The name of the song playing is “The Light of the Seven.” It’s a haunting, evocative piece from a penultimate scene in last season’s final episode of Game of Thrones, beginning with delicate, well-timed notes from a piano. It is a masterpiece of tension, fear and ultimately fury.
It was also a good choice for the hackers.
The cellos come in less than a minute later, ominous, a portent of something sinister to come. When the children’s chorus comes in, alight with orchestral violins and pipe organs, the voices are a stark counterpoint to the building violence on screen that ends in a crescendo of green fire enveloping the pompous, religious enemies of the Queen of the Seven Kingdoms, Cersei Lannister.
Hackers who stole key pieces of some of HBO’s crown jewel properties used that musical score for dramatic effect just weeks ago as they detailed their demands over a roughly five-minute video, using Game of Thrones – one of the most popular shows on the planet – as leverage.
“We confess that HBO was one of our difficult targets to deal with but we succeeded. (It took about 6 months),” according to the video obtained by Mashable. “Also, we obtained full scripts and cast list of your (and our) very popular TV series; Game of Thrones S7.”
In the latest HBO hack, the group is requesting a ransom of an implied $6 million to $7.5 million, what the note calls their “six-month salary in Bitcoin,” or else the dark net denizens would release the full 1.5 terabytes of data.
But HBO apparently had full episodes and seasons (the series is currently a few episodes into season seven) in a more secure location. The series, as the name implies, chronicles the efforts of several houses to take control of the Iron Throne, adapted from a storied book series by George R.R. Martin.
“You concealed GOT7 very carefully so we can't find it due to lack of time although we are so close,” the group stated in the video. “Instead, we produced some tiny mini-series of GOT 7 for you which be able to shock the entire world!!! What we got from GOT 7 not only put an end to fate of this season but also corrupts your idea and efforts to season 8.”
The hack follows similar breaches of Netflix, Sony, ICM, WME, UTA and a production company that affected content from ABC, NBC, FX and Disney. Hackers in recent years have also punctured many of the country’s largest banks, retailers, healthcare firms and even a site with data on U.S. government personnel.
But if there is a bright spot in a hack that could hurt such a beloved franchise, cybersecurity experts say the breach could be used as a teaching tool. It may help governments, organizations and individuals to realize that cybercriminals see data of all kinds as potentially even more valuable than standard credit and debit card information – leading to stronger global cyber defenses.
“We have vulnerabilities in the U.S. and people don’t realize that because we are so gullible,” said John Walsh, Chief Executive of SightSpan, a global risk management firm.
“The government worries about attacks on nuclear power plants or the electric grid, but those are relatively safe. China, however, as just one example, is invading every day, hacking into engineering firms, law firms and accounting firms and, yes, entertainment business as well.”
Hopefully getting governments, companies and even individuals to think about their own cyber safety as a result of the hack will help them also come to a profound but sobering realization. “This is a new kind of war and we are at war right now,” Walsh said. “Data right now is more valuable than money because, if done right, hackers can use it again and again.”
That would be an interesting turnabout on the axiom of fact informing fiction. In this case, an online assault by virtual world brigands against a fantasy kingdom could potentially lead to better cyber swords and shields in the real world.
AML rules creating ransom payment challenges?
The unknown cyber gang behind the HBO hack seems to unintentionally mention how stronger anti-money laundering (AML) rules being implemented by banks globally are making it harder for them to find institutions and virtual currency exchanges that will handle the Bitcoin ransom demand.
“Do the bitcoin job quick,” the group says. “Some banks in USA have problems in exchanging bitcoin and caused trouble in past. We don't accept sentences like: we want to pay but banks are lazy and don't cooperate. Its your problem. Give some bucks, they do like slaves.”
The HBO hack “underscores the vulnerability of companies large and small, particularly hackers targeting and obtaining high value content,” said Joseph DeMarco, a partner at New York-based DeVore & DeMarco and the former Assistant US Attorney for the Southern District of New York, heading the computer hacking program.
“And that high value content can come from an entertainment company or a bank or a healthcare provider,” he said.
“The fact of the matter is that information has value and people are out there looking for ways to steal it,” DeMarco said. “All companies need to have robust data security, good access controls, encryption and employ the most sophisticated countermeasures for protecting the crown jewel intellectual properties in the best way possible.”
Such measures are required for persistent and determined hackers.
For instance, the hacking group tied to the HBO breach claimed they do two operations a year, netting as much as $15 million in total and that HBO marks their 17th target. Only three have failed to pay and “were punished very badly and 2 of them collapse entirely.”
Even so, while the group is doing its best to be menacing and demands to be taken seriously, the scrolling text in the video is filled with atrocious spelling and grammatical errors, meaning the group is clearly foreign, from hacker nests in likely locales including Russia, China or Eastern Europe – the usual suspects.
Winter is coming – for HBO
The breach allegedly includes a veritable cornucopia of proprietary loot, including future episodes and scripts of the epic fantasy phenomenon, along with what the various actors get paid and even their phone numbers – something leaked a few days ago as proof of the digital haul.
While the video yields few clues about how the group got into HBO, it mentions in passing that the group pays $500,000 annually for the use of “zero day exploits,” a term describing an unknown or undisclosed software vulnerability that hackers can exploit to breach computer programs, steal data, or use malware to infect additional computers or an entire network.
The video ends with a look at two potential futures for HBO, and a warning seemingly straight from the mouth of one of the show’s most popular dark and brooding characters.
