Cyber-Espionage Making Headlines Over Past Couple Weeks

Over the last week, at least five separate cyber-espionage-related news events have made headlines ranging from attacks against governments to company-related targets. The primary goal of cyber-espionage is to uncover company or government secrets, such as military plans, blueprints, or coveted intellectual property. SurfWatch Labs has collected CyberFacts on exactly 300 targets tied with espionage so far this year.

In 2016, central government is the top trending industry target of cyber-espionage.

Espionage Targets
In 2016, Central Government, which includes nation-state level government organizations, is the top trending target associated with espionage. 

Several groups have appeared in SurfWatch Labs’ data concerning espionage in 2016. Group 27 – a cyber-espionage group linked with the Seven Pointed Dagger malware campaign that utilizes a remote access Trojan known as Trochilus and has ties to Asia – is the top trending espionage actor in 2016.

Espionage Actors 2016
Group 27 is the top trending espionage actor so far in 2016. 

Recent Espionage Activity

As mentioned above, there have been five espionage-related events that have made headlines over the last week.

North Korea Hacks South Korea

In February 2014, North Korea began targeting about 140,000 computers throughout several South Korean defense contractor firms and government agencies. The attack was discovered back in February of 2016.

Companies that were not defense contractors were also targeted, such as SK Holdings group and Korean Air Lines, but it appears no data was actually obtained. According to researchers, about 95% of the data obtained in the attack by North Korea was defense related. One of the most coveted pieces of information that was obtained were blueprints for the wings of F-15 fighter jets.

North Korea has denied any involvement concerning cyber-espionage attacks on South Korea. However, evidence obtained from these attacks have been traced back to the North Korean capital Pyongyang.

Russians Hack Network of Democratic National Committee

Two separate hacker groups with ties to the Russian government have infiltrated the network of the Democratic National Committee. The names of both groups have been lovingly named “Cozy Bear” and “Fancy Bear.”

The attacks took place at different times. Cozy Bear first infiltrated the database in the summer of 2015 and was monitoring email and chat communications, while Fancy Bear appeared last April and targeted opposition research files. The Fancy Bear group was able to obtain information held on Donald Trump. Information held on Hillary Clinton and several other GOP political action committees were also targeted.

New Sofacy Campaign Targeting U.S. Government

A Russian-linked cyber-espionage group — known as Sofacy — sent a spear-phishing email to a U.S. government official from a compromised computer belonging to another country’s Ministry of Foreign Affairs. The email had a malicious attachment that, if opened, would have loaded two DLL files on the official’s computer.

One of the files contained a Carberp malware variant of the Sofacy Trojan of which the group’s name is derived. The group has also been called Fancy Bear — which is tied to the Democratic National Committee hack — APT28, Sednit, Pawn Storm, and Strontium.

The good news in this attack is that it was full of mistakes. First of all, the RTF document attached to the email didn’t show any content, which immediately pointed to something being wrong. Also, old IP addresses and C&C server domains were used from past campaigns, which was another flag that this email was malicious.

Mofang Chinese APT Group

The Mofang Chinese APT cyber-espionage group has been around since 2012. The group is identified through their ShimRat malware and is unique from other APT groups because they exclusively use social engineering tactics to target computer networks, not exploits. More specifically, the groups’ attack vector of choice is spear phishing.

The bulk of activity displayed from this group has been against the Myanmar government. The group has also been spotted targeting companies in the United States, Canada, Germany, India, and Singapore. Attacks from this group have continued throughout 2015.

Former IBM Employee Charged with Economic Espionage

On Tuesday, a former Chinese employee from the tech company IBM was charged by U.S. authorities with economic espionage for allegedly stealing source code from the company and handing it to the Chinese government.

Xu Jiaqiang, the defendant, offered the code to undercover U.S. FBI agents posing as tech company officials that were seeking software for their company. Jiaqiang was also intending to provide this source code to the Chinese National Health and Planning Commission where he was previously employed.

Jiaqiang’s indictment also brings with it three counts of economic espionage and three counts of trade secret theft. In total, he faces a maximum of 75 years in prison if convicted of all charges.

Q&A: How can Threat Intel Help Your Organization? (Part 2)

Cyber threat intelligence offers an in-depth look at the potential threats and attack vectors facing an organization. Each organization is different, and in these differences there are a variety of ways cybercriminals can exploit a company. Security tools such as firewalls and antivirus software protect against several of these threats, but they cannot protect an organization from everything. This is where cyber threat intelligence plays a crucial role.

Threat intel gives an organization the ability to identify threats, understand where any lapses in security have already occurred, and gives direction on how to proceed concerning these vulnerabilities. This is a lot of information for any organization to handle on their own, especially since the cyber landscape continues to change.

“The field is constantly growing and evolving; there is no shortage of cyber information, which means it can be very easy to get overwhelmed with it,” said Aaron Bay, chief analyst at SurfWatch Labs. “We sometimes forget to take a peek at what is going on with the rest of the world.”

