HBO Hack

I was interviewed on Sky News on Tuesday 8 August discussing the HBO hack.

It’s hard to get all of the interesting points about an issue into a quick news interview; the key points about the story from my perspective are:

  • The stealing and leaking of Game of Thrones scripts before the episodes air gives the criminals their headlines, but HBO are probably far more concerned with the internal documents which have been breached
  • This parallels with the Sony hack a few years ago, in which many embarrassing internal emails were leaked and which ultimately led to the Co-Chair of Sony, Amy Pascal, stepping down
  • In HBO’s case, it seems that thousands of internal documents have been stolen, from personal information of employees through to legal and financial documents of the corporation
  • There are reports that Game of Thrones actors’ personal contact details, including phone numbers and email addresses, have been leaked
  • From reports, we can deduce that one person’s machine has definitely been compromised, a top executive who seems to be the Vice-President for Film Programming. Login details for dozens of her online accounts have been released by the criminals, including possibly her work email
  • I would speculate, as I mentioned in the Sky News interview, that the attack was most likely carried out by a spear-phishing email which compromised the VP for Film Programming, but there are of course many other scenarios which could have facilitated the attack. Film and TV studios work with many third parties, so a third party could have been leveraged as a means of attacking HBO. An episode of Game of Thrones was recently leaked via Star India, one of HBO’s distribution partners, so it is feasible that there is a link here, for example one scenario being that Star India (or another third party) was compromised and used as a vehicle to send a spear-phishing email
  • HBO are claiming that their internal email network has not been fully compromised
  • The criminals are claiming that they have 1.5 terabytes of HBO data, which could just come from compromising one machine
  • The attackers seemingly sent a ransom note to HBO, which has now been made public, in which they ask for ~$6m in bitcoin. They claim that they have spent six months on the attack and that ~$6m represents six months of their income. This is a novel way of calculating a ransom demand, to say the least. Despite this, the criminals also say that the attack was not financially motivated, that they are white-hats and that HBO should see them as partners. Like all good protection rackets, it seems they are trying to frame this as an on-going business relationship.
  • If the attackers really spent six months on the attack, it’s quite surprising that they didn’t get more than 1.5 terabytes of data
  • $6m is a lot of money, especially in bitcoin: only approximately 900 accounts in the world have over $6m worth of bitcoin in them
  • The timing of this attack could be particularly difficult for HBO, coming when AT&T are looking to close their acquisition of Time Warner (who own HBO) for $85bn
  • As an update, since the Sky News piece a few days ago, the attackers have claimed that HBO offered them a $250,000 “bug bounty” as part of their negotiations; HBO seem to be claiming that they made this offer as a delay tactic:

 

By Dr Jessica Barker