Details are leaking out about yet another hack of a major content production and distribution company. HBO on Monday announced it was the victim of a significant data breach that could involve the exfiltration of up to 1.5 TBs of information. While the investigation into the extent of the compromise and the actors behind it are ongoing and currently in the nascent stage there are a couple things we can say about what this hack isn’t.
The current comparison to Sony is a false corollary. Sony was the victim of a Nation State (North Korea) seeking retribution for an action taken by the company (the production of The Interview). The primary motivation of the attackers in that case had to do with damaging the company. The data exfiltration and subsequent release seemed to have more to do with the smoke screen of trying to create a new “hacktivist” group to throw off attribution than to actually steal the data. The fact that the data happened to be significantly damaging to the brand’s reputation was likely an added, happy happenstance from the attacker’s perspective.
Every early indication we have from the HBO intrusion doesn’t fit that narrative. Without access to the raw data and forensic investigation it is impossible to concretely state what the intention of this actor set was. What we can say is that so far this incident is unique. While Sony is an edge case when it comes to compromises of the entertainment industry, the lack of a financial motivation also makes this an interesting case. In the recent compromises of Disney and Netflix, a ransom note was associated with the theft of the data. The financial motivation was clear, if unmet. In the case of HBO, there appears to be no ransom and thus no clear motivation.
There are several possible motivations that range from troubling for HBO to potentially catastrophic. Below we will shortly outline each and discuss briefly their plausibility.
- The Egotist – A person or group who wants to demonstrate their prowess and/or establish their bonifidies within hacking forums. This is plausible due to the small online presence the group claiming credit for the hack appears to have. Additionally, the fact that the data is being released in a piecemeal fashion prolongs the news cycle associated with the hack.
- The Uber Fan/Information Freedom Hacktivist – An individual or group that wants to have access to the data because they want to liberate the information and just can’t wait for next week’s episode. This is unlikely because if freedom of information was the primary factor the initial dump would have been a lot larger and the teasing with scripts and the executive’s accounts would not be included.
- Retaliation – HBO’s recent attempt to crack down on the piracy of Game of Thornes in particular has the potential to motivate some hackers to retaliate due to a social justice perspective. Additionally, the controversy around their new show Confederate would fall into this category. In this case the hack would be motivated to not only share content but also to damage the reputation of the company to demonstrate consequences for clamping down on the piracy or being perceived to propagate an unwanted message. If this was the motivation it is likely that embarrassing information will be feed to the news cycle as a type of deterrence and retaliation. If this was the motivation, one would expect to see a splashier messaging campaign associated with it to make sure that the connection to the anti-piracy was clear. Also, the mail exchange would be an ideal target of this type of campaign. If that was not compromised it makes this a less likely scenario. A deterrent or retaliation only is effective if the recipient understands why the action is being taken.
- Industrial Espionage – The releasing of information could, like in the Sony example, be a smoke screen for different nefarious purposes. Having access to that amount of data likely includes pre-production information and financial data, in addition to other sensitive documents. This would be a treasure trove for a competitor looking to one up HBO. Given the potential merger between AT&T and Time Warner this has some plausibility to the theory. The lack of sensitive company information being leaked has the potential to support this as a motivation, but the lack of a compromise of the mail server would be a large oversight if this was the main motivation. Once data becomes public it loses its competitive intelligence value. However, proving this as a motivation is also significantly difficult without knowing where the stolen data was routed to.
- The Enablement Campaign – With well over 100 million TV subscribers and over 2 million HBO Go subscribers, HBO has a significant distribution network directly to network devices. It would be possible for an intruder to not only steal information but use the compromise to insert data into HBO’s streaming content. If they coupled a malicious payload with a zero-day exploit for Silverlight or another streaming media player that delivers HBO content to devices, you would theoretically have an auto delivered, trusted, exploitation of 10s of millions of devices. The plausibility of this is exceedingly low as the sophistication required to pull off an operation like this would be exceptional. However, as we continue to see a convergence of trusted streaming content pushed directly to computers it is only a matter of time before someone pulls off an operation in this manner.
Those investigating this breach will slowly uncover forensic evidence that leads to a clearer picture of who and why this intrusion happened. While we currently do not have enough information to answer those questions, we do have enough to say who likely wasn’t responsible and motivations not likely at play. This is not another Sony style attack, there appears to be no malicious nation state actor attempting to cause direct harm to the company. Furthermore, this does not appear to be a financially motivated attack due to the lack of a ransom note. It is possible that the same group that went after previous distribution companies is at work here and they just gave up on trying to get the companies to pay. But it is unlikely that the intruder in this case is expecting to gain monetarily from the theft and threat of distribution of content.