Why Cyber Attackers Target the Media and Entertainment Industry

Julie Cullivan, CIO & SVP-Business Operations, FireEye

Few industries shape public opinion the way the entertainment and media industries do. From films that make a political statement to news reports covering a particular angle on a story, these outlets have the capacity to significantly influence public perception.

This puts them squarely in the cross hairs of advanced persistent threat (APT) groups and hacktivists determined to further their own political agendas. Whether it is a criminal intent on stealing data, someone seeking to promote a cause, or a nation-state group intent on influencing content, these cyber attackers share one thing—the goal of disrupting the entertainment and media world by any means necessary.

And they have plenty of ways to do that. FireEye has tracked several groups and the technology they’ve used to compromise organizations within the entertainment and media sectors. Targeted malware gives them remote access to email and files containing confidential information like public releases, mergers and acquisitions, personally identifiable information (PII), and creative intellectual property. Whether it’s accessing journalists’ sources or hijacking websites to sway public opinion, these sophisticated attackers are using some of the latest Trojans, worms, botnets, and other variants to get the information they seek. The tools they use are often difficult to detect, challenging to block, and flexible enough to be used in many attacks.

Who’s Behind Cyber Attacks?

We have observed at least a dozen advanced threat groups impacting these industries in the past several years—most appear to operate from Russia, China, and Syria. Sometimes the threat actors seem to be acting out of retribution; other times they seem to want to block stories that are critical of their sponsoring government. Regardless, they pose significant risk to the targeted parties.

For example, the suspected Russian group known as APT28 painstakingly created emails infected with malware targeted at a journalist who covers issues in the Caucasus region. An email addressed the reporter by name and claimed to be from the Chief Coordinator in the US-based Reason Magazine’s “Caucasian Issues Department,” which doesn’t exist. The goal of the attack isn’t completely clear but the attackers could have used it as a way to monitor public opinion, identify dissidents, spread disinformation, or simply to facilitate further targeting. In this case, the targeted reporter would be a prime source of information for Moscow.

“Any media organization involved in negotiations with foreign state-owned companies would likely be put at risk”

China-based groups have exploited news organizations’ networks for an early glimpse of stories that might put their countries’ leaders, firms or the Communist Party in a bad light. The New York Times and The Wall Street Journal both revealed in 2013 that China-based threat groups were monitoring them, likely to determine the sources for several non-favorable articles written about the country. A threat group suspected to be based in China disrupted access to websites associated with Hong Kong pro-democracy protests.

These are the more well-known attacks we’ve tracked, but there are others. FireEye has observed threat groups targeting entertainment and games software companies, Internet publishing, broadcasting and search portals, magazine publishers and television stations. They’ve stolen everything from user credentials and address books to executive communications and negotiation details—all to further their varied and various causes.

Looking forward, the development of new technologies will probably spur activity from threat groups targeting related intellectual property and proprietary information capable of providing associated state-owned companies with a rapid competitive advantage.

Organizations should also be aware of how the increased popularity and use of social media will likely lead to continued targeting of providers and platforms by APT groups, cybercriminals, and hacktivists. These groups often aim to facilitate further targeting through social engineering, or promote their own views through disrupting services, defacing webpages of reputable media organizations, and hijacking social media.

On the business side, any media organization involved in negotiations with foreign state-owned companies would likely be put at risk, as associated state-sponsored threat actors would probably target such companies to gather intelligence that would provide their associated company with an insider advantage.

While the methods and motives vary, one thing remains constant: the media and entertainment sectors are being targeted for the wealth of opportunity they provide. Outlets without the security to protect themselves will continue to draw the interest of advanced threat groups intent on carrying out their mission. A network that is hacked and taken off air stands to lose more than revenue—the cost of its reputation could prove to be unrecoverable.

These industries that enjoy such freedoms of expression often represent exactly what an APT group wishes to constrain; it’s the very thing they stand for that makes them such enticing targets.

We hear so much about the tangible costs of hacking – the billions of dollars lost, the personal information stolen, the businesses struggling to recover after a breach. What’s less evident is the daily impact it poses to each of us. Cyber crime erodes our privacy in a very personal way: to think that someone out there, somewhere, could access our most personal information with a few simple clicks. When threat actors compromise our news sources, websites and social media— the tools we use each day to get and share information—the impacts on our freedom of speech and our way of life become all too clear. You can’t put a price tag on peace of mind.