How Hollywood Got Hacked: Studio at Center of Netflix Leak Breaks Silence
By Senior Silicon Valley Correspondent
This story first appeared in the June 20, 2017 issue of
Variety.
Larson Studios president Rick Larson and his wife and
business partner, Jill Larson, didn’t recognize the number that sent them these
two short text messages via their personal cell phones two days before
Christmas last year, so they simply ignored them. “We didn’t really think much
of them,” said Jill Larson.
Little did they know that the messages were part of
Hollywood’s biggest security breach since the Sony Pictures hack of 2014. But
in an exclusive interview with Variety, the Larson Studios principals are
breaking their silence on an incident that threatened the existence of their
family-owned audio post-production business. An incident that led them to
quietly wire more than $50,000 in extortion money to a group of hackers, only
to see some of the most valuable works of their clients, including 10 unreleased
episodes of Netflix drama series “Orange Is the New Black,” leak online.
Both Larsons got another message from the same number on
Christmas Eve. “Why are you ignoring me, check your email for a message that
will change your life,” that vaguely threatening message read. They still
weren’t too concerned — but quickly changed their minds when the email arrived
a day later. A hacking group calling itself the Dark Overlord told them it had
broken into Larson’s server, and was threatening to leak all of the company’s
data.
Larson Studios chief engineer David Dondorf and director
of digital systems Chris Unthank left their families on Christmas morning and
rushed to the studio to examine the hackers’ claims. “Once I was able to look
at our server, my hands started shaking, and I almost threw up,” Unthank
remembered. The hackers had stolen and deleted all of the data, just as they
had threatened in their letter. They demanded ransom payments via the
crypto-currency Bitcoin to return what they had stolen. Unthank and Dondorf
unplugged everything, and Dondorf immediately called the FBI.
Hackers leaked 10 episodes of “Orange Is the New Black”
more than a month before the show was to premiere when Netflix refused ransom
demands.
But the authorities weren’t much help on Christmas
morning. “They were, I think, sympathetic, a bit overwhelmed,” recalled Jill
Larson, vice president and head of administration at the company, which has
been in business in Hollywood since 2002. The FBI asked for a form to be filled
out, and it was. But forms don’t tell you how to respond to ransom demands from
hackers with sinister names. So Larson Studios hired private data security
experts to find out what had happened — and what to do next.
They eventually pieced together how the attack had
unfolded. The Dark Overlord had been scanning the internet for PCs running
older versions of Windows that it could easily break into, and happened to
stumble across an old computer at Larson Studios that was still running Windows
7. “They were basically just trolling around to see if they could find a
computer that they could open,” Dondorf explained. “It wasn’t aimed at us.”
Next, the company significantly beefed up its security,
and also closely examined what had been stolen. “We took a large part of January
trying to figure out what exactly they had,” Jill Larson said. This involved
extensive communication with the hackers entirely via email. “Before we were
willing to pay any kind of extortion, we wanted some proof.”
The Larsons didn’t immediately decide to pay the ransom.
“It was an evolutionary process,” Jill Larson said. “The Dark Overlord had
given us a very short window to respond. They were threatening us with actually
releasing ‘Orange Is the New Black’ before New Year’s. So the feeling was that
we needed to at least initially agree to cooperate and buy time.”
Meanwhile, the security company hired by Larson was
looking into the Dark Overlord’s past attacks. The hacking group had targeted a
number of healthcare facilities and other businesses in the previous months.
“It was Gorilla Glue before us, and a children’s charity right after,” Dondorf
said. Past reports seemed to suggest that paying up actually worked. “They
would return the materials, destroy the materials, and it was over. This was
the way they work,” said Rick Larson.
When the hackers finally delivered proof, at the end of
January, of what they’d stolen, including dozens of titles from major studios
such as Netflix, ABC, CBS and Disney, Larson did two things: It filed an
official police report, and it decided to pay. “We had a trust from our clients
to protect their intellectual property, and the best way to do that with these
people was to pay them,” or so the thinking was at the time, Rick Larson
recalled.
The hackers had demanded a payment of 50 Bitcoin, which
equaled a little more than $50,000 at the time. “Buying and sending Bitcoin is
not the easiest thing in the world, we found out,” explained Jill Larson.
First, she had to wire the money to Coinbase, a kind of internet bank for
Bitcoin transactions. That led alarm bells to go off at Larson’s regular bank,
which urged the company to talk to the FBI one more time.
On Feb. 6, Jill Larson and Unthank met with special agent
John Palmieri, a cyber-crime specialist from the agency’s Los Angeles field office.
Palmieri advised them against paying, and told them that the FBI’s
recommendation is to not communicate with extortionists. “But they also
understand that individual businesses make what is their best decision for
their business,” said Jill Larson. “The FBI was aware that we were going to do
this.” An FBI spokesman declined comment for this story.