Yesterday we talked with Bay about the role of the cyber threat analyst. Today we finish our conversation, and focus on how threat intelligence can help organizations.

Why does a company need to implement threat intelligence on top of their existing security?

Having security tools such as firewalls and antivirus software is critical; you have to have them. If you don’t have these tools, you are already at a disadvantage. These security tools are paramount, but the information derived from them can be overwhelming.  From what I have seen, a lot of time companies will simply buy these tools, plug them in and forget about them. From a threat analyst perspective, what we do when we give companies information about threats affecting their industry is show them the known mitigation of the threat. We can only lead the horse to water; we can’t make it drink. But if we can give organizations enough pertinent information where they are asking, “Does my defense actually protect us against this?” that goes a long way.

A lot of the time companies are putting up boundaries to stop threats from getting in, but they might not necessarily know when information gets out. They may be breached, and their information could have been compromised. They could also be attacked at a point they weren’t protecting such as point-of-sale systems. A bank has credit and debit cards, and the bank itself is usually pretty well protected against direct attacks. All of that can be defeated by a skimmer on an ATM. Knowing these attack vectors and knowing this is another way cybercriminals can get to your customers’ data can really help mitigate risks. If we as threat analysts are looking for these attack vectors and alternative methods, then we can help an organizations be better prepared and protected against threats.

Cyber threat intelligence is a relatively new avenue in cybersecurity. Are companies seeing value in this?

Cyber threat intelligence is still a growing field; it is definitely still evolving — as it should be. Threats are evolving, so this field that focuses on these threats is evolving as well. I think, for the most part, everybody is doing the best job that they can. It’s hard for a business to feel like they are getting a return on their investment from IT security in general. When you get that big win, when you catch something that no one else caught, either protecting some data or helping stop something before it became a big deal, then it is easy to see the value of it. For companies, as long as everything is working, the people who make decisions about IT and their infrastructure don’t necessarily want to know what goes into keeping everything running. They just want it to work. If everything is working, it is easy to not respond and spend money on keeping everything running. In their mind, everything is working. It appears that not much has to be done to keep things running, why would they spend more money on it?

How can companies providing cyber threat intelligence improve?

If there is a way to improve our field it is really just to work together as a community to make sure companies understand the value of cyber threat intelligence. I feel like we are doing a good job, but I feel that the industry isn’t ready for the message. These companies are being attacked left and right, and it feels like all we are doing is showing up and telling them they need to be doing security better. To actually translate everything that is going on, distill it and focus it on the company specifically is really the best approach. I am glad that SurfWatch Labs is going down this road. Showing companies why they need to care about this information that is being presented to them is very valuable.  

I also think that internally, for our customers, we sit between business operations and the IT department. We aren’t just supporting IT security or just enabling compliance with the various IT regulations a business must adhere to. A Cyber Threat Intel Analyst should be assisting the translation between business units — and the various IT and cyber risks they face — and helping them understand sometimes how two separate threats are actually part of a larger threat against the company. I believe that is when we can really show our value.

For example, let’s say an attacker breaks into a company and steals credentials to the gaming platform that is hosted by that business. The network defense team should detect that and stop it. If a new attack is being used that has never been detected before and no signatures have been created for it yet, it’s possible the attack may go unnoticed. Soon after this undetected attack, separately, your cyber threat intel analyst discovers that someone dumped some credentials to your game on the dark web or is selling them. If that credential dump is only passed on to a third group such as customer service in order to reset accounts, but the network defense team isn’t made aware, then the source of the leak may not be plugged. Or if the developers are not notified, and the vulnerability came from a bug in the software that the company created, then again the problem will still be there.

What are some of the achievements cyber threat intelligence has accomplished. Is it changing the game?

It is changing the game for sure. Some of the big wins cyber threat intelligence has gotten comes from exposing malicious activity in general. When you can find those hidden gems and expose what is going on those are the big wins. Seeing the new carding efforts and all the things that are going into combating organized crime is very rewarding. The big ones are of course things like uncovering STUXNET, and all of the pieces that went along with that. The Mandiant APT1 report I think spawned a whole new movement with regards to CTI, some good some bad, but it got a lot of people to sit up and take notice, and that’s really what we want.

Final thoughts?

We talked about how new the field of cyber threat intelligence is, but that is also exciting. Being in a field with all of this different stuff going on makes cyber threat intelligence a very exciting field to be a part of and stay focused on. I look forward to the future.   

Q&A: What Does a Cyber Threat Intelligence Analyst Do? (Part 1)

As cybercrime continues to grow and evolve at a rapid pace, organizations are faced with difficult decisions in finding solutions to this problem. Deploying security tools to combat cybercrime is a crucial part of this dilemma, but this brings with it the herculean task of attempting to process massive amounts of data in order to keep up in the game defending against cyber-attacks.

In order to get the most up-to-date and accurate cyber threat intelligence, SurfWatch Labs employs talented analysts with a focus on threat intelligence. These threat analysts are the backbone to a new and developing field of cyber threat intel, providing valuable information to organizations that go well beyond identifying threats.

“Being a threat analyst often requires being a chameleon or wearing many hats,” said Aaron Bay, chief analyst at SurfWatch Labs. “You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives. It’s not an easy role, but it is one that is becoming increasingly important to organizations.”

We spoke with Bay to get some insight about the role of a threat analyst and how cyber threat intelligence can benefit organizations.

Tell us a little bit about being a threat intelligence analyst.

Being a threat analyst feels a little bit like a cross between a weatherman, an interpreter and someone trying to find a needle in a haystack. It’s not just about knowing the latest attacks and staying up on the latest jargon. There is a lot of translation that has to take place to get that information to the decision makers in such a way that they can actually make a decision based on it. So being able to speak “cyber” but also being able to translate that to someone who is not a cyber person takes some work as well. Powerful Google-fu is also helpful in this position; even though Google is not the only source, knowing how to find data using it and other tools is invaluable.

Describe your typical day.

mugshot
Aaron Bay, Chief Analyst at SurfWatch Labs

My typical day is probably a little bit different than most cyber threat intel analysts. Because SurfWatch Labs focuses on the bigger picture, we aren’t typically gathering the latest signatures from the latest malware or putting together snort rules for all the new bad stuff that’s been detected by various sensors or honey pots.

I spend a lot of time reading blogs, Twitter, various forums and general Web searching. To support SurfWatch Labs’ customers, a lot of my focus is on them: what they’ve said is most important to them, things they want to stay aware of, constantly looking for information that may be of interest to them in general, keeping track of that and reporting it to them, and then getting their feedback on what we’ve told them to tailor our internal processes so that we constantly evolve and stay current with their needs, as well as stay current with the threats out there.

Is being a cyber threat intel analyst mostly about IT security?

Firstly, I think the term IT Security is becoming archaic. When it is used, the person who hears it or uses it has a preconceived notion about what IT Security is. Computers and routers and switches and firewalls and all things traditionally associated with IT security come to mind. But our businesses and our personal lives have become so connected and dependent on technology, that just calling it “IT” seems to leave out things that should be included, but aren’t.  I have to say that I am not a fan of the term “cyber” or “cybersecurity,” but I can understand the reason for having a new term that’s a little more ambiguous.  

Credit cards used to just be numbers printed on plastic read by zip-zap machines until magnetic strips were created and used to save information in a way that could be read by a computer and transmitted via telephone back to your bank. Forty years later, those are being replaced by sophisticated memory cards that keeps your information encrypted. Do you consider your credit card to be IT? You should. Credit card fraud has been around as long as credit cards, and the more IT we throw at the problem, the more it becomes an IT security problem. I know that banks and organizations like Visa consider this an IT security issue, but most people still do not, I would assume. And that’s just one example.

For a Cyber Threat Intel Analyst to do their job correctly, they need to understand that it really is about IT security, but the scope is usually bigger than most people realize. The analyst needs to be aware of that, but they need to help their employer or customer understand that as well.

What is one of the biggest things to understand about cyber risk?

Typically, cyber threats enter an organization by way of something every user touches: browsing the web, reading their email, opening files, etc. Traditional IT security has been tasked with solving that. But that’s not the only way cyber threats can harm an organization. As soon as you do business with another organization, the scope of your risk increases. You have to send and receive information from them, send and receive money from them. This information is at risk if one organization protects it less than the other. If pieces of the business are outsourced, whatever that is, it’s now at risk to however that third party protects its business or its infrastructure.

Some of this even just comes in the form of what software a business chooses to use for its customer portal, where customers can post questions or the business otherwise interacts with its customers. Any vulnerabilities in that software or where that software is hosted translates to risk to the primary organization. Again, none of this is meant as a reason not to function this way, only as a way to say that these risks need to be understood and monitored. As new threats or attacks or vulnerabilities are discovered, an organization needs to be made aware of them so actions can be made to mitigate or remove them.

What are some cybersecurity trends you are seeing as a threat analyst that are concerning?

The biggest trend I am really starting to see is the continuation of cybercriminals using cyber means to make money.  They steal credit card numbers, people’s personal identities, and the profits from these crimes and frequency of attacks continues to grow. Ransomware is now growing. It’s not growing because people think it is funny to do. It’s growing because people are making a lot of money off of these attacks. In these attacks, cybercriminals don’t care about obtaining information from our computer. All they care about is getting you into paying them money to get back your information. This is a scary trend, because it is really working.

Denial-of-service is still going on; people will pay to conduct denial-of-service attacks or pay ransoms to have these attacks stopped. It will be interesting to see what attack shows up next in an effort to make money.

