Cyber attacks are a fact of life
There’s no doubt that the internet has made almost every element of our lives easier. Virtually everything now has an online presence, from multi-national social media goliaths to your local bakery. Though this has its advantages, it also creates risk. Convenience comes at a cost, and all too often consumers and businesses alike don’t pay enough attention to cyber security until it’s too late. Even those who are security minded often don’t get a say in what happens to their data, as the recent mega-hacks of the likes of easyJet and SolarWinds have proved. Cyber attacks can result in data breaches, regulatory fines for non-compliance, legal costs, and a ruined reputation. So let’s take a look at the biggest cyber attacks of 2020 and see what we can learn.
The WHO is a noble international institution that was taking a leading stance in combatting the COVID-19 pandemic. Unfortunately, this moral high ground doesn’t mean it’s above the attention of cyber criminals. As a result of a series of cyber attacks in Spring 2020, a gigantic data leak took place, with more than 20,000 email addresses and passwords being released to the public. What was the modus operandi of the criminals behind those cyber attacks?
It turns out that the cyber criminals obtained confidential data thanks to social engineering, or to be more precise – phishing attacks. The sheer number of people employed in large organisations such as the WHO, along with the fact that it only takes a single individual responding to a suspicious email to let the hackers in, means that phishing must be considered a constant threat. After the leak, WHO officials claimed that the 2020 cyber attacks were successful due to outdated information infrastructure. Which is tech-speak for ‘we didn’t patch our security flaws’. Lack of resources to run proper patching schemes is one of the challenges we highlighted in our 2021 Annual Cyber Security Report. To avoid a similar data breach in the future, they have implemented a secure authentication system. Which might sound like ‘too little too late’ until you realise that phishing attacks happen all the time. This will happen to the WHO again, and this time they’ll be a little more prepared.
The lesson for businesses here is to proactively test your defences against phishing attacks, hold regular security training, and have an internal penetration test to know what damage a hack could do if your defences are breached. The necessity for employee remote working has made phishing attacks more successful, something we looked at in our blog and webinar on securing remote working.
Most of the people you know have accounts on several social media platforms. There are over 330 million monthly active users on Twitter alone, so it’s no wonder that cyber attacks directed at those platforms are not rare, as gaining access to the personal data of millions of people could be insanely profitable. However, the Twitter cyber attacks of 2020 that we want to mention were no mere data leaks.
As a result of a phishing campaign, cyber criminals gained access to the accounts of several senior Twitter employees. This privileged access meant the miscreants could tweet from the profiles of world leaders and industry titans, including Bill Gates, Jeff Bezos and Elon Musk, with a scam to obtain Bitcoin.
It wasn’t a threat – quite the contrary, it was the proposal of a business deal, seemingly from the likes of Elon Musk, in which they promised to send back twice the amount of Bitcoin later on. Although this attempt might seem silly, those cyber attacks were at least moderately successful, as they managed to obtain Bitcoin exceeding $100,000. Though it certainly wasn’t one of the biggest cyber security attacks of 2020 in terms of damage, it was troubling primarily because it showed that even the largest organisations, which handle the personal data of hundreds of millions or billions of users, are not immune from external threats.
The Twitter hack highlighted the influence that social media has in our everyday lives, and if the hackers had been motivated by politics rather than finance it could’ve been a very different (and disastrous) outcome. The lessons learnt from the Twitter hack can also apply to your business. Just as you shouldn’t trust Bill Gates’ account offering you a Bitcoin deal, you also shouldn’t trust an email from your CFO pressuring you to make an unexpected payment. Email and messenger accounts can be compromised, and you need to make sure that everyone in your business is prepared for it and knows how to respond. Simple security training is a great place to start.
Though video conferencing is nothing new, the arrival of the COVID-19 pandemic was a true game-changer. Instead of being a feature that made the functioning of businesses around the world easier, video calls became something without which conducting day-to-day operations wouldn’t be possible with the lockdown in place. Because of that, in a matter of weeks, Zoom became an insanely popular brand.
However, even though its number of customers skyrocketed almost overnight, that doesn’t mean it hasn’t had any security issues. Despite best-practice (and common sense) advice, many people re-use credentials across different online services. So if one company has a data leak (which you might not even be aware of), your credentials fall into the hands of cyber criminals. Instead of being able to access only the one breached account, the hackers can now access a variety of your online accounts thanks to your security complacency.
