In 1995 around 1% of Europeans used the internet. There are now over 3 billion people on the internet. Technology has advanced. As technology has changed so have the opportunities for those trying to attack companies.
The increase in mobile working also increases these risks..
Mobile working can increase risks as the technology has become more widespread criminals have become more sophisticated too. One of the most sinister hacking techniques is the “DarkHotel”, so-called after some research by Eugene Kaspersky a Russian specialist in the information security field and founder of IT security company Kaspersky Lab. We did a podcast on DarkHotel last month.
DarkHotel hackers are said to have targeted executives in every continent for the last 4 years. DarkHotel has not been widely reported by the media – as a result most executives have been ignorant of the dangers. With DarkHotel, criminals are targeting the executives of companies to try and steal information from them. A hacker might for example target an executive in the mining industry. The hacker might be seeking confidential emails, sensitive pricing information, accounting information or the business strategy of a company.
This type of hacking is similar to phishing. A phishing attack is when emails are sent to thousands of people in the hope that some are tricked into allowing the hacker access to their information. Spear phishing is when a specific individual or company is targeted by hackers who try and dupe them into allowing their personal information to be accessed.
The DarkHotel hackers try and find out which hotel the executive is staying at during a business trip. They then use the hotel’s Wi-Fi in order to send the unsuspecting executive a piece of malware disguised as a software update. The malware might be disguised as an Adobe or a Google update. The executive then installs the false update. The attackers can then either send a virus which can access the information of the executive and/or install a key logger which records all of the person’s keyboard activity. The hackers then obtain the passwords of the executives in order to hack into their company systems.
The hacker can use this information to get wider access to the company. They might be targeting some specific piece of information within the company. This might be details of a merger, stock information or details about an internal investigation within the company. The hacker can then access and sell the information or use it to get an advantage from one of the company’s business rivals or trade their stocks and shares. The damage these hackers can do to companies and to reputations should not be underestimated. Kaspersky’s report says:
“The crew never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high profile individual. The most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors and top R&D staff have all been targeted.”
There are three things companies should do to try and reduce the risk:
- Companies should draft policies and procedures to explain the risks to busy executives. They need to be clear and easy to read – not long technical or legal documents which won’t be read.
- Executives should be trained on how to avoid these sinister attacks. Again training should be bespoke, interesting and engaging – employees need to know this is not just a theoretical risk.
- Technology should be used to reduce the risks. This might involve using technology to geo-fence an executive’s device for example to make sure it will not work in a high risk country until the employee has done the training. It may also involve providing other means of connecting devices with sensitive data with home base rather than simply relying on unsecure public Wi-Fi. It is also likely to include a software updating regime which focuses on at desk updates rather than updates on the move so that employees can more easily distinguish genuine updates from fakes.
For more information please contact Jonathan Armstrong a lawyer with Cordery in London with significant experience in cyber security issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 118 2700