Blackhat movie: The Good, the Bad, and the Ugly

The movie does, in fact, have some interesting things to say about the kinds of cyberthreats we're now up against

If you still haven't seen the new Michael Mann movie, Blackhat, with Chris Hemsworth playing the lead, you won't be getting any new insights into how hackers work.

If you are not a security professional, however, then the movie does, in fact, have some interesting things to say about the kinds of cyberthreats we're now up against, so stop reading and go see it.

Good: The IoT attack was real

Unlike other movies, in which hackers magically crack "several layers of encryption" with their laptops, the attacks in this movie are actually credible hacks.

The central attack, for example, takes down a nuclear power plant. Okay, there was a bit more explosion than when Stuxnet took down a nuclear power plant in Iran, but then again, it is a Michael Mann movie.

"The gist of Stuxnet was to go after programmable logic controllers inside critical infrastructure devices and industrial devices," said Jeff Schmidt, founder at Chicago-based JAS Global Advisors LLC, a consulting firm focusing on technology for critical infrastructure sectors.

"In the case of Stuxnet, it was centrifuges used in preparing uranium," he added. "In the case of this movie, it was water pumps that were used in a nuclear power plant."

This is a real threat. Many industrial control systems were built before the Internet or by companies that focus on hardware, not security software, and are now vulnerable. If your company or organization is putting off spending the money it would take to get this fixed, then maybe this movie will scare you into action.

Bad: ... but the IoT attacks made no sense

Right at the start of the movie, the bad guys go after two targets -- the nuclear power plant, and the Chicago futures market.

The attack on the power plant brings in massive and immediate attention from law enforcement, who immediately launch a coordinated global search.

The attack on the Chicago futures market brings in $75 million. Without the other attack, the bad guys could have taken the money, gone home, and lived happily ever after.

"It reminded me of the old James Bond movies and the cartoons where the bad guy always has the perfect opportunity to kill the hero, and employs some overly complicated Rube Goldberg machine to kill the good guy and it never works," said Schmidt.

Instead, the two initial attacks turn out to be part of a setup for a ridiculously complex evil plan that I'm not going to go into here.

"In reality, it's just unnecessary," said Schmidt. "With their skills, there are a lot easier ways to make more money -- and they already did! $75 million in a couple of hours. They could lather, rinse, repeat and make a whole lot of money."

Ugly: ... the criminal hacker is the one genius who can fix things

Plenty of smart people try their hand at hacking and find out that they're good at it, but stop short of actual criminal activity and jail time. Or maybe they just were smart enough not to get caught.

And plenty of other smart people go straight into computer science and forensics and cyber security.

If the FBI needed some bright minds to send against the bad guys, surely there were better options than a criminal who'd written a Trojan back in college and had been stuck in prison for the previous five years after getting caught breaking into a bunch of banks. Not to mention the fact that he'd previously served another year for a bar fight.

In fact, we first meet him at the start of the movie when he's caught yet again, this time for using a cell phone to hack into the prison's commissary accounting.

Really, you want this guy? Really?

Then, instead of keeping him in some secure facility while he offers his advice in return for time off his sentence, the FBI sends him into the field. What? Why?

So, okay, it's unlikely, but maybe this guy has some insights into some code. But since when does that make him qualified to run around alleys and get into shootouts?

Good: The social engineering was real

In one pivotal scene, Hemsworth's hacker, who's named Hathaway, sends an email to an NSA official purporting to be from the official's boss, referring to a conversation that official just had with an FBI agent.

That's an excellent example of a highly targeted spear phishing attack, in which the hacker uses all the knowledge he acquired about the target to create an email that convinces the official to open a document that contains malware.

This happens. The Sony hack reportedly started with a phishing email. People are always clicking on things they shouldn't -- even people who you'd think would know better.

Later on in the movie, a pretty woman talks a bank employee into printing something for her from a USB drive -- a drive that also contains malware.

That happens, too.


Bad: The social engineering is normally just the start of an attack

But it's a big step from infecting a computer at the bank's periphery to actually being able to initiate wire transfers out of bank accounts.

It's not necessarily impossible, but banks have been adding a lot of checks and balances in recent years. Not only would it take more than a few minutes to get to the core financial systems, but even once into an account, it takes more than a few clicks to initiate a wire transfer.

Maybe movie criminals do business with different kinds of banks, but in my experience, wire transfers require paperwork, a lot more information than just the destination bank account, and take a couple of days to go through.

Though I do have to give this bank props for not transferring the money one dollar at a time, the way most other movie banks seem to do, while showing a progress bar and a convenient "abort" button that makes the money go back again -- but also one dollar at a time.

Meanwhile, the NSA has been upping its security as well. The system Hathaway was after should have been a lot harder to get to.

"Such a system would not be on the Internet with just user name and password authentication," said Schmidt. "Even if the system was connected to the Internet, some strong authentication would be required. The fact that our hero could just log into the system from China via the Internet, that would not happen."

Good: The terminology was real

Thanks to the consultants who worked on the movie, there was a lot of accurate terminology, from the Unix code used, to the discussions of remote access Trojans and Onion routers, to the programmable logic controllers.

When Hathaway communicates with the bad guys, he does so through a server.

"He's on a Bash shell, that was real," said Derek Manky, global security strategist at Sunnyvale, Calif.-based Fortinet Inc. "That was pretty surprising to me that they used real commands and that was a real way to communicate. Other movies don't use that -- it's usually fantasy interfaces with messages that pop up on the computer."

The IP addresses weren't realistic -- some of the numbers went above 255.

"But I'm pretty sure they did this intentionally, not to advertise anyone's IP addresses," Manky said.

Bad: Real hackers prefer IRC

The Unix write tool is old-school terminal-to-terminal, said Schmidt.

"It's not totally off-base, but it's not the tool that the bad guys and good guys use to talk in real life," he said. "It's almost always over IRC."

IRC -- Internet relay chat -- allows for both group discussion channels and private messages, and, though it dates back to the early days of the Internet, back before the Web, it is still being used for communication.

"IRC is a great way to do that anonymously and pseudoanonymously," said Schmidt. "Most of the big botnets, their command and control leverages IRC. When you're negotiating a ransom, it's almost always over IRC ... and nowadays over Twitter."

Ugly: Banks aren't people?

Hathaway is the movie's protagonist, so there's always an excuse for what he does. He robbed banks because he couldn't get hired with a conviction on his record. And, as he points out in the movie, he didn't steal from people. Just banks.

Oh, so that makes it okay.

I was not happy with the movie's ending. However, I console myself with the fact that given his inability to avoid getting caught -- even the NSA found him out immediately -- Hathaway will be back in jail in no time.

Stories by Maria Korolov
