PII Data Breaches Trending In Critical Infrastructure

Over the last couple weeks, several critical infrastructure cyber-events made headlines in the Industrials, Energy, and Utilities industries. Some of these targets include the German Gundremmingen nuclear reactor, the Lansing Board of Water and Light (BWL), and the Canadian gold mining firm Goldcorp. While none of these cyber-attacks resulted in chaos, they did demonstrate weaknesses within these companies.

The chart above shows the top trending targets in Critical Infrastructure YTD in 2016. In this chart, “Critical Infrastructure” includes data from the Industrials, Utilities, and Energy Sectors.

W-2 and tax-related data breaches have been trending in 2016 – this trend is also occurring in critical infrastructure. In 2016, many top trending critical infrastructure targets have suffered such a breach, including:

  • Alpha Payroll Services
  • Whiting-Turner Contracting Company
  • ADP
  • Michels Corporation
  • Equifax

SWIFT was the software compromised in the Central Bank of Bangladesh cyber heist. As a result, business support services was the top trending industry group affected in critical infrastructure so far in 2016.

The industry group “Business Support Services” is the top trending tag so far in 2016.

The Critical Infrastructure Cyber Threat

Attacks against critical infrastructure have occurred in the U.S.; however, these attacks have never led to the doomsday scenario many of us fear, such as disabling power to cities or truly compromising a nuclear reactor. Most critical infrastructure attacks in the U.S. involve the loss of user data, not a takeover of key operating capabilities.

A critical infrastructure takeover has occurred in another country. In 2015, a cyber group named Sandworm Team launched an attack against the Ukrainian Power Authority. Using the infamous BlackEnergy malware, the group was able to successfully shut down power for 700,000 people over a two-hour period – the first known power outage caused by a cyber-attack. Sandworm Team has attacked U.S. critical infrastructure in the past, forcing ICS-CERT to issue an alert in 2014 addressing the threat.

Attacks against critical infrastructure have been taken especially seriously by the U.S. government. In February 2013, President Barack Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience.” The executive order and policy directive attempt to address key issues with our nation’s critical infrastructure cybersecurity, including:

  • Promoting information sharing with the U.S. private sector
  • Clearly defining the roles of key officials involved with critical infrastructure security
  • Committing to provide assistance in the event of a data breach
  • Creating a framework to reduce cyber risk to critical infrastructure
  • Promoting innovation, research, and development of enhanced cybersecurity measures

As a result, the Department of Homeland Security (DHS) launched the Critical Infrastructure Cyber Community Voluntary Program. The goal of this program is to help enhance critical infrastructure cybersecurity and to promote the adoption of the National Institute of Standards and Technology’s Cybersecurity Framework.

Our country’s critical infrastructure suffers from the same vulnerabilities as other sectors. Valuable information is kept on databases and people are used as a bridge to that information. While the threat of a doomsday attack against our nation’s critical infrastructure remains a serious threat, traditional cybercrime is still driven by profit motive. Those in charge of critical infrastructure security not only have to be prepared for threats attempting to cause physical harm to our nation, they must also prepare for the theft of personal information, which seems to be the current trend.

Trade Secret Legislation Awaits Obama’s Signature

Organizations will soon have another avenue to seek relief from trade secret theft, as President Obama is expected to sign into law the Defend Trade Secrets Act. The bill, which gives companies the ability to pursue trade secret cases in federal courts rather than at the state level, is the latest in a string of headlines related to stolen intellectual property.

The effort is meant to help combat the growing problem of espionage, which costs the U.S. $300 billion and 2.1 million jobs each year, according to a 2013 report from the Commission on the Theft of American Intellectual Property.

Many different individuals and groups have been associated with cyber-espionage so far this year, according to threat intelligence data from SurfWatch Labs.

House Judiciary Committee Chairman Bob Goodlatte (R-Va.) said the DTSA would “build on efforts over the past two years and take a significant and positive step toward improving our nation’s trade secret laws.”

The first version of the DTSA was introduced in 2014, just weeks before the U.S. made waves when — for the first time ever — it filed charges against five Chinese military hackers for cyber-espionage against U.S. corporations. That 2014 indictment centered around alleged hacking and theft related to six organizations: Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies, the United Steelworkers Union, and Alcoa.

Those allegations continue to play out as U.S. Steel recently took steps to request that the government prevent imports from China’s largest manufacturers due to, among other things, trade secret theft. A complaint filed on April 26 with the U.S. International Trade Commission under a section of the U.S. Tariff Act alleges that those stolen trade secrets, representing decades of research in creating the next generation of high-strength steel, were taken and reproduced in China.

The DTSA gives the many organizations affected by the theft of trade secrets another outlet to seek relief, and the version awaiting Obama’s signature has received widespread support (the House voted 410-2 in favor); however, the legislation is not without detractors. When the bill was first introduced two years ago, 31 law professors signed a letter opposing it, and in November 2015 they again called on Congress to reject the DTSA:

While we agree that effective legal protection for U.S. businesses’ legitimate trade secrets is important to American innovation, we believe that the DTSA — which would represent the most significant expansion of federal law in intellectual property since the Lanham Act in 1946 — will not solve the problems identified by its sponsors. Instead of addressing cyberespionage head-on, passage of the DTSA is likely to create new problems that could adversely impact domestic innovation, increase the duration and cost of trade secret litigation, and ultimately negatively affect economic growth.

The federal law does not replace current state laws, the group argued, so it will complicate rather than simplify trade secret litigation by adding a new layer of federal jurisprudence.

What this Means for Business

Most states have adopted a version of the Uniform Trade Secrets Act, which is how most trade secret disputes are currently handled. Once the DTSA is signed into law, organizations will be able to decide whether federal or state courts are more beneficial.

Although most legal experts agree that the DTSA provides a slightly broader interpretation of “trade secrets” as well as additional tools that can be used, the choice of avenue for litigation will likely need to be decided on a case-by-case basis.

“State courts may still be a more preferable venue for many plaintiffs, as they typically provide more lenient rules for obtaining ex parte relief and a temporary restraining order,” the National Law Review noted. “Federal courts are often backlogged and may not hear a temporary restraining request immediately. By the time a temporary restraining order is issued, the critical information may be disclosed or forever gone. Thus, an expedited hearing in state court may outweigh the benefits of the federal court option provided by the DTSA.”

Trade secrets are often the most important assets for an organization, and the recent legal developments should serve as a reminder for businesses to assess the risks associated with those secrets, do their best to ensure those secrets are protected, and to have a plan in place so they can take legal recourse should those secrets get stolen.

Cyber-Attacks Against Banks Making Huge Impact in 2016

Although the financials sector hasn’t been as widely discussed as others this past quarter, cyber-attacks in the sector are having a greater impact, according to SurfWatch Labs’ data.

The impact and targeted asset financials scores (red) are trending much higher than other sectors (blue), according to SurfWatch Labs.

Since March 2016, the financials industry has made big headlines for high-profile cyber events involving the Central Bank of Bangladesh and most recently, Qatar National Bank. These two banks have contributed enormously to the amount of cybercrime discussion surrounding banks.

Banks are the most discussed group in the financials sector, accounting for nearly 40% of the negative CyberFacts collected by SurfWatch Labs, followed by Diversified Financial Services (14%) and Specialty Financials (13%).

The Central Bank of Bangladesh is the top trending financials sector target so far in 2016. The multiple cyber-attacks against the Trump Organization – including an Anonymous campaign – and the January DDoS attack against HSBC Bank round out the top three targets.

The Central Bank of Bangladesh is the top trending financials target in 2016. 

Latest on Bangladesh Bank Heist

The $81 million bank heist of the Central Bank of Bangladesh is one of the most successful cyber bank thefts in history. The bank was attacked via SWIFT, a well-known and widely used international bank messaging system.

SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. The system authorizes payments between accounts and is recognized for its security. According to Michael Corkery of The New York Times, one financial analyst even called SWIFT “the Rolls-Royce of payments networks.”

Unfortunately for banks, SWIFT issued a warning to customers that cybercriminals have attempted similar bank thefts through its system.

“SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network,” the warning read.

One of the main problems with SWIFT is that not all banks put security features in place to protect against potential threats.

“SWIFT is a great organization,” said Chris Larsen, the founder of Ripple, to The New York Times. “But the system is fractured and antiquated. The way it is set up, you cannot totally isolate problems in a place like Bangladesh from the whole network.”

HSBC U.K. Banking System Taken Offline

In January 2016, Europe’s largest financial lender, HSBC, suffered a DDoS attack that left many banking customers unable to access their accounts. The attack took place on Friday, January 29, and services were restored on January 30.

This was the second website outage suffered by the bank in January.

The attack was particularly damaging due to its timing. HSBC was attacked on the last Friday in January, a particularly busy day for banks as the end of the fiscal year approaches. Millions of customers – both online and mobile app users – were affected by the attack.

HSBC never released any technical data about the incident. DDoS attacks can have an impact on brand reputation as well as loss of revenue. On average, a DDoS attack can cost about $40,000 per hour, according to a study conducted by Incapsula.

New Hybrid Malware Used In Bank Attacks

Cybercriminals are always looking for new, sophisticated ways to attack organizations. A new threat called GozNym malware has been identified targeting banks in North America, Asia, and Europe. As SurfWatch Labs recently reported to customers, the malware has stolen over $4 million from 24 banks in North America alone.

The GozNym banking Trojan has been discussed frequently over the past 30 days.

The GozNym banking Trojan is the top trending advisory tag in the Financial sector over the last 30 days. 

GozNym is a hybrid malware, containing code from both the Nymaim and Gozi ISFB variants. The source code from the Nymaim malware is used to steal user data and login credentials. Once this data is obtained, the source code from the Gozi ISFB malware manipulates web sessions and conducts online banking fraud attacks. This nasty threat not only perpetrates bank fraud, it can also open the door for further malware attacks, including ransomware.

Like most malware, GozNym relies heavily on one factor to promote infection – human behavior. The malware is spread through exploit kits and Office macros, both of which require human interaction for the infection to take place.

Banks are an especially ripe target for cybercriminals due to the volume of transactions and data transferred between individuals and other organizations. Hacking tools such as malware and DDoS services can be purchased on the dark web for a surprisingly low price and used to create havoc and devastating financial loss for organizations. As demonstrated in the Central Bank of Bangladesh theft, it only takes one vulnerability to crack a company’s security, and the impact of those attacks is often more far-reaching than in other sectors.

W-2 Data Breaches Were Abundant During 2015 Tax Season

The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.

Tax-related cybercrime impacted companies across a wide variety of industry groups in 2016.

The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have led to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.

Surprisingly, the group Higher Education also received a lot of discussion, with the high-profile W-2 data breach at the University of Virginia leading the way in terms of discussion.

The chart above lists the top trending organizations pertaining to tax and W-2 cybercrime for the most talked about industry groups. The IRS garnered the most discussion of any organization. 

IRS and FBI Release Warnings About Tax Fraud

In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas individuals and organizations leave themselves vulnerable to compromise:

Abusive Return Preparer
“Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”

Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”

Nonfiler Enforcement
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal. The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments. Take the time to learn the truth about frivolous tax arguments.”

The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.

“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.

A “traditional” BEC attack starts with a fraudulent request sent from a high-ranking executive’s spoofed email address. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.

This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.
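The W-2 BEC pattern described above can be screened for on the mail gateway before a request ever reaches payroll. The following is an added example, not code from SurfWatch Labs or the original post; the executive roster, the trusted domain and both sample messages are constructed for illustration.

```python
"""Flag inbound mail that looks like an executive-impersonation (BEC) request for W-2 data.

Added example, not SurfWatch Labs code. The executive roster, the trusted
domain and the sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.test"  # assumed: the organisation's own mail domain
# Assumed roster: lower-cased display name -> the executive's real address.
EXECUTIVES = {"dana ceo": "dana.ceo@example-corp.test"}

# Phrases that recur in W-2 BEC requests: the page describes an urgent ask for all employee W-2s.
W2_PATTERN = re.compile(r"\b(w-?2s?|wage and tax statement)\b", re.I)
URGENCY_PATTERN = re.compile(r"\b(asap|urgent|immediately|right away|today)\b", re.I)


def score_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus an overall verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    known_exec = EXECUTIVES.get(from_name.strip().lower())
    indicators = {
        # Display name of an executive, but the address is not that executive's real one.
        "exec_name_mismatch": known_exec is not None and from_addr.lower() != known_exec,
        # Claims to be internal but arrives from an outside (lookalike or free-mail) domain.
        "external_domain": from_domain != TRUSTED_DOMAIN,
        # Replies are silently redirected somewhere other than the claimed sender.
        "reply_to_mismatch": bool(reply_addr) and reply_addr.lower() != from_addr.lower(),
        "asks_for_w2": bool(W2_PATTERN.search(text)),
        "urgent_tone": bool(URGENCY_PATTERN.search(text)),
    }
    # Verdict: a W-2 request combined with any sender anomaly is held for a phone call-back.
    sender_anomaly = (indicators["exec_name_mismatch"]
                      or indicators["external_domain"]
                      or indicators["reply_to_mismatch"])
    indicators["suspicious"] = indicators["asks_for_w2"] and sender_anomaly
    return indicators


# Constructed sample: a spoofed "CEO" on a lookalike domain asking payroll for every W-2.
SAMPLE_BEC = """From: Dana CEO <dana.ceo@example-corp-mail.test>
Reply-To: dana.ceo@example-corp-mail.test
To: payroll@example-corp.test
Subject: W-2s needed today

Please send me the W-2s for all employees as a PDF ASAP, I need them for a review.
"""

# Constructed sample: a routine internal request from the executive's real address.
SAMPLE_LEGIT = """From: Dana CEO <dana.ceo@example-corp.test>
To: payroll@example-corp.test
Subject: Q2 headcount

Can you send me the headcount numbers for Q2 when you get a chance?
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample))
```

The verdict only gates the message for out-of-band confirmation; it does not decide on its own, since a compromised real mailbox (as in the phishing section later on this page) would pass every sender check.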

Protecting Yourself From Tax Fraud

One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.

Here are a few tips on protecting yourself from tax fraud in 2016:

File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.

Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use it to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords are utilizing capitalization, numbers, symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.

Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.

Consumer Goods Sector Most Impacted By DDoS In 2016

The consumer goods sector has seen more chatter around DDoS than any other sector so far in 2016, according to data from SurfWatch Labs.

The Consumer Goods Sector has seen the most DDoS-related CyberFacts this year, including attacks against Blizzard, the BBC, Ireland’s National Lottery, and many more.

The consumer goods sector has become a popular target for DDoS attacks, with new groups like DD4BC emerging on the scene and attempting to extort money from victims in exchange for not launching a DDoS attack against them. Retail stores – especially online retailers – make appealing targets for cybercriminals as they are more likely to pay a ransom demand to avoid service interruption due to the amount of money that could be potentially lost during a DDoS attack.

Gaming networks such as Steam, Xbox Live, and the PlayStation Network are popular targets. Last week, the infamous cyber group Lizard Squad launched a DDoS attack against Blizzard’s gaming servers, effectively taking the servers offline for a couple hours.

DDoS attacks are a popular method of cyber-attack due to their ease of execution and price point. There are DDoS-for-hire services on the web that can be utilized for just $38 per hour. This price is shockingly low considering companies have reportedly lost anywhere from $5,000 to $40,000 per hour during a DDoS attack.

DDoS will remain a popular trend in cybercrime. However, DDoS related CyberFacts have decreased since peaking in January 2016.

DDoS attacks against high-profile targets such as the BBC and Ireland’s National Lottery led to a surge in DDoS-related chatter in January 2016. However, the number of CyberFacts related to DDoS has since dropped. 

Layer 7 DDoS Attack Makes Headlines

Earlier this month, a humongous Layer 7 DDoS attack was spotted reaching 8.7 Gbps of bandwidth through the Nitol botnet, which set a new record for this specific type of DDoS attack. While 8.7 Gbps doesn’t seem like much of a figure compared to traditional DDoS attacks of over 100 Gbps, Layer 7 DDoS attacks are different.

A DoS attack is an attempt by a criminal or hacktivist group to make a computer or network resource unavailable. This is done by interrupting a host’s services that are connected to the Internet. The most common method of DoS is a DDoS attack. DDoS attacks use botnets – an enslaved group of computers – to push massive amounts of traffic at a targeted server to achieve their goal of service disruption.

A Layer 7 DDoS attack has the same end goal as a traditional DDoS attack, with a few small differences. It needs only a small number of network packets to disrupt service, because each request triggers expensive server-side processing that exhausts the target’s CPU and RAM. This means that a Layer 7 DDoS attack can be pulled off by sending only a few thousand requests per second.
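Because a Layer 7 flood is small in bytes but large in requests, bandwidth graphs miss it; request rate per client against the expensive handlers is the signal. The following is an added example (not code from the original post or any DDoS mitigation vendor) that applies that check to constructed web server access-log lines; the thresholds, paths and addresses are assumptions.

```python
"""Spot an application-layer (Layer 7) flood in web server access logs.

Added example, not code from the original post. It ranks clients by request
rate rather than bandwidth, which is what distinguishes a Layer 7 flood from a
volumetric one. Log lines, thresholds, paths and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Simplified combined log format: client, timestamp, request line, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: a client at or above this many requests per second, aimed
# mostly at CPU-heavy endpoints, is treated as a Layer 7 flood source.
RPS_THRESHOLD = 50.0
EXPENSIVE_PATHS = ("/search", "/login", "/api/report")


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m["req"]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": req.split(" ")[1] if " " in req else req,
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def analyse(lines):
    """Return {ip: {rps, expensive_share, kbps, flagged}} over the span of the log."""
    per_ip = defaultdict(lambda: {"n": 0, "expensive": 0, "bytes": 0})
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole analysis
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
        s = per_ip[rec["ip"]]
        s["n"] += 1
        s["bytes"] += rec["bytes"]
        if rec["path"].startswith(EXPENSIVE_PATHS):
            s["expensive"] += 1
    if first is None:
        return {}
    # Timestamps have one-second resolution, so the window is inclusive of both ends.
    window = (last - first).total_seconds() + 1.0
    result = {}
    for ip, s in per_ip.items():
        rps = s["n"] / window
        share = s["expensive"] / s["n"]
        result[ip] = {
            "rps": rps,
            "expensive_share": share,
            "kbps": s["bytes"] * 8 / window / 1000,  # bandwidth this client actually consumes
            # Flag high request rate concentrated on expensive handlers; bandwidth is not used.
            "flagged": rps >= RPS_THRESHOLD and share >= 0.8,
        }
    return result


def make_sample():
    """Constructed log: one client hitting /search at 120 rps for 10 s with small
    replies, one normal client fetching a large page once a second, one bad line."""
    lines = ["garbage line that should be skipped"]
    for sec in range(10):
        ts = f"01/May/2016:10:00:{sec:02d} +0000"
        for _ in range(120):
            lines.append(f'203.0.113.9 - - [{ts}] "GET /search?q=%2A HTTP/1.1" 200 1200')
        lines.append(f'198.51.100.4 - - [{ts}] "GET /index.html HTTP/1.1" 200 52000')
    return lines


if __name__ == "__main__":
    for ip, stats in analyse(make_sample()).items():
        print(ip, stats)
```

In the constructed sample the flood source pushes about 1.2 Mbps, less than three times the normal client, yet issues over a hundred times as many requests; a volumetric threshold would never see it.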

As recent DDoS attacks have shown, cybercriminals have a variety of different ways to disrupt services or attempt to extort money from organizations. Businesses should be prepared for the possibility of these attacks and work with a reputable DDoS mitigation company if they are concerned about those risks.


This real-life case study contains some details but not all – to protect individuals’ personally identifiable information as well as our intelligence collection sources – with the goal of highlighting the importance of having visibility into your supply chain cyber risks. In early April 2016, SurfWatch Labs threat intelligence analysts uncovered a breach of web hosting provider Invision Power Services, whose customers include some professional sports leagues as well as major media and entertainment companies.

The actor, going by the name AlphaLeon, is associated with both the AlphaBot and Thanatos trojans – early strains of these pieces of malware appear to date back to early 2015. AlphaLeon has been known to sell access to these trojans on the dark web. While the actor has not been a seller for very long, the group’s experience and presence indicates they have been active in this space for more than five years – including multiple dark web and open web forums.

After discovering information related to the latest activity of this actor, we alerted Invision Power Services (IPS) who had not yet detected this compromise. We worked with them to validate that the actor appeared to have established a presence within the managed hosting environment that Invision Power Services operated via Amazon Web Services (AWS).

It is our understanding that IPS is still working through their own internal investigation into the incident and additional information may be uncovered, but it appears that the initial cause of the compromise was most likely the result of unpatched software. AlphaLeon indicated that this access, which affected multiple high level brands, would allow them to install Exploit Kits with the purpose of infecting users visiting these sites with their trojan. This would grow the group’s botnet further, which would in turn be sold via various underground markets. The trojan appears to be capable of:

  • Stealing banking credentials and bitcoins
  • Gaining (and selling) webcam access
  • Delivering ransomware
  • Sending spam
  • Stealing gaming credentials
  • Distributed Denial of Service

As of the date of this post it does not appear that AlphaLeon has initiated this specific campaign.

This case study highlights three primary things:

  1. This is a classic case of supply chain risk management. Invision Power Services is a supplier to some of the largest brands. These companies entrusted their web hosting provider to perform a reasonable service based on whatever contractual agreements were in place. Even if the impacted companies are not at fault, they still have their own customers and their brand and reputation to protect. If you are going to outsource a service that has cyber risk tied to it, you are outsourcing a portion of your brand and reputation in some way, shape or form, and you need to keep some eyeballs on that supply chain.
  2. Having a dark web intel capability is an important component of your overall cybersecurity efforts. In this situation, a bad actor was observed in a dark web forum. This source was key to gaining intel that was not available through normal open channels. The dark web is certainly not the only source you should be pulling from in your intel efforts, but it is an important area for which you should have a collection capability.
  3. The intel process works. SurfWatch Labs analysts observed discussions that concerned us, we notified the victim hosting provider, they confirmed the issue and started to react. That is what is supposed to happen.

As you outsource capabilities to other vendors, your cyber risk exposure expands. Make sure you cast a wide net in regards to your intelligence collection capabilities. It is critical to understand this and to keep a watchful eye on not only your internal environment, but that of the vendors you do business with.

Gone Phishing in Q1 2016

We’re already a quarter of the way through 2016, and a clear trend is the rise of social engineering. Based on the cyber event data that we’ve collected, roughly 25% of all targets can be tied to a social engineering attack. This is the highest percentage we’ve seen since the beginning of 2015, and over the last 6 months the share of social engineering attacks has doubled.


Just a few examples of common social engineering practices include:

  • Phone calls from a “Microsoft customer support representative” who needs remote access to your computer to fix an issue
  • Leaving an infected USB stick in a parking lot so that, when an unsuspecting person finds it and plugs it into a computer, malware/spyware is dropped onto the machine

However, the largest percentage of social engineering attacks (25%+) revolve around different types of phishing. While email is the most common delivery method, phishing attempts are made through text messages, Facebook, etc.

Over the weekend I received several phishing emails from individuals I know. These emails weren’t spoofed to make it look like they were coming from people I know, but actually sent from their email accounts without their knowledge.

The emails were both related to a “signed document” that needed my attention — except I had no prior knowledge that any e-docs to sign should be coming my way. Of course, that’s because they should not have been coming at all.

Having been in the security industry as long as I have, I am cautious (or some would say paranoid) — especially compared to friends and family who say they “get it,” but don’t really. Even still, these emails came from legit addresses from people within my circle, and the content within the emails also looked reasonable. Luckily, I knew better, but many don’t.

Here are some quick security tips to consider when it comes to phishing attacks:

  1. Watch out for spoofed email addresses. Confirm the sender of the email is an address you recognize/know. Don’t just check the name in the “From” field, but actually look at the email address. This tip would not have made a difference in the instance above, but it is still a good way to catch a phishing email.
  2. Do not blindly trust links within an email. Banks and credit card companies are usually pretty good about directing you to type in the URL to go to their homepage and how to navigate to a specific place if necessary, as opposed to including links in their communications to you. This is a good practice to follow with any emails that include links. In my situation the links sent looked like DocuSign links, with familiar DocuSign branding and all. But it was missing the security code. Links can also be spoofed, so make sure you know what it is you are clicking on before you click.
  3. If you have any questions, pick up the phone. Is a vendor asking you to provide information or is a contact of yours asking you to click on a link? Questioning it is good. Call the vendor or individual and have them confirm.

Social engineering is one of the trickiest types of attacks to prevent because it plays on human nature and less on technology. Looking at the intel so far in 2016, the bad guys are going back to a tried and true method for gaining access to sensitive information. Be aware and think before you click.