How Technically Accurate is Blackhat the Movie?

This weekend Michael Mann’s latest movie Blackhat, starring Chris Hemsworth, Tang Wei, Viola Davis, Holt McCallany, and Wang Leehom, was released. Given the high-profile mainstream media coverage of attacks and data breaches over the past few years, it’s not surprising that Hollywood is capitalizing on cyber-crime trends.

We were curious about how accurately the movie would portray this technical subject matter, so we sent one of our researchers to watch the movie and assess whether the writers and producers did their homework.

Below is Alon Nafta’s review of technical scenes that were central to the plot and whether they are based on fact or fiction. Warning, spoiler alert!

Blackhat scene: A hacker uses malware to control water coolant pumps in a nuclear plant by modifying the Programmable Logic Controller (PLC) code to stop cooling the reactor, causing it to explode.

Fact or Fiction?

Fact: PLC modification has been demonstrated before by the infamous Stuxnet malware, which replaced the control logic running on Siemens PLCs while feeding the operators normal-looking readings, and in doing so caused severe damage to Iranian uranium-enrichment centrifuges. The reactor explosion is Hollywood shorthand, but the mechanism behind it is real.

Blackhat scene: The good guys investigate the Chicago Stock Exchange attack, and establish that it was breached through the IT administrator’s USB drive, which was used to deploy malware. In brief glimpses of a computer screen, viewers can see an autorun.inf file, hinting at the use of the notorious Windows AutoRun feature, which many malware families have used as an infection vector.

Fact or Fiction?

Fact: Autorun has been, and on older or unpatched Windows systems still is, a widely used attack vector. USB drives more generally remain a common delivery mechanism for many types of malware, from worms to targeted implants.

Fiction: The IT administrator claims the USB device is his authentication key to the banking system, hinting that it is a YubiKey. First, the YubiKeys on the market when the film was released had no fingerprint reader (a fingerprint-capable model only appeared years later). Second, YubiKeys and most other OTP dongles present themselves to the host as USB keyboards (HID) or smart-card readers, not as USB mass storage, so there is no file system on them to hold an autorun.inf and Autorun never comes into play. Additional comments: Autorun is also far less effective than it used to be. Since Windows 7 (and, through a 2011 update, on XP and Vista as well) Windows ignores autorun.inf on USB flash drives and honours it only on optical media, and antivirus products routinely flag or quarantine the file.
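
As an added example (this is not code from the film or from the original post), here is the triage a responder would run on an autorun.inf recovered from a USB drive like the one in the film: it parses the file with Windows INI semantics, lists every key whose value Windows would launch, and flags the disguises USB worms relied on. The autorun.inf inside the block is a constructed sample; the key names it uses (`open`, `shellexecute`, `shell\<verb>\command`, `shell`, `icon`, `label`, `action`) are the ones AutoRun actually reads.

```python
"""Triage an autorun.inf recovered from a removable drive.

Added example for this review, not code from the film or the original post.
The sample file below is constructed; Windows 7 and later ignore autorun.inf
on USB flash drives, so this tells you what the file *would* have done, not
that it ran.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the style of USB worms: the drive is dressed up to look
# like an ordinary drive, while every way of "opening" it runs a hidden executable.
SAMPLE_AUTORUN_INF = """\
; autorun.inf (constructed sample)
[AutoRun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\drive.exe
shellexecute=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\drive.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\drive.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Backup Drive
action=Open folder to view files
UseAutoPlay=0
"""

EXEC_KEYS = {"open", "shellexecute"}                       # value is run directly
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|hta|dll)\b", re.IGNORECASE)
HIDDEN_DIR_RE = re.compile(r"(^|\\)(recycler|\$recycle\.bin|system volume information)(\\|$)", re.IGNORECASE)


@dataclass
class AutorunReport:
    targets: List[Tuple[str, str]] = field(default_factory=list)  # (key, value Windows would launch)
    flags: List[str] = field(default_factory=list)


def _parse(text: str) -> configparser.ConfigParser:
    """Windows INI semantics: '=' is the only delimiter, '%' is not interpolation,
    duplicate keys are tolerated, and a file that starts straight with key=value
    lines is treated as if it had the [AutoRun] header."""
    def new_parser() -> configparser.ConfigParser:
        return configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser = new_parser()
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        parser = new_parser()
        parser.read_string("[AutoRun]\n" + text)
    return parser


def triage_autorun(text: str) -> AutorunReport:
    report = AutorunReport()
    parser = _parse(text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        report.flags.append("no [AutoRun] section: nothing would run")
        return report
    items = dict(parser.items(section))  # configparser lower-cases the keys for us

    for key, value in items.items():
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            report.targets.append((key, value))
            if EXEC_EXT_RE.search(value):
                report.flags.append(f"{key} launches an executable: {value}")
            if HIDDEN_DIR_RE.search(value):
                report.flags.append(f"{key} points into a folder Explorer hides by default: {value}")

    # 'shell=<verb>' changes the default double-click action; with a matching
    # shell\<verb>\command, double-clicking the drive runs that command instead
    # of opening the folder.
    verb = items.get("shell")
    if verb and f"shell\\{verb.lower()}\\command" in items:
        report.flags.append(f"default shell verb '{verb}' is redirected to a command")

    # An 'action' string copied from Windows' own AutoPlay entry is the classic
    # disguise that makes the malicious entry look like "Open folder to view files".
    if "action" in items and "open folder" in items["action"].lower():
        report.flags.append(f"action text mimics the built-in Explorer entry: {items['action']}")
    return report


if __name__ == "__main__":
    result = triage_autorun(SAMPLE_AUTORUN_INF)
    for key, value in result.targets:
        print(f"would launch via {key}: {value}")
    for flag in result.flags:
        print("FLAG:", flag)
```

Run against the sample it reports three launch paths (`open`, `shellexecute` and `shell\open\command`) all pointing at the same hidden executable, plus the redirected default verb and the copied "Open folder" text; a benign autorun.inf that only sets a label and an icon produces no flags at all.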

Blackhat scene: The good guys hack into the NSA by emailing someone inside the agency a malicious PDF file that installs malware that then steals his password via keylogging.

Fact or Fiction?

Fact: Spearphishing emails, and leveraging PDF exploits specifically, work.

Fiction: It is hard to believe you can deliver a spoofed email to an NSA employee’s internal mailbox from the Internet without already having access to the NSA’s internal network.
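
As an added example (again not code from the film or the original post), here is the kind of static check a mail gateway or an analyst applies to a PDF attachment before anyone opens it: counting the PDF name objects that give a document the ability to run code or launch programs, while undoing the `#XX` name escapes and inflating FlateDecode streams that evasive samples use to hide those names from a naive grep. The approach follows the widely used pdfid-style triage; the PDF built inside the block is a constructed sample, not an exploit (its JavaScript only opens a dialog).

```python
"""Static triage of a PDF attachment for the features a spearphishing exploit
usually needs.

Added example for this review, not code from the film or the original post.
The PDF bytes built below are a constructed sample, not a real exploit.
"""
import re
import zlib
from collections import Counter
from typing import Dict, Iterator

# Name objects that let a document run code, fire actions automatically,
# carry a payload or reach out to the network.
RISKY_NAMES = {b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/URI", b"/ObjStm"}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Any byte of a name may be written as #XX, so /J#61vaScript is /JavaScript.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_name(raw: bytes) -> bytes:
    """Resolve #XX escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(pdf: bytes) -> Iterator[bytes]:
    """Yield the inflated body of every stream that is zlib (FlateDecode) data.
    decompressobj is used because malicious PDFs often carry truncated or
    damaged trailers that zlib.decompress would reject outright."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # images, fonts, garbage: not Flate data; raw bytes are scanned anyway


def count_risky_names(pdf: bytes) -> Dict[str, int]:
    """Count risky names in the raw file and inside every inflatable stream."""
    counts: Counter = Counter()
    for buf in [pdf, *inflate_streams(pdf)]:
        for m in NAME_RE.finditer(buf):
            name = normalize_name(m.group(0))
            if name in RISKY_NAMES:
                counts[name.decode("ascii")] += 1
    return dict(counts)


def risk_level(counts: Dict[str, int]) -> str:
    """Crude verdict: script that fires on open, or a /Launch action, is what a
    one-click spearphishing document needs. Script or payload features alone
    deserve a look but are common in legitimate forms."""
    js = counts.get("/JS", 0) + counts.get("/JavaScript", 0)
    auto = counts.get("/OpenAction", 0) + counts.get("/AA", 0)
    if counts.get("/Launch", 0) or (js and auto):
        return "high"
    if js or any(counts.get(k, 0) for k in ("/EmbeddedFile", "/RichMedia", "/XFA")):
        return "medium"
    return "low"


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real exploit): the catalog's /OpenAction runs
    JavaScript whose name is hex-escaped to dodge a naive grep, and a
    FlateDecode stream hides a /Launch action dictionary."""
    hidden = zlib.compress(b"<< /Type /Action /S /Launch /F (cmd.exe) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b'4 0 obj << /S /J#61vaScript /JS (app.alert("invoice");) >> endobj\n'
        b"5 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
        + b"stream\n" + hidden + b"\nendstream\nendobj\n"
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf()
    found = count_risky_names(sample)
    print(found)                      # includes /JavaScript and /Launch despite the obfuscation
    print("risk:", risk_level(found))
```

A plain `grep -c /JavaScript` on the sample returns 0 and `grep /Launch` finds nothing, because one name is hex-escaped and the other sits inside a compressed stream; the scanner above recovers both. The verdict is deliberately coarse: an `/OpenAction` on its own is normal (it often just selects the opening page), so only the combination with script, or a `/Launch`, is rated high.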

Blackhat scene: The good guys hack into a bank by getting a security guard to open a presentation file from a USB drive.

Fact or Fiction?

Fact: Social engineering is widely used, and exploits in well-known presentation software (or payloads delivered on USB drives) work as well.

Fiction: The instant jump from the security guard’s laptop to the internal financial network that actually holds the banking data. These networks are often segmented or physically isolated from each other, so pivoting from one to the other takes further compromises and time, not a single click.

Additional scenes where we feel Hollywood took dramatic license with the good guys’ abilities include:

  • They were able to pull the satellite shots the adversaries had bought by hacking into the adversaries’ directory at their hosting provider.
  • They analyzed malware in a weird-looking hex editor. Real-life malware researchers work mainly in disassemblers and debuggers; a hex editor is at most a first glance at the file.
  • They cracked a 512-bit GPG key in about 10 seconds by hacking into the NSA’s super-secret Black Widow infrastructure. A 512-bit RSA key, for example, is weak enough to factor with rented cloud hardware, but that takes hours, not seconds.

It’s clear the movie makers hired competent technology consultants, and we were pleasantly surprised by the accuracy of the film’s more technical scenes, especially the depiction of social engineering, spearphishing emails, USB drives and the exploitation of legitimate file formats in the film’s targeted attack scenes. At the end of the day a movie is meant to entertain, but what Blackhat makes clear is the importance of protection on the endpoints to effectively stop these types of attacks.