In December, hackers impersonating an executive at Interscope Records, the record label owned by Universal Music Group, managed to bypass all the latest in digital defenses with a simple email.
In a carefully tailored message, the hackers urged an executive at September Management, a music management business, and another at Cherrytree Music Company, a management and record company, to send them Lady Gaga’s stem files — files used by music engineers and producers for remixing and remastering.
With a click of a button, the files made their way into hackers’ hands, according to three people who are familiar with the episode but are not allowed to discuss it publicly. Executives would not elaborate on the incident, and it is unclear what happened to the files.
The heist — which has not been reported previously — was a classic example of how hackers exploit the weakest link in the extensive chain of vendors, postproduction studios and collaborators that corporations must trust with their most valuable intellectual property.
In Hollywood, cybercriminals have found a lucrative niche: While they may not be able to break into a Universal Studios or a Netflix directly, they have learned that the highest-profile targets are supported by a system of soft targets — content collaborators, remixers, postproduction studios and others — that do not have the same resources, security technology or sense of paranoia. And the hackers have started capitalizing.
Last month, a hacker or hackers using the pseudonym “TheDarkOverlord” leaked unreleased episodes of the Netflix hit series “Orange Is the New Black” after breaching Larson Studios, one in a long line of postproduction players that Netflix relies on to tailor its content for high-definition television.
TheDarkOverlord released Netflix episodes after Larson Studios, and then Netflix, didn’t pay a ransom of 30 bitcoins, roughly $ 45,000. Now, that same hacker has threatened to leak content from Larson’s other clients, including ABC, Fox, National Geographic and IFC, if the studios do not pay.
In a message posted to Twitter, the hacker said: “Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we’re all going to have. We’re not playing any games anymore.” A couple of days later, TheDarkOverlord hinted that the next leaks were imminent: “It’s nearly time to play another round.”
For now, Hollywood studios say they have no intention of paying hackers’ ransom, though they could pay dearly in lost revenue and viewers.
“We see this over and over and over again,” said Oren Falkowitz, chief executive of Area 1, a security company. “The problem is that security firms sell their software to the 1 percent of companies that can afford it, but the real damage continues to come from below.”
The security weaknesses of vendors are increasingly the weaknesses of their clients, no matter how fortified their own networks.
The vast majority of breaches — 80 percent by some estimates — stem from a supplier or vendor, according to RiskVision, a risk intelligence company. At Target, hackers stole tens of millions of credit card details by penetrating a tiny Pittsburgh refrigeration company that had been given access to the retail chain’s network.
Chinese state hackers breached the defense contractor Lockheed Martin through RSA, a company it had entrusted to secure employees’ web connections. Hackers breached an oil company through a PDF of a Chinese takeout menu.
Mr. Falkowitz, other security executives and insurance underwriters say the status quo is untenable. Security companies have promised to protect their clients from cyberattacks, while ignoring the less secure vendors, consultants and distributors in clients’ supply chains.
Area 1 has started extending its services to its clients’ principal vendors as part of its core offering, something that most security companies have been reluctant to do.
“It’s our job to protect your business,” Mr. Falkowitz said. “We’re not going to sell software to every five-person mom-and-pop shop, so why not extend our services to those vendors for free?”
Companies like BitSight Technologies and SecurityScorecard in have developed a rating system that allows corporations and government agencies to evaluate how hacker-friendly vendors and other third parties are.
BitSight uses a scoring system of 250 to 900, similar to a credit score. SecurityScorecard gives grades from A to F.
“You could have the most technically secure organization in the world, but the common denominator is people, and they are always susceptible,” said Jay Kaplan, chief executive of Synack, a security company.
Corporations hire Synack to perform sophisticated “penetration tests” of their networks, and increasingly those of their suppliers. Synack then works with hackers they consider trustworthy, many of them freelancers, to find weaknesses in their clients’ systems.
Some of Synack’s clients — and increasingly some insurance underwriters — have started asking the company to look into possible vendors. When Synack gets a vendor’s permission, it performs a full-fledged penetration test to try to break into its network. When it does not have permission, Synack’s hackers scan for open connections like wide-open ports and servers and easily crackable passwords to get a sense of a vendor’s security.
Most likely, hackers with bad intent are looking to do the same. For years, hackers tried to extort money from companies by taking their websites offline with floods of internet traffic — often during prime holiday shopping — and not letting up until their victims paid. More recently, cybercriminals have deployed ransomware, malware that encrypts data and locks out the user.
Now hackers are resorting to old-fashioned extortion. Last year, TheDarkOverlord — the hacker believed to be behind the attacks against Netflix and Hollywood studios — menaced a midsize investment bank, a glue company, a cancer charity, health care providers and other charities across the country.
In each case, the hacker made what it called a “handsome business proposal”: Pay a ransom, or see files deleted, sold or published online.
In January, hackers breached Little Red Door Cancer Services of East Central Indiana, wiping its servers and backups and demanding that it pay 50 bitcoin, about $ 80,000, to have the data restored.
These days, TheDarkOverlord has focused on the entertainment industry, where it found that it can easily get to Hollywood’s crown jewels — its unreleased content. And there’s more money in Hollywood than in charity.