Blackhat Movie Shows Viewers What Cyber-Attacks Look Like

Posted by Fahmida Y. Rashid

Cybercrime is practically on the news every day—infected computers looting individual bank accounts, distributed denial-of-service attacks, hacked social media accounts, and data breaches. So clearly the time is right for a movie about hacking, right?


There are plenty of reviews already for Michael Mann’s latest action thriller Blackhat, so there is no need to repeat what they say here, here, and here. The plot has promise: a “black hat” hacker cripples a nuclear reactor in China and causes a meltdown in a Stuxnet-like attack. The same attacker manipulates trading systems and wreaks havoc with the stock market. The Chinese government asks the FBI for help, and they turn to Nick Hathaway, played by Chris Hemsworth. Hathaway, currently serving time in prison for bank fraud, is released in order to hunt down the criminal behind the two incidents.

The initial attack in the opening scenes of the movie does a great job showing audiences exactly how much damage one can cause in the real world with a few keystrokes. It’s just a little light on the circuit board…but the consequences are disastrous. It’s the rest of the plot that gets confusing, and the master plan, when unveiled, is a bit of a letdown.

The movie gets security right, somewhat (which is no surprise since Kevin Poulsen was one of the consultants). There are a few minor missteps, like calling a Web address an IP address, but let’s give the movie credit for being spot-on for most of the big things. Google’s security princess Parisa Tabriz called it "the most accurate information security movie I've seen."

And that’s the saving grace of this movie. Security teams repeatedly remind employees not to open attachments to change their password—and now movie-goers see what can happen if you fall for that phishing attempt. Organizations frequently remind users not to let people plug USB drives into computers willy-nilly, and the movie shows exactly how social engineering makes it possible for someone to infect your computer with a USB drive.

Blackhat shows mainstream audiences that cybercriminals aren’t just loners sitting in the basement—the criminal underground is well-funded and highly structured, with money mules and low-level members in charge of infecting computers. Cyber-crime is global, with the movie touching proxy servers in Ukraine, hosting providers in Jakarta, money mules in Macao, and infected computers in Los Angeles, to name just a few locations.

Blackhat isn’t an amazing action movie, but movie-goers get a chance to see real security—not the fancy special effects that generally stand in for hacking in Hollywood—and the real consequences that security threats can have on the physical world. Cyber-attacks have messy real-world effects. That’s a lesson we need to remember.

With people still buzzing about the attack on Sony, and Twitter accounts for various organizations being hijacked—such as the New York Post and U.S. Central Command (to name two)—information security managers can take the opportunity to discuss security with their users. Use the examples from real news reports, or even the movie, to illustrate what can go wrong and to explain what to do to minimize risk of attack. It makes sense that cybercrime is in our movies and TV shows. Let’s make sure we are talking about what is accurate and possible so that we can take appropriate steps.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference


