We’ve all been there. Oh s—. That moment you realize you should have done more to prepare for days like today.
I’ll bet some folks at Burisma experienced that moment recently. Reportedly, the Ukrainian gas company at the center of the political kerfuffle in the U.S. was targeted by Russian hackers starting in the fall of last year. I think we can all imagine the fire drill that erupted there when that news hit: the security team frantically reviewing system logs and warning systems; the leadership team asking questions like what they are after, how we’re holding up, and the one that hurts much more looking backward than it does forward — could we have done more?
The apparent goal of the attacks: to obtain and expose email messages and embarrass the company. How not so surprising…
The “obtain and shame” approach to hacking first became popular during the financial crisis of 2008, when “Anonymous” worked to cast more negative light on embattled financial services companies and executives at the center of the storm. Since then, similar attacks seeking to weaponize public opinion have been mounted against a wide variety of targets, the two most notable and highly publicized examples of which were Sony Pictures in 2014 and 2016 Clinton campaign advisor and former White House Chief of Staff John Podesta.
That’s not to say that public shaming is the only reason attackers engage in email hacking. It’s a frequent attack vector in incidents involving theft of intellectual property, identity theft, unauthorized access to computer systems, and financial crime. Why? Because it involves the worst possible mix in terms of security risk — a soft target and a high potential for impact.
Data published by Verizon in their 2019 Verizon Data Breach Investigations Report shows that incidents involving compromised business executives are on the rise, with C-level executives being twelve times more likely to be targeted via social and email accounts. It also cites supporting statistics from the Internet Crime Complaint Center (IC3) that put the median direct losses related to business email compromise at three times that of computer data breach.
In a recent blog post at Digital Shadows, author Richard Gold analyzed attacker goals in the Andrei Tyurin indictment, one of the largest computer hacking cases of the last decade. Noting how prominently email compromise factored in the incidents, he concluded that “internal emails are high up on attackers’ wish lists” and warned defenders to be mindful of the risk. Insert your favorite Sun Tzu quote here. “That moment you realize” needn’t cause our hearts to skip a beat if we’re prepared for it. The amount of success attackers have had targeting email communications — even at companies with significant security budgets — suggests that even when we think we’re prepared, we often overlook the obvious. Email communications are a very obvious target.