To encapsulate that trend, it is becoming a lot more organized. In years past, the traditional “organized crime” groups were the only ones really making money off of cyber attempts. Today, however, all parts of cybercrime are becoming more accessible, and as it becomes easier a lot more people are going to be doing it.

Along that vein, attacks that produce the most results are of course going to trend. Ransomware as I mentioned, but a lot of businesses are getting better at detecting and eliminating threats … but don’t quite understand or monitor threats coming from their third-party suppliers, so attacks will start to come from that angle.

What is your biggest fear as a threat analyst?

My biggest fear is people not taking this information seriously or people not thinking it is useful information. I am fearful that people view this information as no big deal, viewing it as just another report and moving on. I hope that companies feel this information is useful, and it is taken seriously instead of thinking they don’t need the information anymore. Some of that could be that an organization doesn’t quite have a mature enough cybersecurity program so it can’t properly digest and protect against what an analyst may be telling them. The failure of the analyst to correctly translate risks and threats and trends into something meaningful could also contribute to the message being lost.

In the next post, Aaron shares his thoughts about how cyber threat intelligence can help your organization.

Despite Drop In Frequency, PoS Data Breaches are Still a Threat

In 2014, point-of-sale (PoS) data breaches against mainstream retail stores like Target and the Home Depot were primary talking points in cybersecurity. In 2016, PoS data breaches haven’t garnered as much attention, with threats like ransomware and more sophisticated phishing attacks taking up the mantle of the leading concerns in cybersecurity.

Over the last two years, the amount of chatter around PoS breaches has dropped dramatically.

Point of sale chatter
The chart above shows all PoS-related CyberFacts from June 2014 – May 2016. Outside of a rise in CyberFacts starting in October 2015 the amount of chatter concerning PoS breaches has remained low. 

PoS breaches still occur, but the frequency of attacks, as well as the targets, have changed. In 2014, department stores were impacted the most by PoS data breaches. Since that time, cybercriminals have turned their attention towards hotels, restaurants and bars. In many instances, a hotel had an associated restaurant or bar’s payment system compromised. The payment card breach against Starwood properties is one example of this activity.

POS chatter by group
Cybercriminals have shifted to new targets with regards to PoS breaches. While Department Stores were a top trending target in 2014, since then, cybercriminals have shifted their efforts to breaching PoS systems at Hotels, Motels and Cruiselines. 

New EMV Standards Having an Impact on PoS Cybercrime

Back in October 2015, the United States implemented new EMV standards aimed at protecting against PoS cybercrime. Many big retail stores have adopted the technology, which has helped thwart the amount of payment card cyber-attacks against them.

There have been well-documented problems so far with EMV, from customers not having access to chip-enabled cards to retailers offering customers the option swipe their card rather than force them to use the Chip-and-PIN technology.  Perhaps the biggest problem with the EMV shift is the amount of retail companies that simply do not offer customers payment terminals that accept the new Chip-and-PIN cards.

Despite the problems, EMV has positively impacted PoS cybercrime. However, due to the increased security, cybercriminals are turning their attention to other, more lucrative attack vectors. In 2016, phishing and ransomware attacks have both trended highly.

Latest PoS Data Breaches and Malware

However, cybercriminals haven’t completely turned away from attacking payment terminals. To date, SurfWatch Labs has collected information on 23 industry targets related to PoS data breaches.

In what is probably the most recent of those breaches, security researcher Brian Krebs has reported fraudulent activity involving the Texas-based restaurant chain CiCi’s Pizza. In this event, a cybercriminal posed as a “technical support specialist” for the company’s PoS provider, which allowed access to payment card data. This social engineering technique is one way cybercriminals can circumvent EMV (assuming CiCi’s Pizza utilized these payment terminals).

The old-fashioned malware attack vector is still being utilized as well to conduct attacks on PoS systems. New variants are still being created and continue to evolve. Some of the latest PoS malware families to make headlines include:

  • TreasureHunt PoS
  • AbaddonPOS
  • Multigrain
  • FighterPOS
  • FastPOS

With EMV implementation taking place at new retail locations daily, the amount of PoS-related data breaches is bound to decrease. Protecting customers at the point of physical payment is paramount to retail operations, but organizations can do more. Social engineering and phishing attempts are among the biggest threats facing organizations today, and Chip-and-PIN won’t protect against this threat. Deploying physical security features like firewalls is obviously important, but educating employees about phishing and social engineering tactics is arguably just as important a cybersecurity strategy.

 

 

 

Intentional or Not, Insider Threats Remain a Huge Risk to Businesses

Insiders are one of the most dangerous threats all organizations face, as the players involved in these attacks usually have easy access to an organization’s resources. Taking a look at the recent $81 million bank heist from the Central Bank of Bangladesh, the FBI suspects that this attack was an inside job, with several people who work for the bank playing a key role in the theft. If this attack was perpetrated by insiders — such as employees at the bank or with SWIFT — it would be one of the biggest insider attacks ever conducted and would further validate the dangers of an insider threat to an organization.  

