Targeted attacks were the main focus of our September 2013 Intelligence Report. There's good news and bad news: on the upside, such threats are lower than this time last year, even though they have still increased since two years ago. To give an idea of the diversity of attack types, we highlighted the following examples over the month:
The broader most targeted attacks are aimed at service and government bodies, possibly because these are the softest targets. In terms of company size, 24% of compromised organisations are under 250 employees, 41% are above 2500 and the remaining 35% are in the middle. The numbers of smaller companies being targeted is increasing, suggesting that such attacks are quickly moving into the mainstream and becoming increasingly more, well, targeted- company size is not as important a criterion as, say, quality of information.
As well as the overall theme that attack techniques are continuing to evolve and improve, it is 'hackers for hire' examples that have really made us sit up. In a white paper on the subject, we describe the activities of shady organizations such as Hidden Lynx, which have been set up to offer services to other groups.
We shouldn't be surprised that financial companies - those involved in asset management, investment banking, mergers and acquisitions - are the ones most targeted by such groups: after all, according to the old adage, "That's where the money is." Geography doesn't appear to be a limitation - while many attacks are currently in South Korea and Japan, a major attack cited by the paper (VOHO, which involved a 'watering hole' campaign) was in the US.
We know from available data that such attacks are not only increasing, but the organizations involved are becoming more corporate. Hidden Lynx appears to be a highly professional outfit, the goal of which, states the report, is to "gain access to information within organizations in some of the wealthiest and most technologically advanced countries across the globe."
We do not believe that the information being accessed is particularly easy to sell in its own right; this, coupled with our understanding that the market for financial data such as credit card details is already saturated, leads us to believe that such organizations are providing 'hackers for hire'.
A darkly vibrant market in hacking services is developing for such organizations, with Hidden Lynx leading the pack and, essentially, showing others how it is done. The message is clear: leaving confidential information only weakly protected is like entering a war zone without armor. You might not get hit, but any idea of 'security by obscurity' should be consigned to the past.
Even if you do not fully appreciate the value of your information and the importance of protecting it, the chances are, others will.