In the early days of malware, the best-known viruses were designed to be noticed. At one extreme they were merely a nuisance, with prankish behavior of various kinds; at the other they destroyed data, usually right after taunting you, just to make sure you knew you had been infected. Today, cyber criminals make their best money, and state-backed groups achieve their political goals, by going undetected for as long as possible, until they are ready to strike. Security firm Cylance has released a report alleging that the networks of multiple companies considered critical infrastructure and/or highly sensitive (think airlines, natural gas producers, defense contractors) have been completely compromised and “owned” by an outside group suspected of being backed by the Iranian government. Through this coordinated campaign, dubbed “Operation Cleaver” by the researchers and the kind of long-running, targeted intrusion the industry labels an “Advanced Persistent Threat” (APT), the unidentified group of hackers is alleged to have obtained complete control over entire network infrastructures, meaning all servers, network equipment and everything connected to them, and to have remained in control for at least two years. The companies are not named in the report, primarily out of security concerns.
What this means for you:
In a conversation with a client today, we discussed the recent hacking takedown of Sony (another APT that completely owned their network), and why they made a more attractive target than my client, who is only a fraction of the size. As mentioned above, malware was originally designed to wreak havoc in a chaotic fashion, but now that there is money or power to be gained from it, hackers are much more organized and pursue targets that usually fall into one of two buckets:
- The average home computer user – easy to hack, but usually not worth much, except when campaigns net thousands of victims. The dollars add up quickly.
- High-value companies or organizations – more difficult to hack, but once compromised they can yield significant monetary and political impact.
As you may have guessed, most small and medium-sized businesses fall squarely in the middle, and if they are hacked, it’s usually by malware aimed at the first group. HOWEVER, the client and I considered another possibility: what if the object was to destroy data in order to disrupt your business? Even with a culture steeped in Hollywood fantasies of corporate espionage and sabotage, it may still be hard to imagine a competitor stooping so low as to put out a “cyber hit” on your organization. Considering that we already know organized crime is elbow-deep in funding and profiting from malware attacks, maybe that threat isn’t as far-fetched as we might have hoped. Coordinated attacks like Operation Cleaver are typically backed by nation states, primarily because the resource requirements are steep, but a smaller, focused campaign to take out a small company could be handled by a single freelance “cyber-hitman”. If I can imagine it, you can bet this is already happening. We just don’t know about it yet.