I like to think I’m uniquely qualified to review the movie “Blackhat” due to a blend of experience involving an Excellence Award in eighth-grade shop class, hands-on training running a power plant at a previous job and an affiliation with IBM X-Force. I generally enjoy an excuse to sit in a dark theater, eat popcorn and be entertained. I went into the movie having read an article that stressed the technical accuracy that director Michael Mann was pursuing for the film, engaging an industry consultant to create plausible hacking scenarios.
And that’s the best word to describe this movie: plausible. As we dive into the different scenarios, bear in mind that there will be spoilers.
The opening attack scenario involves the remote compromise of the programmable logic controller on a cooling pump in a nuclear plant near Hong Kong, which masks the actual performance of the equipment, ultimately causing a cooling failure and reactor meltdown. The exploit is launched via an “elegantly” coded piece of software adapted from a remote access tool (RAT) developed by the main characters. The payload downloaded by the RAT was obviously from a different developer because that coding style was “frenetic” when compared to the RAT.
Having just written about a 2014 attack on a German steel mill, which hearkened back to Stuxnet in 2010, I found this SCADA exploit absolutely believable. Reusing and adapting code is a familiar practice for attackers, and investigations frequently compare samples to identify common attack vectors.
Social Engineering in ‘Blackhat’
A good bit of what the movie gets right is the social engineering scenarios. In one example, a recently hired employee is found to have not been what he represented himself to be, mysteriously going on leave shortly after accessing sensitive data. In another, a woman assists in gaining access to banking records by asking a security guard at the front desk of the bank to print a new copy of a report she needs for a meeting. Little does the guard know, the USB drive she hands him with the report is loaded with a bit of malware that lets the remote cybercriminal infiltrate the bank’s network.
I think my favorite example was a bit of spear phishing done by the team to gain access to a National Security Agency system. After getting shot down through official channels to use the system, the team spoofs an email from the manager of the employee that turned them down. This tricks the employee into opening a PDF file (appropriately named “password policies”) that contains a keylogger, letting the team identify the employee’s own login and password.
These are all eminently believable scenarios that play out in the real world. I suppose everyone should work on educating employees to check email headers and not accept USB drives from strangers.
Protecting the Network
One of the most frustrating things about any hacking scenario in a movie or television show is the reliance on firewall technology to protect the enterprise. Firewalls have come a long way, but they are by no means sufficient to protect an entire enterprise network, which can include endpoints, data centers and Web applications. The nuclear plant in question was described as being “massively firewalled,” which is not even a real thing. There are massively scalable firewalls, but multiple firewalls (or putting firewalls really close together in the data center) don’t add all that much protection since bad firewall management policies in the first firewall tend to be repeated on subsequent firewalls.
“Blackhat” redeems itself for this misstep, though, since the network is also described as using intrusion prevention and deep-packet inspection. I offer kudos to the producers for getting up to speed on newer security technologies, although they did not reference a security intelligence system to bring it all together.
A later protection strategy showed a small piece of hardware that generates a one-time password, but it is portrayed as a fingerprint scanner. Its use instilled a character with such confidence that he said his fingerprint was his only password. That would be a great line if biometrics were sufficient in and of themselves; however, there are plenty of examples of researchers fooling fingerprint scanners. Still, it’s a small nitpick among otherwise accurate scenarios.
“Blackhat” gets a lot of the security technology and practice right. When the tech trail runs out, they follow the money, allowing the two streams of clues to complement each other. Where the movie takes technology liberties, they are relatively small.
Even still, the bad guys have trouble hitting the broad side of a barn (demonstrating conservation of the Principle of Evil Marksmanship, even in a movie that strives for accuracy), duct tape is used in the ultimate confrontation and the main characters still take the time for a little hanky-panky in the midst of a nuclear meltdown and looming financial panic. Also, I’ve not known a lot of security analysts who had to issue a beatdown in a restaurant as part of an investigation.
Personally, it was the story elements such as the romance and shootouts that took me out of the realism of the cyberattack scenario, and adherence to technical accuracy was at the expense of pacing and storytelling. It made for an accurate, yet relatively boring movie that would have been better watched at 1.2x speed.
Image Source: Flickr