money and then release the information anyway or resell it to a competitor. This is a question that no one will have good insight on and will essentially be a gut instinct based decision. As they say, there is no honour among thieves, and refusing to comply with ransom demands is usually the right call. We have seen many cases of companies paying a ransom to unlock ransomware, only to find the hacker can’t or won’t comply – or simply re-encrypts the data at a later date.
How damaging is the information that is available to the hackers?
This ties to the first question, but no organisation knows every email and document sitting on its network. An audit of senior executives' email and other documents that may contain damaging or embarrassing information will help inform the risk calculation of whether it makes more sense to pay and pray, or to hold firm and weather the media storm should the "worst case" leaks happen.
Answering questions 1 and 3 takes time, and the longer the "negotiating" process is drawn out, the better informed HBO's eventual decision will be. The hackers are likely aware of this as well, so it is no surprise that we have seen an increase in leaks as they try to spur HBO into complying with them. Whether they have anything damaging enough to force the network to pay them off remains to be seen.
So who carried out the attack?
While the investigation into the extent of the compromise and the actors behind it is ongoing and still at a nascent stage, there are a couple of things we can say about what this hack isn't.
An immediate and very popular take on the attack was to compare it to the huge data breach suffered by Sony Pictures in 2014. The desire to compare two major attacks on media giants is understandable, but it is a false analogy. Sony was the victim of a nation state (North Korea) seeking retribution for an action taken by the company (the production of The Interview). The primary motivation of the attackers in that case was to damage the company. The data exfiltration and subsequent release seemed to have more to do with creating a smoke screen, inventing a new "hacktivist" group to throw off attribution, than with actually stealing the data. That the data happened to be significantly damaging to the brand's reputation was likely a happy accident from the attacker's perspective.
Every early indication we have from the HBO intrusion fails to fit that narrative. Without access to the raw data and forensic investigation it is impossible to state concretely what the intention of this actor set was. Strangely, although the hackers did not initially issue a public ransom demand, they later made it clear they wanted "six months' salary" to cease the leaks, claiming their yearly salary was $12-15m.
The odd approach to the ransom and demands means there could be several motivations at work here, ranging from troubling for HBO to potentially catastrophic. Below we outline each and briefly discuss its plausibility.
The Egotist – A person or group who wants to demonstrate their prowess and/or establish their bona fides within hacking forums. This is plausible given the small online presence the group claiming credit for the hack appears to have. Additionally, releasing the data in a piecemeal fashion prolongs the news cycle associated with the hack, as HBO themselves pointed out. The decision to focus on leaking one of the most popular shows on TV is also a strong indicator of this motivation.
The Uber Fan/Information Freedom Hacktivist – An individual or group that wants to have access to the data because they want to liberate the information and just can’t wait for next week’s episode. This is unlikely because if freedom of information was the primary factor the initial dump would have been a lot larger and the teasing with scripts and the executive’s accounts would not be included.
Retaliation – HBO's recent attempt to crack down on the piracy of Game of Thrones in particular has the potential to motivate some hackers to retaliate from a social justice perspective. The controversy around their new show Confederate would also fall into this category. In this case the hack would be intended not only to share content but also to damage the reputation of the company, demonstrating consequences for clamping down on piracy or for being perceived to propagate an unwanted message. The initial announcement by the group carried the menacing statement "HBO is falling", which seems to point to malicious intent.
On the other hand, if this were the motivation, one would expect embarrassing information to be fed into the news cycle as a deterrence and retaliation tactic, along with a splashier messaging campaign to make sure the connection to the anti-piracy effort was clear. The mail exchange would also be an ideal target for this type of campaign; if it was not compromised, that makes this scenario less likely. A deterrent or retaliation is only effective if the recipient understands why the action is being taken.
Industrial Espionage – The release of information could, as in the Sony example, be a smoke screen for other nefarious purposes. Access to that amount of data likely includes pre-production information and financial data, in addition to other sensitive documents, which would be a treasure trove for a competitor looking to one-up HBO. The potential merger between AT&T and Time Warner adds some plausibility to the theory. The fact that little sensitive company information has been leaked could support this as a motivation, since once data becomes public it loses its competitive intelligence value, but failing to compromise the mail server would be a large oversight if this were the main goal. Proving this motivation is also significantly difficult without knowing where the stolen data was sent.
Those investigating this breach will slowly uncover forensic evidence that leads to a clearer picture of who carried out this intrusion and why. While we currently do not have enough information to answer those questions, we do have enough to say who likely wasn't responsible and which motivations are likely at play. This is not another Sony-style attack, and there appears to be no malicious nation state actor attempting to cause direct harm to the company. Furthermore, the way the ransom was communicated seems to indicate either that money is not the main motivation or that the group is learning on the fly.
Whatever the motivation, media companies and others with high-value IP should certainly be taking note and ensuring they have a strategy in place to deal with a similar attack. Following similar attacks on other companies such as Netflix, the industry has a good track record of not paying ransom demands, but every company should understand its own position: what refusing to pay a ransom could really cost it, and how to build a more sophisticated defence to prevent that cost.
Ross Rustici, Senior Director, Intelligence Services, Cybereason
Image Credit: Welcomia / Shutterstock