Data Loss Prevention (DLP) , Governance & Risk Management , Incident & Breach Response

Feds Indict Iranian Over 'Game of Thrones' Hacks

Iranian National Charged With Extortion, Leaking Unreleased Episodes
Feds Indict Iranian Over 'Game of Thrones' Hacks
The Night King from the HBO series "Game of Thrones." (Photo: HBO)

A 29-year-old Iranian man has been charged with a $6 million extortion attempt against entertainment company HBO after he allegedly stole scripts for unaired episodes of the popular show "Game of Thrones" and other confidential information.

See Also: Justifying Your Hybrid Cloud Network Security Investment

Behzad Mesri is accused of compromising accounts for HBO employees that allowed him to gain deep access into the company's systems. Mesri claimed to have obtained 1.5 terabytes of information, including unaired episodes of "Ballers," "Barry," "Room 104," "Curb Your Enthusiasm" and "The Deuce."

Mesri is charged with one count each of wire fraud, computer hacking and interstate transmission of extortionate communication and three counts of threatening to impair the confidentiality of information, according to the indictment, which was unsealed Tuesday in U.S. District Court for the Southern District of New York.

If convicted, Mesri could face a maximum of 24 years in prison. But Mesri lives in Iran, and the U.S. does not have an extradition treaty with the country.

"Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice," says Acting Manhattan U.S. Attorney Joon H. Kim.

The U.S. Department of Justice has increasingly issued indictments on computer hacking-related charges against those living in countries such as Russia or China, which also don't have extradition agreements with the U.S. Those indictments may never result in prosecutions if those accused stay in those places, but it also makes it difficult for them to travel to countries that do have agreements with the U.S.

Extortion Attempt

Source: FBI

The attack against HBO was one of several high-profile extortion attempts this year. The target of those schemes is confidential, sensitive or simply embarrassing data that is held for a ransom, usually payable in virtual currency.

Although the FBI advises against paying ransoms, in some cases, organizations view paying as a cost of doing business. But they're also hedging that a hacker who has committed a crime will uphold their end of the deal and not publicly release the data.

HBO's situation spilled out publicly. Mesri is alleged to have emailed the news media as he continued to pressure HBO into paying. A Twitter account was used to tease proof of the compromise. In early August, HBO disclosed that it had been targeted.

Mesri allegedly demanded $6 million in bitcoin, the virtual currency that has surged in price in recent weeks. Starting in May, Mesri compromised "multiple user accounts" and used the access to gain access to HBO's servers, according to the indictment.

After compromising the data, Mesri sent emails in late July to HBO executives, employees and others with a "non-negotiable" ransom demand, the indictment says. He also allegedly threatened to erase data on "80 terabyte hard drives."

Mesri allegedly sent an email to HBO executives claiming he had obtained scripts and final video files. According to the indictment, the email contained this image of the Night King from the series "Game of Thrones."

The incident for which Mesri has been charged is different from another one that resulted in the release of one episode of "Game of Thrones."

On Aug. 15, police in India arrested four men, three current and one former employee who worked for Prime Focus Technologies, in connection with that separate incident. That company was a contractor of Star India, a broadcasting company that carries HBO programming. The men were accused of using their insider access to steal the episode (see Authorities: 4 Insiders Leaked 'Game of Thrones' Episode).

Website Defacements

U.S. prosecutors alleged that Mesri was part of an Iran-based hacking group called the Turk Black Hat Security team. That group defaced websites, and Mesri is believed to have used the pseudonym "Skote Vahshat."

Prosecutors also believe Mesri did work for the Iranian government, which experts say has well-developed offensive cyber capabilities.

"Mesri was a self-professed expert in computer hacking techniques and had worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems and Israeli infrastructure," the indictment reads.

Source: Department of Justice

Sour Deals

HBO didn't pay the ransom and now has seen an indictment get lodged against the alleged perpetrator. Other entertainment companies, however, haven't been so lucky.

The post-production facility Larsen Studios in Hollywood saw its systems get breached in December 2016. The attackers identified themselves as being part of The Dark Overlord hacking group. As reported by Variety, Larsen gave the attackers $50,000 in bitcoins in an attempt to satisfy their demands.

But the group failed to honor its agreements, claiming that it discovered Larsen Studios had been in contact with the FBI, and then released some of the stolen data. That included season five for the hit Netflix TV series "Orange Is the New Black," which had yet to be released.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.