However, not all insider threats have malicious intent.

Some of the easiest and most harmful ways an organization is compromised through insider activity is simple human error. In April the Federal Deposit Insurance Corporation (FDIC) was the victim of a potential data breach after a former employee left the agency with a file containing personal information from 44,000 customers.

This wasn’t the first time FDIC employees have mishandled customer information. In May the FDIC’s chief information and privacy officer Lawrence Gross was called to testify before the House Science, Space and Technology Committee to discuss seven instances of employees accidentally downloading customer details as they were leaving the company.

SurfWatch Labs’ Insider Threat Data

Insider Activity 2016
The FDIC has the most CyberFacts tied to insider activity in 2016.

The motivation for insider data breaches varies, but company data tends to be the most affected, according to SurfWatch Labs’ data.

Insider Activity Tags
Data is the most sought after target from insider threats, with employees naturally being the most common insider threat actor. 

Legal Ramifications of Insider Theft

On May 27, 2016, the U.K.’s Information Commissioner’s Office (ICO) issued a warning to employees about taking client records to a new company. In the warning, the ICO referenced an incident involving a former waste disposal employee who took client information with him to a new job that was a rival company.

The information contained data on clients such as contact details and purchase history. Mark Lloyd, the former employee of Acorn Waste Management, emailed the contacts list from his previous business account to his personal account. Lloyd’s actions violated the U.K.’s Data Protection Act, leading to a guilty plea from Lloyd and costing him over 700 Euros in fines.

Steve Eckersley, the head of enforcement at ICO, provided the following warning to employees about mishandling client records:

“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not their to take with them when they leave. Don’t risk a day in court by being ignorant of the law.”

Lloyd’s actions were clearly to bring new clients to a rival business, but his actions had bigger implications than simply stealing business from his previous employer. By sending these contacts to his personal email server, Lloyd compromised the information of these customers.

Organizations face many problems protecting data, and a malicious insider could be the biggest of those threats due to employees knowing proprietary information and often having legitimate access to sensitive data such as customer lists. Most employees are loyal, and though the most egregious data breaches involving malicious insiders have a tremendous impact to the victimized organization, it is the every day errors committed by these loyal employees that leave a company the most vulnerable.

Anonymous Ops Trending, Where are the Other Hacktivists?

Not long ago, several hacktivist groups like the Syrian Electronic Army and Lizard Squad were making headlines on a weekly basis with new hacktivism campaigns and random attacks. While Anonymous has always been the primary source of hacktivism throughout the world, it is interesting to see how these other prominent hacktivist groups’ activity has essentially fallen off the map. Where have all the hacktivists gone?

Taking a look at SurfWatch Labs’ data, Anonymous has been (and will remain) the top trending hacktivist group in 2016, with other factions of Anonymous such as New World Hacking and Ghost Squad Hackers providing additional support to the many Anonymous campaigns currently in existence.

2016-05-23_hacktivistactors
Anonymous is by far the top trending hacktivist group in 2016. Several other Anonymous-affiliated groups also made the list. 

The members of the Anonymous collective have been busy in 2016. New campaigns are underway, but several operations that were created in previous years have seen the most activity to date.

2016-05-23_hacktivistops
Throughout each month so far in 2016 an Anonymous campaign has made headlines. 

Government Sector Targeted, Financials Sector Trending

The government sector has been targeted the most by hacktivism in 2016 by a large margin. The data breach of the Philippines Commission on Elections is by far the top trending hacktivism target.

2016-05-23_hacktivism
The Government sector has been targeted the most by hacktivism in 2016. The Philippines Commission on Elections is the top trending industry target. 

Two Anonymous-affiliated groups were behind the data breach of the Commission on Elections: Anonymous Philippines and Lulzsec Pilipinas. The breach affected 55 million Filipino voters and is considered one of the biggest government data breaches on record.

The Financials sector has also seen a lot of activity over the last month. This is largely due to #OpIcarus, a campaign created by members of Anonymous that is specifically targeting banks.

As the chart illustrates above, several banks are trending, with new banks targeted by #OpIcarus making headlines seemingly on a weekly basis. Between May 13 and 19, a total of 18 banks suffered DDoS attacks at the hands of Anonymous.

Where are the Other Hacktivist Groups?

Anonymous continues to make headlines while other prominent hacktivist groups remain stagnant. Groups like Lizard Squad, the Armada Collective, and the Syrian Electronic Army (SEA) appear to have almost completely ceased all operations. The CyberFacts collected by SurfWatch Labs backs this up, with 2015 being the last time any significant conversation took place among the three groups.