Coinbase didn’t let Jill Larson pay the entire ransom all
at once, so she spent about a week in February buying Bitcoins and sending them
to the Dark Overlord, 19 transactions in all. After that, Larson Studios
received a final email from the Dark Overlord acknowledging the payment. It
seemed like the company had dodged a bullet.
“That obviously is not what played out,” Rick Larson
said.
A few quiet weeks ensued. Then, on March 31 came a phone
call from the FBI with information that the hackers were using the shows stolen
in December to blackmail various Hollywood studios. A few days later, the
phones at Larson started to ring, with the security departments of various
studios on the other end of the line.
And with that, some hard conversations began. Larson
Studios previously hadn’t told any of its clients of the breach. “We were very
much under a heavy threat from the Dark Overlord,” said Jill Larson. “One of
the agreements was: You don’t tell anybody that this happened, we won’t tell
anybody this happened.” She said the hackers even contacted some journalists to
ping Larson and ask about a possible incident, just to see whether it would
spill the beans. The company kept quiet, and the hackers told the Larsons they
had done the right thing.
Now, the studios wanted to know the whole story, and the
Larsons told them everything that had happened. Upon hearing the news, some
studios decided to take their business elsewhere. But the majority stuck with
the company, and instead helped to further beef up its security. “We work
closely with the studios,” said Rick Larson. “Some have just been very
supportive.”
News of the hack broke in April, when the Dark Overlord
publicly tried to pressure Netflix. The hackers first leaked one unreleased
episode of “Orange Is the New Black,” and when Netflix didn’t pay, followed up
with nine more episodes a month and a half before the show was scheduled to
premiere on the service. Netflix declined comment for this story.
Soon after, another email from the Dark Overlord arrived
at Larson. “They said they felt they owed us an explanation as to why they had
done it,” said Jill Larson. In the email, the hackers argued that Larson
Studios had broken the terms of the agreement by talking to the FBI. “So they
decided to punish us.”
Little is known about the Dark Overlord, representatives
of which didn’t respond to a request for comment for this story. Most security
experts assume that it is not the work of one person but a group, which
frequently hacks and then blackmails small businesses. It would also go on to
leak an ABC show, “Steve Harvey’s Funderdome,” in June.
“Don’t trust hackers,” quipped Rick Larson when asked
about lessons learned. Then, he gets serious. Those weeks in January were a
confusing and stressful time for the small family business, and the pressure
led the company to take actions it now regrets. “With the information that we
had, we made the best decisions we could make at the time,” he explained.
“Those would not be the decisions that we would make now. They may have been a
mistake, and for that, we are humbly sorry.”
Larson Studios has spent months trying to mend
relationships with its clients, and strengthening its security. “You’ve got people
around here who’ve spent the last six months living, breathing and dying this
whole situation,” said Rick Larson. “Lots of lost sleep, and boy, a lot of
learning. We probably know way more than we ever wanted to know about this.”
The company spent an estimated six figures on new
security measures, some of which were recommended by the studios. Now, it keeps
audio and video files separate, so that attackers would never be able to get
their hands on both together. Data leaving the house is encrypted by default,
networks are separated and computers on premises are locked down. “We now know
that we are extremely secure,” Jill Larson said.
That’s not to say that the company didn’t care about
security before. Larson’s employees just didn’t know all that much about it.
Having a computer running an ancient version of Windows on the network was
clearly a terrible lack of oversight, as was not properly separating internal
servers from the internet.
“A lot of what went on was ignorance,” admitted Rick
Larson. “We are a small company. Did we even know what the content security
departments were at our clients? Absolutely not. I couldn’t have told you who
to call. I can now.”
In many ways, the hack was a wake-up call for all of
Hollywood. Studios had already significantly beefed up security after hackers
broke into Sony Pictures in 2014 and subsequently leaked tens of thousands of
emails. But security experts had long warned of the lack of security at
third-party vendors, of which there are many. Studios regularly rely on outside
companies for sound processing, color correction, 3D upscaling and much more.
Some of these outside vendors are big players themselves, but many are family
businesses like Larson Studios. In the wake of the Dark Overlord’s hack, there
is talk about standardizing security for these businesses.
Work on security continues at Larson Studios, which is
still undergoing audits commissioned by some of its major clients. The company
is struggling with the perception that it is at the heart of all of Hollywood’s
security woes. When word about a possible theft of Disney’s new “Pirates of the
Caribbean” movie got out last month, plenty of outlets referenced Larson
Studios, even though the company never touched the movie. “We realized that it
was time that we get our story out,” said Jill Larson. “No material has been
lost or compromised since Christmas morning.”
In the end, there is a realization that the company may
never fully be able to put the episode behind it — if only for the fact that
security requires constant vigilance. “It’s not over by any means,” said Rick
Larson. “However, the light at the end of the tunnel may actually not be a
train. We actually may be heading toward something really good. And it hasn’t
felt that way over the last six months.”