The news that HBO had fallen victim to a hacking effort in July should have set off alarm bells for organizations around the world. The popular maker of original content was just the latest entertainment company to be hit by hackers who have extended their sights beyond expected targets like financial institutions.
The breach of HBO, along with the theft of content like Orange is the New Black and Steve Harvey’s Funderdome earlier this year, shows a newfound focus from cyber vandals on intellectual property — one that should prompt companies in many different fields to shore up their security.
According to the hackers who carried out the sustained effort to break into HBO’s systems, they weren’t driven by “political or financial” motivations — though the group did demand millions of dollars to put a stop to the leaks. Instead, the group would have HBO believe the attack was carried out just to see if it could be done.
HBO’s security held off the hackers, known as little.finger66, for nearly six months before the group finally breached the company’s defenses, leading to leak after leak of valuable data. Thus far, the hackers have released full episodes of shows, scripts, internal documents and contact information of actors on the HBO series Game of Thrones.
“This incident shows hackers will target any kind of information — even entertainment programming,” Ebba Blitz, CEO of AlertSec, told International Business Times. “All information is vulnerable because some hackers are motivated by the thrill of it. They steal because they can, not because the information always has any real long-term value.”
It’s not known exactly how the group breached HBO’s databases. The closest hint the hackers have provided came in a video letter attached to a leak of company documents and communications in which the group claimed to have penetrated HBO’s “internal network and other related platforms.”
Filip Chytrý, threat intelligence expert at cyber security company Avast, said there are three likely options the hackers could have exploited to break into HBO’s databases: “by targeting IoT devices connected to HBO’s internal network that could communicate externally, by finding vulnerabilities in HBO’s infrastructure or by creating a scam campaign to trick HBO employees into exposing or opening up a vulnerability.”
While scam campaigns, typically carried out using phishing emails designed to get a victim to download a malicious file or surrender login credentials, are commonly the cause of data breaches, HBO has provided no indication an employee fell victim to such an attack. The company has also publicly claimed its email servers were not breached.
That doesn’t exclude the possibility, and organizations like HBO should always aim to improve the security practices of their employees by educating their workforce. Some companies have even taken to preemptively phishing their own employees to raise awareness of such attacks. “A human behind the computer screen is always the biggest security vulnerability,” Chytrý said.
As for IoT devices, more security experts are beginning to point to those internet-connected products as potential weak points in security networks. While the devices are connected to the company’s internal network, they also share data with external sources and many have less-than-adequate built-in security protocols.
While the United States government has taken to trying to tighten security requirements for internet-connected products, many still come equipped with an easily guessable default password that makes the devices sitting ducks for an attacker. Every unsecured device on a network is a potential point of entry for a hacker.
Ferruh Mavituna, CEO of security firm Netsparker, suggested the attack may have been directed at web applications used by HBO. While Mavituna noted he had no direct insight into the HBO case, he said “the biggest cause of recent data breaches were web application hacks, and more specifically SQL Injection vulnerabilities.”
Such an attack can be especially troubling for an organization, as it means either an application the company built or a third-party service it trusted was far less secure than believed. Mavituna advised using security scanners that can stress test such systems and potentially spot holes in the application.
If an organization is relying upon a third party for that protection, the task can become trickier. There have been a number of instances in which third-party services, trusted with valuable information, have left that data exposed. Organizations should maintain a dialogue with the providers they work with to ensure steps are taken to secure valuable information.
Sanjay Beri, CEO of cloud security company Netskope, said it’s important for organizations to “safeguard data against misuse and theft by proactively implementing security technologies as a check.” According to Beri, security measures such as access control and anomaly detection can “significantly reduce the risk of costly breaches like this from happening in the future.”
One thing that makes these efforts to secure data all the more challenging for HBO and other organizations is the increasingly sophisticated means of attack used by hackers. Little.finger66 claimed to have purchased zero day exploits — security vulnerabilities that have yet to be discovered and patched by software and hardware makers — in order to carry out an attack.
As Sean Smith, the director of architecture for cybersecurity monitoring at rating platform SecurityScorecard, pointed out, zero day attacks add complexity to the effort to defend against hackers because the exploits are unknown until exploited.
“The fact that a zero day may have been involved makes protection tricky, as what looks like an up to date defended system actually has unknown holes,” Smith said. “Securing access to resources internally, rather than just at the perimeter would be the most mitigating defense for a scenario like this.”
The use of such an exploit also suggests the attack wasn’t a fly-by-night operation but rather a “concentrated attack from a determined group,” according to Smith.
He suggested HBO could add additional defenses such as two-factor authentication to its services to prevent unauthorized access from a compromised account. He also said the company could look at its “network perimeter and logs” to determine where the breach may have occurred.
Defending systems will always be a bit of an uphill battle for organizations — especially those which may not be conventional targets. Doing so requires investing time and resources into defenses — systems that won’t generate revenue and can be hard to justify when just looking at the bottom line, but are absolutely necessary to mitigate as much risk as possible.
Even then, it’s possible for those systems to be breached. When that happens, as it did in the case of HBO, just about every expert pointed to encryption as the last line of defense.
AlertSec’s Blitz said “all data needs to be protected with encryption.” Chytrý from Avast offered similar advice, saying that organizations “should have everything encrypted on hard drives, ensuring that anybody who has access has a unique decryption key. If there is something amiss or they suspect an attack, they can easily terminate the source of the attack.”