2016-05-23_hacktivistgroups
The chart above shows negative CyberFacts for SEA, Lizard Squad, and the Armada Collective over the past 18 months. 

Syrian Electronic Army
Once one of the most recognized hacktivist groups, the SEA has seemingly disappeared since the summer of 2015. Most current news surrounding the SEA involves legal and law enforcement content as members of the group are being hunted down for past hacking activities. The SEA has been involved with many cyber-attacks, including the the hijacking of the Associated Press Twitter account and the takeover of Forbes. The group was founded in 2011, with most of their activity occurring during 2013 and 2014.

Lizard Squad
Perhaps one of the most notorious groups linked with DDoS attacks, Lizard Squad made a name for themselves after launching multiple DDoS attacks against the Sony Playstation Network and Xbox Live. The group has engaged in a war with Sony Online Entertainment president John Smedley, leading to bizarre events such as calling in a fake bomb threat to an airline which Smedley was a passenger of and effectively grounding the flight. Lizard Squad has recently made headlines without any effort, as a group of unknown hackers were posing as the hacktivist group in an effort to extort money from U.K. businesses through the threat of a DDoS attack. As for actual current activity from Lizard Squad, Blizzard reported a DDoS attack from the group back in April 2016.  

Armada Collective
The Armada collective is the newest hacktivist group out of the three, and it is well-known for its DDoS extortion attacks against online retailers, a method of attack that was first made popular by another hacker group, DD4BC. The group was very active towards the end of 2015, attempting to extort several companies. Much like ransom demands, experts have overwhelmingly warned companies not to give into these attacks. The group went silent in late 2015, although other groups continue to use the group’s name for fake DDoS threats, which unfortunately lead to the group earning over $100,000 for their efforts.

While many people find the threats of hacktivism to be just a nuisance, the damage created from a single attack can have lasting consequences. DDoS attacks — the primary hacktivist weapon of choice — can impact a company through financial losses and damaged brand reputation due to the amount of time the company’s servers are down. In other attacks, sensitive data can be obtained and leaked on the Internet for other criminals to exploit. Hacktivism hasn’t been as prominent in 2016 compared to years past, but the threat posed from these groups remains the same, and companies need to remain diligent in protecting from these threats.

Ransomware Is Not the Top Cybersecurity Threat Facing the Healthcare Sector

Ransomware is making all the headlines so far in 2016. This threat has become so mainstream it has caused both the FBI and US-CERT to issue ransomware alerts, with the healthcare sector being mentioned in both.

On March 31, 2016, the United States Computer Emergency Readiness Team (US-CERT) issued a ransomware warning concerning the Locky and Samas ransomware variants – both of which have been used to target hospitals and other healthcare targets.

On April 29, 2016, the FBI wrote a post warning of the rise in ransomware threats, saying that ransomware attacks were prevalent in 2015 and will continue to grow in 2016.

“Ransomware attacks are not only proliferating, they’re becoming more sophisticated,” the FBI post read. “Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cyber criminals turned to spear phishing emails targeting specific individuals.”

However, when you look at the biggest data breaches in healthcare, are ransomware attacks really deserving of all the headlines?

Despite Ransomware Trend, Healthcare Most Impacted By Data Loss

SurfWatch Labs has collected data on 141 healthcare cybercrime targets so far in 2016, and the ransomware attacks against Hollywood Presbyterian Medical Center and Medstar Health have been the top two most discussed industry targets to date.

2016-05-16_healthcareitt
Ransomware attacks such as the ones against Hollywood Presbyterian Medical Center and MedStar Health have dominated the discussion around healthcare sector cybercrime in 2016.

Both Hollywood Presbyterian Medical Center and MedStar health made huge headlines this year after being victimized with ransomware. Hollywood Presbyterian paid the ransom demand to get their data back. Medstar Health was able to get their systems operational without paying a ransom.

While infected assets leads the way in terms of chatter around healthcare sector cybercrime effects this year – largely due the high level of ransomware discussion – stolen or leaked personal information and data are leading the way when looking at the total number of distinct healthcare targets being impacted by cybercrime so far this year.

upload
Although not receiving the most discussion (CyberFacts), the stolen personal information and stolen data tags are associated with the highest number of healthcare targets impacted by cybercrime in 2016.

Similarly, while malware dominates the chatter around healthcare sector cybercrime practices, unauthorized access is the top trending practice category in terms of the actual number of affected targets.

upload1
Malware is leading the way in terms of discussion for the Healthcare sector in 2016; however, unauthorized access was the leading practice used in attacks against healthcare by total number of industry targets.

While everyone is talking about malware – more specifically, ransomware – affecting healthcare targets, if we dig deeper into that top practice category it’s clear that the old-fashioned, tried-and-true methods used by cybercriminals are causing the most damage in the healthcare sector in 2016.

2016-05-16_unauthorizedaccess
Physical theft was the top trending unauthorized access practice tag to date in the healthcare sector. 

