Netflix hack: attacker unleashes his rage over failed extortion

Recently leaked 10 episodes of the “Orange Is the New Black” show’s season 5 have demonstrated how vulnerable entertainment companies are in face of hacking.

A newsmaking hack incident as of late April 2017 involving Netflix and a related media company became a serious wakeup call for proprietors of popular streaming video services. A threat actor identifying himself as The Dark Overlord (TDO) ended up carrying out copyrighted materials leakage threats after the compromised organization refused to submit a ransom in exchange for not releasing the content. The worst part of the whole story is that the unsanctioned release occurred more than a month before the show was scheduled for official airing.

By the way, this particular cybercrook had gained notoriety last year for hacking healthcare institutions, most of which are U.S. based, and holding their software source code and patients’ records for ransom. Following a fairly lengthy hiatus, said ill-minded individual, or group of criminals, made quite a reappearance with the latest Netflix breach story.

Before dwelling on the details, it makes sense to first address some significant misperceptions, though. The incident in question isn’t about ransomware proper in the sense that no crypto-backed malicious code was ever involved. Instead, it’s a classic doxing attack, where felons get hold of sensitive content and blackmail the owner by threatening to make it public unless a ransom is paid up. Another important fact is that it’s not Netflix that was actually breached. The original target was a partnering post-production company called Larson Studios, Inc.

The timeline of this defiant blackmail dates back to January 2017. The attackers most likely spotted a security flaw in the systems of the above-mentioned Larson Studios. By breaching its IT infrastructure, The Dark Overlord accessed and pilfered unreleased episodes of “Orange Is the New Black” series, possibly along with several dozens of other shows. According to information TDO provided to DataBreaches.net, the post-production company first opted for the ransom route to sort things out by the end of January. The amount was 50 Bitcoin, which is worth about $80,000 at the time of this writing. However, the target never submitted the cryptocurrency requested by the crooks, neither till the deadline nor afterwards. This turn of events made the attackers switch to negotiating with Netflix.

Later on, having realized that the extortion attempts were futile, The Dark Overlord decided to act. On April 28, he wrote the following on his Twitter page @tdohack3r: “Let’s try to be a bit more direct, Netflix,” also posting links to Pastebin and ThePirateBay pages hosting 10 downloadable episodes from season 5 of the ransomed “Orange Is the New Black” show. Although the episodes are in 720p and have quality issues, the leak is still a big problem for the streaming service.

In another tweet the same day, TDO wrote: “Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have. We’re not playing any games anymore.” A particularly disconcerting thing is the hacker reportedly also stole unaired content for 36 more TV series and films. Incidents like this one should provide food for thought to these types of services. One of the nontrivial nuances is that even though the company’s networks were never breached, the bad guys were still able to find a weak link along the production chain. So partnering organizations should, obviously, do a better job hardening their security.

Perhaps Netflix did the right thing ignoring the hackers’ demands and refusing to fuel the darknet business with thousands of dollars. But, again, the moral of the story for such companies is to safeguard all facets of their activity rather than focus on their own security posture only.