In Hollywood, cybercriminals have found a lucrative niche: While they may not be able to break into a Universal Studios or a Netflix directly, they have learned that the highest-profile targets are supported by a system of soft targets — content collaborators, remixers, postproduction studios and others — that do not have the same resources, security technology or sense of paranoia.
In a carefully tailored message, the hackers urged an executive at September Management, a music management business, and another at Cherrytree Music Company, a management and record company, to send them Lady Gaga’s stem files — files used by music engineers and producers for remixing and remastering.
Last year, TheDarkOverlord — the hacker believed to be behind the attacks against Netflix and Hollywood studios — menaced a midsize investment bank, a glue company, a cancer charity, health care providers and other charities across the country.
Some of Synack’s clients — and increasingly some insurance underwriters — have started asking the company to look into possible vendors.
“The problem is that security firms sell their software to the 1 percent of companies that can afford it, but the real damage continues to come from below.”
The security weaknesses of vendors are increasingly the weaknesses of their clients, no matter how fortified their own networks.
The heist — which has not been reported previously — was a classic example of how hackers exploit the weakest link in the extensive chain of vendors, postproduction studios and collaborators that corporations must trust with their most valuable intellectual property.