Experts Say the Hacker Flick Blackhat Is Kinda Accurate

Chris Hemsworth and Viola Davis in Blackhat (Universal Pictures)
Catastrophic attacks like those in Blackhat would be tough, but far from impossible.

In a week where American Sniper dominated the box office and the critics’ attention, Michael Mann’s cyberthriller Blackhat was by and large overlooked. The film, in which a joint Chinese-American task force pursues a mysterious hacker wreaking havoc on nuclear plants and financial markets alike, has earned decidedly mixed reviews from the critics. It has, however, won near-universal acclaim from actual hackers and security experts, who have praised the film’s technical accuracy and said it’s the best movie of its kind ever made. With that in mind, it’s worth taking a closer look at some of the technology and scenarios presented in the film. Just how accurate are they?

Blackhat opens with an unknown hacker deploying a cyberattack against a Chinese nuclear-power plant that causes its cooling system to overheat and fail, resulting in a meltdown. The attack simultaneously tricks the plant’s diagnostic systems into not registering the cooling units’ failure, so that plant technicians are unaware of any problem until it’s too late. In the aftermath, a cyber-specialist from the People’s Liberation Army spots a piece of code from the attack originally co-written by himself and his former roommate at MIT, Nick Hathaway (Chris Hemsworth), who is currently serving a prison sentence in the U.S. for hacking into banks. The PLA negotiates with the FBI for Hathaway’s temporary release to assist in the investigation, and the two men and their team are soon on the cybercriminal’s trail.

The tool with which Blackhat’s mysterious hacker deploys the attack is known as a Remote Access Trojan, or RAT. A RAT is a piece of malware that gives an attacker complete remote control over whatever computer or system it infects. Once inside, a hacker can do anything from browsing and copying files to executing commands without fear of detection. “There’s no window that’s running on [the victim’s] desktop, it’s all kind of happening in the background so you don’t know that your machine has been compromised,” says Dmitri Alperovitch, a co-founder of the cyber-security firm CrowdStrike and a senior fellow at the Atlantic Council.

The trick for the hacker is getting the victim to open the RAT on their computer. One way is through what’s known as a phishing attack, in which the hacker sends an e-mail to an unsuspecting individual pretending to come from a friend, business associate, trusted organization, etc. The e-mail will come with an ordinary-looking attachment — say, a PDF or Word document — that has the RAT “wrapped” or “bound” to it. If the victim can be lured into opening the attachment, then the RAT is installed. “At that point it’s ‘game over!’,” says Michael Gregg, CEO of the network-security company Superior Solutions.

Launching an attack against a power plant, though, would require some significant added steps. For one, the industrial-control systems that most plants use are “air gapped,” that is, not connected to the Internet or to the plant’s IT network. For another, these systems typically use small hardware devices called programmable logic controllers (PLCs) that run their own specialized code; they don’t run the general-purpose operating systems, such as Windows or Unix, that most hackers are used to working with.

All this would make an attack like the one in Blackhat quite difficult to pull off, but it’s hardly an impossible feat. In fact, it closely resembles the 2010 Stuxnet attack on Iranian uranium centrifuges in Natanz. Using the same mechanism as the plant attack in Blackhat, Stuxnet (widely speculated to have been created by an American-Israeli team) fiddled with centrifuges Iran was using for uranium enrichment. “It made them spin either slightly faster or slightly slower than was needed to produce actual fissionable material,” says Steve Bucci, a cybersecurity expert at the Heritage Foundation. “Eventually, it caused damage to the centrifuges, which are pretty delicate machines.” As with the attack in Blackhat, Stuxnet also spoofed the enrichment facility’s diagnostics so that technicians were unaware of the problem until the damage was already done.

But while the attack in Blackhat was executed almost instantaneously, Stuxnet worked over a period of several months. This has to do with the problem of PLCs mentioned above. The only way for a RAT installed on a plant’s Windows computer or network to infect its air-gapped industrial control system is to wait for the PLCs involved — those that regulate, say, the cooling systems of a nuclear plant or the speed of centrifuges for uranium enrichment — to be temporarily taken off the facility floor and plugged into a Windows machine to be manually reprogrammed and updated. “The RAT they deployed in the Stuxnet attack was very stealthy,” says Alperovitch. It lingered in the background of the infected Windows machines until the time came to reprogram given PLCs with new software. Once those PLCs were connected to the infected Windows machine, the RAT “would surreptitiously insert new code onto them so that they’re programmed with a different software than intended.” After being placed back on the factory floor, they would then behave in the way Stuxnet had programmed them to.

For all the film’s technical accuracy, however, Blackhat’s portrayal of the politics of cybersecurity bears little if any resemblance to reality. The very idea of a joint Chinese-American cyber taskforce — a plot device no doubt intended to draw in a large Chinese audience — is enough to raise eyebrows from experts in the field. When I ask Alperovitch how likely it would be for the U.S. and China to form such a team to tackle a cybersecurity threat, he answers, “About as likely as Hell freezing over.”

He should know. In 2011, Alperovitch alerted much of the wider public to the escalating problem of cyberattacks — especially cyberespionage — in a paper entitled “Operation Shady RAT.” The report documented an unprecedented number of attacks on over 70 different governments, private corporations, and international bodies by a state actor later revealed to be the Chinese government. The paper eventually helped lead to indictments of five members of a cyber unit in the People’s Liberation Army by the U.S. Justice Department in May 2014.

Theft of intellectual property and trade secrets, especially by China, is by far the most frequent cybersecurity problem that affects the U.S. and its companies, doing billions of dollars in annual economic damage but allowing China to speed up its economic development. “The Chinese are continuing to grow their economy based on other people’s R&D,” notes Bucci. “It saves them time and money and gets them the best there is, and if we can’t stop them, they’ll just keep doing it.”

Blackhat, then, is a film as learned in the workings of cyber technology as it is naïve in its portrayal of the politics surrounding it. We shouldn’t harp too much on the latter point, though. After all, when was the last time you expected Hollywood to get its politics right?

— Nat Brown is an associate editor of National Review Online.

Nat Brown is a former deputy web editor of Foreign Affairs and a former deputy managing editor of National Review Online.
