Recent news stories have featured extensive coverage of the latest cyber attack resulting in a large-scale data breach of employees’ personal details. The attack this time was targeted at a number of large companies – including the BBC, British Airways and Boots – by infiltrating their payroll provider. Hackers exploited a loophole in the software used to transfer files, and although the software provider quickly built a patch for users to install to fix the issue, there are concerns that names, dates of birth and email addresses may now be in the hands of cyber-espionage criminals.
Cyber-espionage is a type of cyber-attack that involves an unauthorised user (or multiple users) accessing a victim’s sensitive information in order to secure economic benefits, competitive advantages or political gain. Also known as cyber-spying, the primary targets of such cyber-attacks include government entities, large corporations and other competitive organisations. Cyber-criminals may leverage cyber-espionage in attempts to gather classified data, trade secrets or intellectual property (IP) from their victims. From there, cyber-criminals may sell this information for profit, expose it to other parties, or use it in conjunction with military operations, potentially threatening their targets’ reputations and overall stability. Often, cyber-espionage is deployed across international borders by nation-state attackers.
Over the past few years, cyber-espionage has become a rising concern, especially in certain countries. In fact, the UK’s Government Code and Cipher School (GCCS) estimates there are 34 separate nations that have professional, well-funded cyber-espionage teams. With this in mind, it’s crucial for businesses to understand cyber-espionage and know how to effectively mitigate such incidents. This article provides a detailed overview of cyber-espionage, outlines real-world examples of these cyber-attacks and offers key prevention measures that businesses can implement to safeguard their operations.
Although cyber-espionage often involves nation-state attackers, it’s not interchangeable with cyber-warfare. While cyber-warfare is conducted with the intention of noticeably disrupting a target’s operations or activities, the goal of cyber-espionage is for the perpetrator to remain undetected by their victim for as long as possible, therefore permitting them to gather maximum information. Yet, the information collected from cyber-espionage efforts could be used later amid acts of cyber-warfare.
Any government or business could fall victim to cyber-espionage. However, countries possessing high-income economies and advanced technological infrastructures, such as the UK, may be more attractive to cyber-criminals.
When leveraging cyber-espionage, perpetrators may attempt to access a wide range of data from their targets, including:
- Research and development activities
- Critical organisational projects or IP (eg product formulas and blueprints)
- Financial information (eg investment opportunities, employee salaries and bonus structures)
- Sensitive stakeholder details
- Business plans (eg upcoming marketing, communications or sales initiatives)
- Political strategies or military intelligence
Cyber-criminals may engage in a variety of tactics to execute cyber-espionage, such as:
- Exploiting security vulnerabilities in websites or browsers a target frequently visits and infecting them with malware to compromise the victim’s technology (as well as any data stored on it)
- Utilising phishing scams (eg deceptive emails, texts or calls) to steal login credentials and gain unauthorised privileges within a target’s network
- Posing as employees or contractors and physically going to a victim’s workplace to steal hard copies of data or infect devices with malware
- Bribing actual employees or contractors to share a target’s sensitive information in exchange for payment
- Infiltrating another party in a victim’s supply chain and using that party’s digital privileges to compromise the actual target’s network
- Injecting different forms of malware (eg Trojans and worms) within updates from third-party software applications, thus hijacking a victim’s technology upon installation of these updates
In any case, cyber-espionage can lead to serious consequences for impacted organisations. What’s worse, as cyber-criminals’ tactics get more sophisticated, these incidents could become increasingly common.
Examples of Cyber-espionage
Over the years, multiple large-scale cyber-espionage events have occurred, including the following:
- The Microsoft Internet Explorer incident. Between 2009 and 2010, Chinese cyber-criminals took advantage of a security vulnerability in Microsoft Internet Explorer to execute cyber-espionage against at least 20 international media and technology companies, including Google, Yahoo and Adobe. Google reported that the cyber-criminals stole various pieces of IP from the company and compromised many Gmail accounts.
