1.4 Examples of high profile cyber security breaches
Cyber security attacks take many forms from obtaining users’ personal information, to attacking critical national infrastructure and obtaining companies’ proprietary data. Here we describe four high profile cyber security breaches which caused major financial losses and damaged the reputations of the organisations concerned.
Attacking online identities
Adobe Systems is one of the more important companies in the digital economy. Its software is used to produce, publish and present an enormous amount of material – chances are your favourite magazines and books were laid out with Adobe software.
Over the years, Adobe had stored the names, addresses and credit card information of tens of millions of users on its servers. Then, in October 2013, