Fair warning: if you aren’t caught up, there are spoilers for the first episode of the final season of Mr. Robot below.
It’s an alien sensation to be watching the fourth and final season of Mr. Robot as a civilian: having worked as a technical consultant for the first three seasons of the show, most of what unfolded as those episodes aired was already old news. It is satisfying for this season’s events to come as a surprise for a change. It is unsurprising, though, to see Elliot and company right back at it, running the same sorts of playbooks we’ve seen serious threat actors use before (and will likely see again).
As this season opens, the world is preparing for the Christmas holiday, having partially recovered from the effects of a cyberattack with devastating digital and kinetic consequences. Elliot, meanwhile, is in a race against time to thwart the plans of Whiterose and her Dark Army. While the premiere lacked some of the nitty-gritty technical shots that we’ve become accustomed to, the targets and tactics were as real as ever. What is striking in this episode is the indirection. Unable to get the information he needs by attacking the Dark Army directly, Elliot focuses instead on the law firm Lomax & Looney in an effort to uncover records about the Dark Army’s shell companies and financial transactions.
This move mirrors the real-world breach of the Panamanian law firm Mossack Fonseca in 2015, which led to the publication of the now-infamous Panama Papers the following year: the attacker went after the firm that held the paperwork rather than the clients who had something to hide.
Elliot also employs another noteworthy technique in targeting the firm’s namesake partner Freddy Lomax: rather than attempting to evade the law firm’s defenses, he uses those defenses to create a red herring. Elliot – as Mr. Robot – begins by telling Lomax to click a phishing link that he’s just been sent. Lomax protests by saying, “This isn’t going to get past our IT guys,” to which Elliot replies, “That’s what I’m counting on,” before instructing Lomax to create a local archive of his email inbox on a USB thumb drive.
Though we don’t see it explicitly in this episode, it appears as though Elliot intends to send the law firm’s IT department on a wild goose chase by creating the appearance that the phishing link, not the USB drive, was the method of data exfiltration. The noisy, easily detected event becomes the decoy, and the quiet one carries the data out of the building. Most of the remainder of the episode is Elliot’s race to retrieve the USB drive from Lomax as he’s being tracked by the Dark Army’s hit squad using the Bluetooth Low Energy (BLE) beacon in his office keycard.
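The decoy only works if the responders stop looking once they have explained the phishing click. The script below is an added example (it is not code from the article, the show, or any product) of the triage check that defeats it: for every phishing click in an event stream it looks for removable-media mounts and mailbox-sized or archive-type file writes by the same user inside a time window, and labels the case as a possible decoy rather than closing it as "phishing only." The log format, field names, user names and device identifiers are all constructed for the example and are not real data.

```python
"""Correlate phishing-click alerts with removable-media activity.

Added example, not from the original article. The point it demonstrates:
when a phishing click and a USB exfiltration happen close together, an
analyst who only works the phishing alert is chasing the red herring.
Every log line and identifier below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (hypothetical format):
#   <ISO timestamp> <user> <source> <event_kind> key=value ...
SAMPLE_EVENTS = [
    "2015-12-21T09:02:10 flomax proxy    phishing_click url=http://mail-secure-update.example/login",
    "2015-12-21T09:03:40 flomax endpoint usb_mount      device=SanDisk_Cruzer serial=4C530001",
    "2015-12-21T09:05:05 flomax endpoint file_write     path=E:\\inbox_export.pst bytes=734003200",
    "2015-12-21T09:06:30 flomax endpoint usb_unmount    device=SanDisk_Cruzer serial=4C530001",
    "2015-12-21T10:15:00 jdoe   proxy    phishing_click url=http://mail-secure-update.example/login",
    "2015-12-21T10:40:00 jdoe   endpoint file_write     path=C:\\Users\\jdoe\\notes.txt bytes=2048",
]

MEDIA_EVENTS = {"usb_mount", "usb_unmount"}
# Mailbox exports and archives are the file types a decoy is most likely to hide.
EXPORT_EXTENSIONS = (".pst", ".ost", ".mbox", ".zip", ".7z")
LARGE_WRITE_BYTES = 50 * 1024 * 1024  # anything this size on removable media deserves a look


@dataclass
class Event:
    ts: datetime
    user: str
    source: str
    kind: str
    fields: Dict[str, str]


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, user, source, kind, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.fromisoformat(ts), user, source, kind, fields)


def _looks_like_export(ev: Event) -> bool:
    """A file write is suspicious if it is an export/archive or simply very large."""
    path = ev.fields.get("path", "").lower()
    size = int(ev.fields.get("bytes", "0"))
    return path.endswith(EXPORT_EXTENSIONS) or size >= LARGE_WRITE_BYTES


def correlate(lines: List[str], window: timedelta = timedelta(hours=1)) -> List[dict]:
    """For each phishing click, report same-user media/export activity in the window.

    Returns one finding per click, in timestamp order. A click with nothing
    else around it is 'phishing_only'; a click with a USB mount or an
    export-sized write nearby is 'possible_decoy', i.e. keep investigating.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    findings = []
    for click in (e for e in events if e.kind == "phishing_click"):
        related = [e for e in events
                   if e.user == click.user and e is not click
                   and abs(e.ts - click.ts) <= window]
        media = [e for e in related if e.kind in MEDIA_EVENTS]
        exports = [e for e in related if e.kind == "file_write" and _looks_like_export(e)]
        findings.append({
            "user": click.user,
            "click_at": click.ts.isoformat(),
            "verdict": "possible_decoy" if (media or exports) else "phishing_only",
            "removable_media": sorted({m.fields.get("device", "?") for m in media}),
            "suspect_writes": [x.fields["path"] for x in exports],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed stream, the first click (flomax) comes back as a possible decoy because a USB mount and a 700 MB .pst write sit minutes away from it, while the second click (jdoe) stays phishing-only. The window and size threshold are tuning knobs; the design choice that matters is that a phishing alert never closes on its own until the same user's endpoint activity in the surrounding window has been read.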
As is often the case with Mr. Robot, even when an episode’s human drama overshadows the hacking and security elements, there are valuable security lessons:
The final takeaway is that, unlike Elliot, real-world adversaries don’t have lofty ideals, nor do they suffer crises of conscience: they will continue to pursue their objectives without regard for the collateral damage. There are only so many episodes of Mr. Robot left, but the raft of recent and likely future breaches offers enough fodder for a run that could rival Gunsmoke or The Simpsons. Let’s take what art has shown us and use those lessons so there is less to imitate going forward.
James Plouffe (CISSP) is strategic technologist at MobileIron and a former consultant for the TV show Mr. Robot.