Cyber Espionage: the scale and collateral damage

Whenever one hears the words ‘cyber espionage’, large-scale campaigns affecting entire national states and transnational corporations such as Aurora, Flame or Duqu come to mind. Unfortunately, cyber espionage doesn’t necessarily happen on a global scale, and larger companies are not the only organizations that may draw the attention of cyber spies.

As we have written many times before, smaller companies often consider themselves immune to cyber criminals: why would hackers touch us if we are small… But actually a company’s size means little, if anything at all. What does matter to criminals is the products, technologies, finances and other data a targeted company works with, whoever those criminals are – real cyber spies working for hostile states, commercial competitors, or plain and simple thieves acting out of greed.

Kaspersky Lab recently released a new paper, ‘Who’s Spying on You’, which lists the types of cybercriminals according to their varying goals. For instance, ‘common’ cybercrooks are interested in any corporate data, since they fully understand its value: it may give them the ability to blackmail and extort, or it can offer them something that can be sold on the black market. So-called ‘hacktivists’ usually don’t care about money; instead, they’re always willing to ‘punish’ every company they have problems with (usually large corporations) by stealing and dispersing confidential data – such as poorly protected personal data of clients – which, in turn, leads to all-out scandals, losses and harsh legal consequences.

There are also hackers-for-hire, seasoned professionals specializing in cyber espionage and stealing specific data on behalf of the highest bidder, whether it is a government or a competitor.

Collateral damage in real-world warfare is most likely unintended. But in the case of cyber warfare, such damage may be fully intended.

Then there are special groups supported – directly or not – by state governments. These groups gather strategic data about other states and occasionally launch attacks on hostile states’ infrastructures.

No matter what cyber spies want, the consequences of their activities can be apparent (although the attack itself may be revealed years after it has actually started). Consequences can be evaluated in numbers: according to a Kaspersky Lab and B2B International survey, the estimated average financial damage from a targeted attack is about $2.4 million. The average loss from a data leak for an enterprise amounts to $649,000.

Smaller companies lose less money, but they are at a larger risk.

What we really need to touch on is collateral damage. In real-world warfare this is a euphemism for usually unintended civilian losses and damage to non-military infrastructure. In cyber warfare ‘collateral damage’ may be intentional.

In order to harm any large entity, such as a military contractor, frontal attacks are not necessary; they are also likely to be unproductive, since the big company’s cyber defenses are very thorough and always on alert.

But any such enterprise has a vast network of third-party contractors, large and small. The defenses of the smaller ones are often quite relaxed for various reasons and, therefore, are penetrable.

Recently, we have seen such supply-chain attacks: for instance, those who stood behind Icefog, before attacking their primary targets – industrial corporations, state agencies and military contractors – collected troves of data from third parties, from telecom and satellite operators to software developers and shipbuilding companies.

More on these APTs and ways to ward them off is available in Kaspersky Lab’s new whitepaper ‘Who’s Spying On You’.