That’s what happened in this situation. Thanks to an attack method called “credential stuffing,” hackers were able to gain access to hundreds of thousands of Zoom accounts, which were then sold for profit. The hackers took credentials exposed in existing data breaches and tried them on Zoom.
Creating different passwords for each platform might be a nuisance, but it’s a necessary step if you want to avoid serious cybersecurity threats. Businesses can use two-factor authentication (2FA), which is a great defence against credential re-use at the expense of a slightly longer logon process. You’ll be used to 2FA from things like mobile banking. With the increasing popularity of cloud tools and single sign-on for businesses (such as Azure Active Directory), organisations need to ensure that a data breach in one area, such as an employee’s private life, doesn’t impact corporate cyber defences.
Most readers will have heard of ransomware: where hackers encrypt your computer, charging you a fee to unlock it and recover your data. There’s no guarantee that they’ll hand over the unlock code after you pay, and no guarantee that they haven’t grabbed a secret copy of your sensitive data. If ransomware hit your home PC it could be heartbreaking to lose personal memories such as photos. If it happened to your business IT it could devastate your entire business in one go. But what happens when ransomware attacks healthcare?
Magellan Health, a healthcare insurance provider, found out the hard way in 2020 when the private information of more than 350,000 individuals was stolen. Once again, the cyber criminals’ methods involved social engineering: while impersonating Magellan Health’s clients, they managed to install malware on the company’s systems. Once they obtained the logins and passwords of employees, they managed to access a database that contained information such as the addresses, Taxpayer Identification Numbers and Social Security Numbers of around 350,000 patients. The cyber criminals exfiltrated (and presumably sold) this highly lucrative data, whilst the ransomware provided another revenue stream and also helped hide the hackers’ attack.
The lesson for businesses is that, even in the times of a global pandemic, cyber criminals have no qualms about attacking companies that attempt to save lives. As our revealing ‘Cyber Stats for 2021’ infographic shows, this proves to businesses that everyone is a target, from UK SMEs to global multinationals. Hackers have few morals and will pursue every avenue to make money. Often a business is breached not because it was a direct target, but simply because it was collateral damage from another attack. Take cyber security threats seriously and start with the basics, such as Cyber Essentials or ISO 27001 certification.
Social media, email and IM apps may rule the roost of modern communications, but humble voice telephony is still a valuable data source for hackers. Cosmote, Greece’s largest mobile network operator, found out to its cost in September 2020 when it suffered a colossal data breach.
Apart from intercepting millions – that’s millions – of phone calls, cyber criminals also stole valuable contextual data about the calls – time/date, duration, telephone numbers, age, and gender. Greek newspapers noted that even the calls of Greece’s prime minister and other members of the government were intercepted, which may have been the real motivation.
According to company officials, even though this attempt succeeded, Cosmote typically has to repel around half a million cyber security attacks each month – that’s about 700 per day. If we consider the fact that Cosmote handles the personal data of millions of its users, it is no wonder that they are an attractive target for cyber criminals. However, we must remember that the largest corporations on the planet deal with the data of billions of internet users, in which case the frequency of cyber attacks is even more stunning.
Your personal and corporate data exists everywhere, in your business and outside it. Your suppliers, such as telecoms or cloud tools providers, need to play their part in safeguarding your data, and you in turn need to do your part to safeguard the data of your customers. Good cyber security should be part of a chain of trust.
Cyber attacks are not by any means a rare occurrence and, as we covered in our blog ‘4 Things Hackers Don’t Want You to Know’, they have many tricks up their sleeves. In the information era, data breaches, fines and reputation damage can be extremely harmful to organisations big and small. Whilst investment in cyber defences must be commensurate with organisation size, every business must be doing the basics. Cyber attacks are often a numbers game – hackers will fire out simple attacks en masse, and if your business is doing the basics right, there’s a good chance you can avoid being hacked. Phishing is an extremely effective tactic for cyber criminals and is one of the biggest security risks to businesses of all sizes – but with regular, engaging security training and simple best-practice security defences, it can be one of the easiest risks to treat. Mid-market and enterprise organisations have the additional challenge of fighting for a cyber security budget to match their attack profile – something we explored in our blog, ‘How to get board-buy-in’.