- The Sony Pictures Entertainment (SPE) incident. In 2014, a North Korean hacking group named the “Guardians of Peace” deployed cyber-espionage during the months leading up to Sony’s release of a film that depicted the assassination of North Korea’s leader. The cyber-criminals used malware to compromise SPE’s network and publicly expose a substantial amount of sensitive company data, such as personal details about employees, email exchanges between staff, information regarding executives’ salaries, copies of unreleased films and plans for future films. The incident significantly impacted the film’s release.
- The UK energy sector incident. In 2015, a report released by the Government Communications Headquarters (GCHQ) detailed an espionage campaign against the UK energy sector. Attackers used a technique known as a “watering hole” attack to distribute malware into businesses working within the energy sector. Scripts were added to legitimate websites frequented by energy sector staff, automatically redirecting the website visitors to download malware from an attacker-owned server. The malware harvested visitors’ credentials and computer system information, sending this back to controllers via attacker-owned domains.
Considering these incidents and their associated ramifications, it’s clear that businesses need to take action to properly protect themselves against cyber-espionage.
Cyber-espionage Prevention Measures
Businesses should consider implementing the following best practices to help safeguard their operations from cyber-espionage:
- Educate employees. Make sure employees receive training on cyber-espionage and related prevention tactics. Specifically, employees should be instructed to never respond to messages from unknown senders, avoid interacting with suspicious links or attachments and refrain from sharing sensitive company information online. In addition, employees should be required to form complex and unique passwords for all workplace technology.
- Protect critical data. Review and update existing cyber-security policies to ensure they promote maximum data protection. Implement new policies as needed (eg a Bring-Your-Own-Device policy and data breach response policy). Further, encrypt and store all critical data in safe, secure locations.
- Restrict access. Only permit employees to access technology and data they need to perform their job duties. Require employees to implement multifactor authentication whenever possible.
- Leverage sufficient software. Protect all workplace technology (and the data stored on it) with proper security software. This software may include endpoint detection tools, antivirus programs, firewalls, network monitoring services and patch management products. Review this software regularly for vulnerabilities and make adjustments when necessary.
- Assess supply chain exposures. Assess whether suppliers have adequate measures in place to protect against network infiltration from cyber-criminals. Consider including specific cyber-security requirements in all supplier contracts and keeping the amount of sensitive information shared with these parties to a minimum.
- Have a plan. Creating a cyber-incident response plan can help ensure necessary protocols are in place should cyber-attacks occur, thus keeping related damages at a minimum. This plan should be well-documented, practised regularly and address a range of cyber-attack scenarios (including cyber-espionage).
- Purchase proper coverage. It’s critical to secure adequate insurance to help protect against losses that may arise from cyber-espionage. It’s best to consult a trusted insurance professional to discuss specific cover needs.
Will cyber insurance help?
Cyber security professionals can help organisations with some preventative measures, such as identifying vulnerabilities and setting up data masking measures, to help mitigate risks. However, some cyber risks are simply not preventable and are fuelled by our dependency on IT to complete everyday tasks. Specialist cyber insurance policies can offer a combination of incident management and access to legal and PR experts, as well as cover costs such as those caused by business interruption or data issues.
The Association of British Insurers has said that the take-up rate for cyber insurance by SMEs is 11%, despite claims payout rates of around 99%. There are many different options for cyber insurance, but almost all will help provide peace of mind by providing:
- Cover for the costs of dealing with data breaches and cyber liability claims
- Cover for business losses from a cyber event
- Cover that helps businesses deal with the impact of cybercrime
- Cover for hardware and data corruption
- Access to expert advice and support (eg IT, legal, forensic and media relations) when an incident occurs
- Full claims support following an incident
Ultimately, cyber-espionage is a pressing concern that businesses need to take seriously. By understanding cyber-espionage and implementing adequate prevention techniques, businesses can effectively safeguard themselves against these incidents and minimise associated losses. An effective cyber insurance policy will help your business to respond to cyber incidents and boost the confidence of the other parties you provide services for. If you need any help and advice around cyber insurance for your organisation, please contact us today.