The Stuxnet virus attack on Iran’s nuclear programme is the stuff of spy stories – a sliver of computer code sneaks on to illicitly obtained Siemens computers either on a USB or under the cover provided by a massive overload of the system through a denial of service assault.
The code disrupts Windows 7, causing sensitive centrifuges to whirl out of control while telling technicians that all was going smoothly. As many as 1,000 centrifuges were permanently damaged, meaning Iran’s nuclear programme slowed and the chance of a bomb moved further off.
Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure, believes Stuxnet was the work of governments, probably the United States and Israel. “We face three kinds of online attacks: criminals, hacktivists and nation states,” he says. “Of these, nation states have the greatest power.”
Over the past three years, however, it’s become clear that it’s not just James Bond who has to worry about so-called advanced persistent threat (APT) attacks like Stuxnet. It is becoming more apparent that any business handling valuable data, from blueprints for important new designs to financial data from customers and suppliers, is at risk of compromise by talented, well-funded hackers.
“Five years ago, the internet was like the high street with companies selling to consumers,” says David Emm, senior security researcher at Kaspersky Lab. “Now the internet is central to almost every company’s business, connecting them with suppliers, employees, customers and partners. With extended supply chains, any company is only as safe as its least protected employee or supplier.”
He cites Icefog, a recent cyber-espionage campaign targeting governments, military contractors, maritime and ship-building companies, telecom and satellite operators, tech companies and mass media across South Korea, Japan, the United States and Europe.
Icefog arrives through phishing e-mails and exploits vulnerabilities in Microsoft Word and Excel on both PC and Mac, opening a back door that allows hackers to handpick sensitive documents, company plans, e-mail account details and network passwords. This kind of customable assault, previously the preserve of nation states, is now for sale on hacking sites.
“APT attackers aren’t usually lurking on massively used public sites like Google,” says Darien Kindlund, director of threat research at FireEye. “They’ll focus on smaller, very specific sites visited by experts and senior staff in the area they hope to find victims.
Any business handling valuable data is at risk of compromise by talented, well-funded hackers
“Once they’ve compromised one of these sites – a research site, say – they’ll do passive reconnaissance, watching who is visiting at what time and with what protocols to craft a combination of seemingly simple techniques into a very targeted attack on a single well-researched victim.”
Protecting against APTs is critical to all organisations, but simply beefing up a company’s own IT isn’t enough. “If your employees connect to your network using their devices, they can easily get infected with malware at a coffee shop or while working from home,” warns Shel Sharma, product management leader at Cyphort. “Security deployed at the firewall will have no opportunity to find and alert you about the malware.”
Tech firms have been compromised via their legal firms, employed to file patents. Car companies have faced attacks via engineering support companies. The Syrian Electronic Army, a collection of computer hackers who support the government of Syrian President Bashar al-Assad, rerouted visitors to The New York Times and to Twitter by hacking their domain name system register companies.
With unplanned IT outages, the most debilitating source of supply chain disruption – outpacing bad weather, transport network disruption, bankruptcy and earthquakes – placing secure IT at the heart of contracts with the suppliers is key. Although it may not be enough.
“With more and more companies using one of a handful of cloud providers, the insurance industry is starting to rethink the way it covers corporates against data loss,” says Stephen Wares, head of European cyber risk practice at insurance broker and risk management specialist Marsh.
“Some insurers may have as many as 1,000 clients using the same cloud provider and thinking about the way they provide cover if that company is compromised has to change as the risks change. There are 30 insurers on the London market spending the next year or so working through their data to see what that means.”
If the possibility that compensation for loss from cyber attacks will decrease sounds alarming, Mr Wares is keen to point out that scary headlines can sometimes just be scare stories.
“Very big numbers are being floated about the number of APT attacks at the moment,” he says. “Those numbers don’t really tally with the actual experience of many business owners. The challenge for the future is to develop good predictive modelling so that the benefits and the risks of decisions, like which cloud service provider to use, can be independently understood.”