
IT Brew Movie Club: ‘Blackhat’ (2015)

Some tactics shown in the movie “would totally work,” says one pro.


At one point in the 2015 cyber thriller Blackhat, hacker Nicholas Hathaway (Chris Hemsworth) examines the malware on a USB drive. The camera lingers on Hathaway’s screen for a few extra seconds to let us know he is typing real commands and filenames, like cat and autorun.inf.

The movie follows Hathaway as he tries to find the cybervillain responsible for melting down a Hong Kong nuclear plant and disrupting the Chicago Mercantile Exchange.

In an interview with Variety eight years after the movie’s release, director Michael Mann said: “The subject may have been ahead of the curve, because there were a number of people who thought this was all fantasy. Wrong. Everything is stone-cold accurate.”

To that end, Blackhat features its share of autoruns, remote access Trojans (RATs), IP addresses, malicious payloads, and other only-in-IT terms that a cyber defense pro like Paul Taylor, associate director at cybersecurity company NCC Group, deals with day to day. Taylor currently conducts cyberattack simulations for banks.

We spoke with Taylor and Mark Frost, principal security consultant from NCC, about the movie’s accuracies, as well as a few time-specific liberties that Taylor called “Hollywood shortcuts.”

An attack on a nuclear-power plant. In the film, a mysterious adversary compromises a contractor’s laptop with that malicious USB. The drive contains a RAT, which creates a backdoor for a malicious payload that gives the attacker full control of the plant’s control components (programmable logic controllers, or PLCs).

RATs are very real malware programs that open a backdoor through which a remote operator gains administrative control—except the software and the name itself have largely been replaced today by “C2,” or command-and-control implants, Taylor said. And PLCs have been targeted in real incidents, too—most notably at a Pennsylvania water facility, where the controllers were exposed to the internet with their default passwords.

Critical operational technologies like the cooling system of a nuclear plant, however, would almost certainly be air-gapped, meaning disconnected from the internet, according to Frost and Taylor. “Whilst they deployed that RAT, in theory that wouldn’t really work, because there’s still no internet for it to go out to,” Frost said.

A successful attacker would need to know the code that monitors the heating of the nuclear power plant, Frost told us. “You couldn't be exposed to it straight away, and then run an unknown piece of code. To make that happen, you have to be intimately familiar with how the code’s working, almost to the point where you wrote it,” he said.

Also, a nuclear plant likely has some form of low-tech failsafes. “Is there a visual check that’s not a digital control? Is there literally a thermometer in the room where everybody can see it?” Frost added.

The stock exchange. The RAT, installed on an IT admin’s computer, also leads to havoc in the markets and a spike in soy futures.

In real life, the Chicago Mercantile Exchange and New York Stock Exchange both have specific “circuit breakers” that halt trading when stocks experience unexpected spikes or dips. Any manipulation would have to be slow and sly and, once again, would take time.

“If you want to crash a stock market, once you start influencing the price of a stock, they’re going to notice,” Frost said, also noting that today’s attackers frequently use untraceable crypto when interacting with the markets in some way.

Social engineering. One impressive social-engineering tactic in the film shows Hathaway’s partner Chen Lien (Tang Wei) pouring coffee on a stack of papers. She then walks into a bank and asks the front-desk employee if he can reprint her soaked presentation; he agrees, and the USB with her “presentation” contains its own form of money-shifting malware.

That kind of tactic is familiar to Taylor, who, when pen testing, pretends to be “John from IT” and finds a way to convince employees to give up credentials or download a business-disrupting file.

But Hathaway’s hack “would totally work,” Taylor said. Moving from a front desk to the money-holding parts of an organization, however, is far from instantaneous. From a receptionist’s PC (in the movie’s example), a hacker would need to escalate privileges somehow and gain access to a computer hosting the target account.

The review. So, yes, RATs, PLCs, and autoruns are real, but perhaps what’s difficult for a movie to capture is all that waiting around: to learn a nuclear plant’s code, to avoid suspicion from financial regulators, to move laterally from a front-desk PC to a critical system.

In the early autorun sequence, too, the command-line terms are accurate, but a true malware analysis might take days, according to Taylor.

“Something you can’t capture in films, right, is the level of patience of watching,” Frost said. “It’s not just about doing something damaging or cool or whatever you want to call it. It’s about doing it without being detected.”

For more IT Brew movie club, check out our dive into Hackers and Sneakers.

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