“Winter is coming – HBO is falling,” or “Winter is Coming – HBO is standing & Everlasting,” the hackers stated in the video, a nod to the current King of the North of House Winterfell, Jon Snow – or Stark or Targaryen – depending on how far you are in the books or show.
And as in Game of Thrones, having a battle-ready mindset can help companies realize attacks with virtual flaming arrows can come from anywhere and at any time, meaning operations must better segment their data so only individuals with the highest clearances can access the most valuable or sensitive data.
“In the show, the Lannisters are the most cunning house,” Walsh said. “Companies need to realize hackers are just like that. Whatever weaknesses you have, they will exploit them. And anyone can be a target. Sometimes hackers will just get into a place just to see if they can. Don’t look for logical answers when it comes to hacking because some attacks are done as a source of pride.”
In an ironic twist, the hackers are clearly fans of the show, expressing little to no enmity or vitriol toward HBO.
That is a departure from previous hacks against media and technology companies. The hack of Sony, for instance, allegedly done by North Korea, was widely believed to be in response to a movie called “The Interview” deriding and satirizing the country’s leader, an affront the rogue regime could not endure.
The main reason for the hack: “Our motives isn't political nor financial,” the group said. “(Even we hate trump like other Americans do) Its like a game for us, we enjoy to get data. Money isn't our main purpose.”
Going further, the note evinces the delusions of grandeur common to hackers with self-inflated views of themselves.
In some instances, the group asks to be “partners” in global distribution of HBO shows and that the entire hack is something cable executives should be thanking them for as helpful “penetration testing” and publicity at a fraction of their normal advertising budget.
“We don't want to endanger HBO's situation nor causing to lose its reputation,” the hacker collective said. “We want to be your partner in a tiny part of HBO's huge income. HBO spends 12 million in 2017 for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!”
Enter the threat matrix: reputational harm
The group also lauded HBO for its media contributions to highlight social issues, but only to show how far the mighty could fall.
“HBO is pioneering in TV programming worldwide and doesn't want to lose this situation,” the group said. “More than that, HBO is promoting democracy, women rights, freedom and justice in the world and losing this leadership will be painful and catastrophic.”
The hackers also tried to up the fear factor by stating other competitor companies could exploit HBO’s inner knowledge if the data was released, with fans and investors running for the exits.
“Leakage will be your worst nightmare; your competitors will know about your current & future strategies, your inner circle inside HBO & senior staff will be thrown into chaos, your views specially fans became very upset and they blame you rather than us!, downfall in stocks will be predictable and so on,” according to the group.
The song choice by the hackers in the video – the group doesn’t give a name, but one calls himself “Mr. Smith” – further drives that point home and is clearly meant to send a message to HBO that if they don’t follow through and pay the ransom, the group will go scorched earth on the media powerhouse.
Such a conflagration would likely mirror what Cersei Lannister herself did in that final Game of Thrones episode where she used a gathering of her enemies in the Holy Sept of Baelor at a trial meant to persecute her as a way to blow up the entire edifice – literally and figuratively burning down her political, physical and ideological foes in one fiery fell swoop.
To view the full scene from the actual show from the episode “Winds of Winter,” please click here.
The hack comes at a particularly sensitive time for HBO, whose parent, Time Warner, is awaiting proper regulatory approval to sell itself to AT&T Inc. in what is expected to be a more than $85 billion deal announced in October.
The Guardian and other publications reported on Tuesday that hackers had posted some stolen HBO files online, again demanding the Bitcoin ransom to prevent additional releases, according to Reuters.
Entertainment Weekly reported last week that hackers had stolen the data and leaked online a script or treatment for an upcoming episode of “Game of Thrones,” along with yet-to-be-broadcast episodes of the series “Ballers” and “Room 104.”
Why attack the Seven Kingdoms? Because we can
But with so many targets for hackers tied to organized criminal groups, rogue and recalcitrant nation states and hacktivists, it begs the question: why HBO and why “Game of Thrones,” a fantasy series of political intrigue where four main houses scheme, plot and fight to sit on the Iron Throne?
The answer is not an easy one and forces you to get into the mind of a hacking group where money alone is not always the true end. Hackers are not like the mafia mobsters of old, shunning the light to ply their deals in darkened back alleys.
Some hackers will take down a company, bank or site simply for the challenge and fun of it – to say they could. In essence, bragging rights.
One of the reasons hackers would attack HBO, and try in particular to grab “Game of Thrones,” is because it would be a notorious “feather in their cap,” said Walsh, of SightSpan.
“If you attack a cooking show, who will care,” he said. “But if you go after Game of Thrones, one of the widest-viewed shows on TV, that is front page news around the world. You will have a lot more notoriety. In some parts of the world, these hackers are treated like Rock Stars.”
Such intimidating street cred – even without an immediate financial windfall – can reap even bigger rewards down the line, say cybersecurity experts.
At least in the case of HBO, members of this group, if they want to go straight, now can say they are part of the operation that stole “Game of Thrones,” and brought a media juggernaut to heel, a marketable mark of their virtual skill and something that can be an invaluable asset to companies trying to create more secure virtual vaults that will keep out others of their equally brazen ilk.
Conversely, members of this hacking group can also now use this breach as a way to scare other companies they have punctured into paying their requested ransom.
“Do you want to know who we are and how dangerous we are? We are more conniving than the Lannisters,” these hackers could say. “We are more invincible than the White Walkers. We breached your Great Wall. We are the house that won the Iron Throne.”