Criminals Are Still Seeking Healthcare Data

While it is still important for hospitals and healthcare companies to worry about the threat of ransomware, as SurfWatch Labs’ data shows, ransomware attacks are just the tip of the iceberg when it comes to cyber threats facing the healthcare industry.

Several attack vectors are present in the healthcare industry. Phishing and social engineering attempts are still the primary cybersecurity threat concerning healthcare facilities, with stolen laptops and flash drives also creating a severe issue protecting data.

W-2 data breaches have made several headlines this year, affecting organizations throughout all sectors – including healthcare. Healthcare companies Main Line Health, York Hospital, E Clinical Works, Endologix, Care.com, CareCentrix, and Magnolia Health Corporation all suffered W-2 data breaches in 2016 that stemmed from a simple phishing email.

The verdict is in; ransomware isn’t going anywhere and will continue to trend throughout 2016. However, we can’t forget about the old-fashioned methods used by hackers since the dawn of the Internet when it comes to protecting organizations from cybercrime. Ransomware has become popular due to its ease of execution and potential to make a quick buck, but the valuable data stored throughout the healthcare sector is still the holy grail for cybercriminals looking for a bigger score.

PII Data Breaches Trending In Critical Infrastructure

Over the last couple weeks, several critical infrastructure cyber-events made headlines in the Industrials, Energy, and Utilities industries. Some of these targets include the German Gundremmingen nuclear reactor, the Lansing Board of Water and Light (BWL), and the Canadian gold mining firm Goldcorp. While none of these cyber-attacks resulted in chaos, they did demonstrate weaknesses within these companies.

2016-05-09_itt
The chart above shows the top trending targets in Critical Infrastructure YTD in 2016. In this chart, “Critical Infrastructure” includes data from the Industrials, Utilities, and Energy Sectors.

W-2 and tax-related data breaches have been trending in 2016 – this trend is also occurring in critical infrastructure. In 2016, many top trending critical infrastructure targets have suffered such a breach, including:

  • Alpha Payroll Services
  • Whiting-Turner Contracting Company
  • ADP
  • Michels Corporation
  • Equifax

SWIFT was the software compromised in the Central Bank of Bangladesh cyber heist. As a result, business support services was the top trending industry group affected in critical infrastructure so far in 2016.

2016-05-09_groups
The industry group “Business Support Services” is the top trending tag so far in 2016.

The Critical Infrastructure Cyber Threat

Attacks against critical infrastructure have occurred in the U.S.; however, these attacks have never lead to the doomsday scenario many of us fear, such as disabling power to cities or truly compromising a nuclear reactor. Most critical infrastructure attacks in the U.S. involve the loss of user data, not a takeover of key operating capabilities.

A critical infrastructure takeover has occurred in another country. In 2015, a cyber group named Sandworm Team launched an attack against the Ukrainian Power Authority. Using the infamous BlackEnergy malware, the group was able to successfully shut down power for 700,000 people over a two hour period – the first known power outage caused by a cyber-attack. The Sandworm team has attacked U.S. critical infrastructure in the past, forcing ICS-Cert to issue an alert in 2014 addressing the threat.

Attacks against critical infrastructure have been taken especially seriously by the U.S. government. In February 2013, President Barack Obama signed Executive Order 13.636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience.” The executive order and policy directive attempt to address key issues with our nation’s critical infrastructure cybersecurity, including:

  • Promote information sharing with U.S. private sector
  • Clearly define roles of key officials involved with critical infrastructure security
  • Commit to providing assistance in the event of a data breach
  • Create a framework to reduce cyber risk to critical infrastructure
  • Promote innovation, research, and development of enhanced cybersecurity measures

As a result, the Department of Homeland Security (DHS) launched the Critical Infrastructure Cyber Community Voluntary Program. The goal of this program is to help enhance critical infrastructure cybersecurity and to promote the adoption of the National Institute of Standards and Technology’s Cybersecurity Framework.

Our country’s critical infrastructure suffers from the same vulnerabilities as other sectors. Valuable information is kept on databases and people are used as a bridge to that information. While the threat of a doomsday attack against our nation’s critical infrastructure remains a serious threat, traditional cybercrime is still driven by profit motive. Those in charge of critical infrastructure security not only have to be prepared for threats attempting to cause physical harm to our nation, they must also prepare for the theft of personal information, which seems to be the current trend.

Cyber-Attacks Against Banks Making Huge Impact in 2016

Although the financials sector hasn’t been as widely discussed as others this past quarter, cyber-attacks in the sector are having a greater impact, according to SurfWatch Labs’ data.

snapshot_1462215431132
The impact and targeted asset financials scores (red) are trending much higher than other sectors (blue), according to SurfWatch Labs.

