On November 24, 2014, Sony Pictures employees discovered that the company’s network had been hacked. Attackers stole terabytes of data, deleted the originals off computers, and threatened to release the information they stole. Over the next few months, the hackers posted four previously unreleased films and thousands of documents onto the public web.
Internet users and journalists read through private correspondence covering, among other things, salaries, hiring practices, and performance data. Gossip magazines had a field day sharing executives’ negative views on actors, while news agencies reported on disparate salaries among actors and actresses, as well as the lack of high-paid female leadership within the company.
In December, the hackers demanded that Sony immediately stop plans to release The Interview, a comedy about North Korean leader Kim Jong Un, or risk a terrorist attack. Sony initially bowed to the threat, scrapping its release date. That decision was criticized by many, including President Barack Obama, for caving to terrorist demands. Eventually, the film was released on schedule to independent theaters and online video-on-demand platforms.
The entire episode was a nightmare for Sony. In the aftermath, nearly all the company’s top management was forced to resign. Former employees who had their social security numbers and medical information shared on the web filed a class-action suit against the company for failing to protect their private data, and at least one producer whose film was released in the hack filed suit against Sony as well. Estimates placed the cost of the attack at $35 million.
Evidence led the US government to believe that Sony was the victim of a nation-state attack stemming from North Korea, and in 2018 the US Department of Justice charged a North Korean national in the attack.
Entertainment’s Biggest Fears
The public nature of the entertainment and streaming industry makes it ripe for ransomware attacks and other cyber threats. After investing millions of dollars into the production of a film, studios are willing to pay almost any price to protect their investment. An unauthorized online release can sink box office sales, turning an expected blockbuster film into a ho-hum event that national movie chains won’t carry.
While other types of businesses can hide new product launches until they are ready for public release, entertainment studios begin hyping a new movie long before production starts. Threat actors know about upcoming releases years before they are ready. This gives them time for reconnaissance, allowing them to find network vulnerabilities and strategically go after the biggest films or TV shows.
Production studios are heavily reliant on third-party members of their ecosystem and supply chain. Special effects, sound mixing, and stunts are often done by a third-party production house. Subtitling houses located all over the globe prepare films for international releases, translating the film and adding subtitles directly onto the video footage. A vendor breach, like the one at Larson Studios which led to 10 episodes of Netflix’s Orange Is The New Black being posted on Pirate Bay, is an unfortunate reality for production studios.
Studios are also fearful of internal emails about celebrities reaching the public. In Sony’s case, the public quickly found out that Amy Adams and Jennifer Lawrence made less than their male American Hustle co-stars, and many other celebrities found out some of the comments made about them behind closed doors.
Beyond Movies and TV
Cybersecurity pressures are reaching the music industry as well. Radiohead’s unreleased recordings were stolen by ransomware hackers in 2019, who demanded a $150,000 ransom. Rather than pay the ransom, the band released the recordings for the first time.
In another incident, celebrity law firm Grubman Shire Meiselas & Sacks had 756 gigabytes of data stolen and ransomware uploaded into its system. When the law firm refused to pay the ransom, 2.4 gigabytes of Lady Gaga’s legal files were released to the public.
A Growing Problem
The cyber threats against entertainment and media companies are only growing. In March of this year, Japan’s Toei Animation studio announced that its newest Dragon Ball movie, Dragon Ball Super, had been delayed indefinitely following a cyberattack at the animation studio.
Many attacks go unreported, as studios prefer to protect their intellectual property and avoid a PR nightmare. When HBO went public about a cyberattack in 2017, hackers claimed the company was their 17th target.
For threat actors, studios are the perfect target. They publicize their most important assets and work in an environment that lends itself to multiple vulnerabilities. Studio executives are highly motivated to pay the ransom on their intellectual property while avoiding negative publicity for the celebrities who work for them.
Suspected Threat Actors
From nation-state attackers to idealist hacktivists, there is no shortage of threat actors in the entertainment space. Movies frequently deal with political or controversial issues. Evidence from the Sony attack points to nation-state attackers from North Korea who were motivated to derail the satirical film The Interview.
Other threat actors are motivated by financial gain. Behzad Mesri, an Iranian national with ties to his country’s military establishment, tried to shake down HBO for $6 million after claiming that it took him over six months to break through its security, while the Russian-based REvil group demanded over $42 million from Grubman Shire Meiselas & Sacks.
Protecting Valuable Assets
While nation-state criminals may have entertainment on their minds, there are a number of things studios can do to protect their intellectual property and critical assets. In our next blog, we will dive into some tips and steps that can be taken in order to ensure that your assets remain safe and secure against potential threats.