Over the past few years, the major studios and production companies that create movies, broadcast television, streaming content, and even online and video games have been under cyber attack.
There was the 2014 attack on Sony Pictures by the “Guardians of Peace”—which may or may not be a North Korean hacking team—that stole and released then-unreleased Sony productions, personal information of employees, movie stars, and their families, executive salary information, and, worst of all, scads of private emails between employees, agents, and star talent. The fallout was devastating to both Sony Pictures and the entire entertainment industry.
If that was the only cyber attack against Hollywood, that would be bad enough.
There were several smaller attacks after the 2014 attack on Sony Pictures. Then, earlier this year (2017), yet another cyber attack was perpetrated against a major Hollywood studio and streaming content provider (Netflix) and one of their suppliers, a family-owned-and-operated post-production facility (Larson Studios) with limited security staff and budget. These attackers—calling themselves “The Dark Overlord”—stole 10 complete episodes of the Netflix hit show, “Orange is the New Black”, and threatened to release the episodes if Netflix didn’t pay their demanded ransom. Netflix refused to pay, and the episodes were released a month before the expected season premiere date.
And, last June (2017), it was HBO’s turn, as an attacker—calling himself the “Kind Mr. Smith”—somehow infiltrated HBO’s network. The attacker claims they breached the network via malicious emails (but HBO, the FBI and other authorities have never mentioned how the attackers got in) and stole episodes of and scripts for the hit “Game of Thrones”, in addition to episodes of other HBO shows, financial documents, cast and crew contact lists, an employee’s emails, and credentials for social media accounts. Again, the attacker demanded ransom and HBO refused to pay. In November, an Iranian national was indicted in absentia in U.S. federal court for the cyber attack and theft of 1.5 terabytes of data from HBO – seven times worse than the 2014 Sony breach.
Studios and production houses typically outsource content post-production, oftentimes to post-production facilities around the world. Post-production, referring to the processes after filming or shooting ends, is divided into two areas: Audio, which includes dialogue, automatic dialogue replacement (ADR), Foley, sound effects (SFX), music, voiceover, sound mixing, and more; and video, including editing, telecine, film transfer, visual effects (VFX) including animation, 3D upscaling, motion video including titles, color grading, and more. Raw, digital output from filming or shooting can be sent to one or even several different post-production facilities, typically small- and medium-sized businesses (SMBs) with little IT or security staff or budget. Add to this the scores of different contractors and freelancers working project-to-project on a production, and especially in post-production houses, and you have a recipe ripe for cyber attack and breach.
Attackers will use any means possible to infiltrate and spy on a production or post-production facility’s network. They rely on social engineering to drive effective phishing and spear-phishing attacks, over email or even social media, that deliver the keyloggers, spyware, droppers, worms, trojans, wipers, backdoors, and other malware used to observe and usurp internal processes and user credentials, or that simply “phish-and-fool” employees into divulging credentials.
Once a user’s credentials have been swiped, attackers easily penetrate any network and ultimately steal a finished or near-finished movie, show or game, delete it from the company’s network, and hold it for ransom. Or, maybe even worse, they download terabits of data – confidential salaries, sensitive financial information, even internal and external email communications that could prove to be embarrassing or damaging.
The Motion Picture Association of America (MPAA) produces security recommendations for studios to enforce with vendors. These include requiring that production networks or systems that process and store digital content be air-gapped from Internet access unless a business case requires it. If access is required, production environments must control web browsing and limit access to prohibited websites, including webmail, while non-production networks must block possible phishing emails and potentially dangerous attachments. Many studios are trying to enforce these recommendations with their vendors.
Standard, detection-based security tools require up-to-date intelligence on malicious websites and methods to make their necessary “good” versus “bad”, “allow” versus “block” decisions.
But phishing security based on isolation technology avoids the need to distinguish between legitimate and malicious emails and content. Isolation inserts a secure, trusted execution environment, or isolation platform, between the email and web access of a studio, production facility or post-production user and potential sources of attack. This means no email-delivered malware to snoop on the studio or production facility, no phishing attacks that steal critical user credentials, no backdoors opened by drive-by downloads, and no other malware delivered by watering hole attacks. And, especially, no ransomware for stolen content, documents, and emails.
Please join Menlo Security CTO, Kowsik Guruswamy, and executives from Creative Artists Agency, Warner Bros. Entertainment, and NexGuard at the CDSA Content Protection Summit, December 6th, at the Marina del Rey Marriott, for a panel discussion on “Creative Vs. Security: Getting on the Same Side of the Struggle”.
For more information on how isolation stops phishing, ransomware, credential theft, and more before they even start, please read our research report, “The Evolution of Phishing Techniques”.