In recent years, it has become a known fact that if a country or its government performs actions which may be perceived as ‘provocative’, it automatically becomes a viable target for hackers, and specifically hacktivists. Cyber-reactions have become the norm when it comes to military operations, campaigns and even tensions between countries – for example, Israel vs Hamas, Russia vs Ukraine, India vs Pakistan, US vs Iran, and many other cases. The same goes for internal political or law enforcement actions – for example, the Ferguson riots, Sweden taking down the Pirate Bay, Occupy Wall Street, and others.
Until now, we didn’t say anything new.
But, in the past months, we have seen this trend expanding – while once it was relevant almost entirely for governments and law enforcement agencies, now it is becoming more and more relevant for companies and organizations. Just look at these cases from the past few months:
– Sony – Sony Entertainment has been breached by hackers belonging to, or supporting, the North Korean regime. The hackers managed to penetrate the company’s systems, place destructive malware on almost every computer in the network, and copy just about all of the company’s corporate data. This includes personally identifiable information and healthcare data belonging to employees, financial plans, future projects and even internal email correspondence. This attack was apparently done as retaliation for the company’s plan to release a movie embarrassing North Korea’s Kim Jong-un. That’s it. Not because of a military offensive, not because of a draconian law, not even because of corruption charges or environmental disaster – just because of a plan to release a silly film (did I hear someone saying “the Innocence of Muslims”?).
– Leumi-Card – Israeli-based credit-card operator Leumi-Card had the payment information of millions of its customers compromised when a disgruntled employee managed to copy the data from the company’s internal systems before leaving the country and demanding ransom for it. In this case, the employee (who, it seems, didn’t have the highest of skills, to say the least) was upset with his career stagnating or with the fact that the company was about to let him go, and decided to steal information as retaliation. This is an important point companies should keep in mind – if you give an employee his notice, you have to take preventive actions to keep him from abusing his privileges to hurt the company.
– Monsanto – Agricultural biotech conglomerate Monsanto was breached, its website was defaced and sensitive information regarding hundreds of its employees and thousands of its customers and colleagues was compromised by the hacktivist collective Anonymous. The attack was done as retaliation for the company’s lawsuits against organic farmers, whose products were labeled as not containing growth hormones. Monsanto is, amongst other things, the world’s largest producer of genetically modified seeds.
– Las Vegas Sands – The Las Vegas Sands Corporation, the largest casino operator in the world, was attacked by hackers who managed to deface its website, leak personal employee and customer information, and more importantly, destroy thousands of servers and computers using a destructive wiper malware on the hard disks. The financial and PR damages are astounding. This attack was done as retaliation for remarks made by Sheldon Adelson, the company’s chairman and CEO, against the Iranian regime. Specifically, Adelson stated that the USA should bomb Iran with a nuclear bomb to deter it from continuing its nuclear weapons program. Smart. Both this case and the Sony case are the definition of “don’t poke the bear”.
So, we established that companies’ actions have become a main incentive for cyber-reactions. Additionally, we can see that in these cases the attackers vary and can be hacktivists, nation-states, nation-affiliated or basically anyone with a grudge against the company, who just needed the push. Even the slightest action can trigger a reaction. But, does this mean companies should stop and hand over the keys? Au contraire!
What all the above means is that companies and organizations first have to understand that they are viable targets for hackers not only because of their assets but also because of their actions.
They need to understand who their potential enemies are, what their capabilities are and what might trigger them to attack.
They should be able to understand what the cyber-consequences of their actions are in advance.
And, above all, their cyber defense strategies must become proactive rather than reactive, using preemptive measures before planned actions and enabling quick recovery procedures, rather than putting the finger in the dike or extinguishing fires.