Since March 2016, the financials industry has made big headlines for high-profile cyber events involving the Central Bank of Bangladesh and most recently, Qatar National Bank. These two banks have contributed enormously to the amount of cybercrime discussion surrounding banks.

2016-05-02_groups
Banks are the most discussed group in the financials sector, accounting for nealy 40% of the negative CyberFacts collected by SurfWatch Labs, followed by Diversified Financial Services (14%) and Specialty Financials (13%)

The Central Bank of Bangladesh is the top trending financials sector target so far in 2016. The multiple cyber-attacks against the Trump Organization – including an Anonymous campaign – and the January DDoS attack against HSBC Bank round out the top three targets.

2016-05-02_itt
The Central Bank of Bangladesh is the top trending financials target in 2016. 

Latest on Bangladesh Bank Heist

The $81 million bank heist of the Central Bank of Bangladesh is one of the most successful cyber bank thefts in history. The bank was attacked via SWIFT, a well-known and utilized international bank messaging system.

SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. The system authorizes payments between accounts and is recognized for its security. According to Michael Corkery of The New York Times, one financial analyst even called SWIFT “the Rolls-Royce of payments networks.”

Unfortunately for banks, SWIFT issued a warning to customers that cybercriminals have attempted similar bank thefts through its system.

“SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network,” the warning read.

One of the main problems with SWIFT is that not all banks put security features in place to protect against potential threats.

“SWIFT is a great organization,” said Chris Larsen, the founder of Ripple, to The New York Times. “But the system is fractured and antiquated. The way it is set up, you cannot totally isolate problems in a place like Bangladesh from the whole network.”

HSBC U.K. Banking System Taken Offline

In January 2016 Europe’s largest financial lender HSBC suffered a DDoS attack, keeping several banking customers unable to access their accounts. The attack took place on Friday, January 29, and services were restored on January 30.

This was the second website outage suffered by the bank in January.

The attack was particularly damaging due to its timing. HSBC was attacked on the last Friday in January, a particularly busy day for banks as the end of the fiscal year approaches. Millions of customers -– both online and mobile app users –- were affected by the attack.

HSBC never released any technical data about the incident. DDoS attacks can have an impact on brand reputation as well as loss of revenue. On average, a DDoS attack can cost about $40,000 per hour, according to a study conducted by Incapsula.

New Hybrid Malware Used In Bank Attacks

Cybercriminals are always looking for new, sophisticated ways to attack organizations. A new threat called GozNym malware has been identified targeting banks in the North America, Asia, and Europe. As SurfWatch Labs recently reported to customers, the malware has stolen over $4 million between 24 banks in North America alone.

The GozNym banking Trojan has been discussed frequently over the past 30 days.

2016-05-02_advisories
The GozNym banking Trojan is the top trending advisory tag in the Financial sector over the last 30 days. 

GozNym is a hybrid malware, containing code from both the Nymaim and Gozi ISFB variants. The source code from the Nymaim malware is used to steal user data and login credentials. Once this data is obtained, the source code from the Gozi ISFB malware manipulates web sessions and conducts online banking fraud attacks. This nasty threat not only perpetrates bank fraud, it can also open the door for further malware attacks, including ransomware.

Like most malware, GozNym relies heavily on one factor to promote infection – human behavior. The malware is spread through exploit kits and Office macros, both of which require human interaction for its operation to take place.

Banks are an especially ripe target for cybercriminals due to the amount of transactions and data transferred between individuals and other organizations. Hacking tools such as malware and DDoS services can be purchased on the dark web for a surprisingly low price and used to create havoc and devastating financial loss for organizations. As demonstrated in the Central Bank of Bangladesh theft, it only takes one vulnerability to crack a company’s security, and the impact of those attacks is often more far reaching than other sectors.

W-2 Data Breaches Were Abundant During 2015 Tax Season

The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.

2016-04-25_Tax_groups
Tax-related cybercrime impacted companies across a wide variety of industry groups in 2016.

The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have lead to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.

Surprisingly, the group Higher Education also received a lot of discussion, with the high profile W-2 data breach at the University of Virginia leading the way in terms is discussion.

2016-04-25_tax_itt
The chart above lists the top trending organizations pertaining to tax and W-2 cybercrime for the most talked about industry groups. The IRS garnered the most discussion of any organization. 

IRS and FBI Release Warnings About Tax Fraud

In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas individuals and organizations leave themselves vulnerable to compromise:

Abusive Return Preparer
Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”

Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”

Nonfiler Enforcement
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal.  The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments.  Take the time to learn the truth about frivolous tax arguments.”

The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.

“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.

A “traditional” BEC attack starts with a fraudulent request that is sent utilizing a high-ranking executives spoofed email. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.

This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.

Protecting Yourself From Tax Fraud

One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.

Here are a few tips on protecting yourself from tax fraud in 2016:

File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.

Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use it to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords are utilizing capitalization, numbers, symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.

Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.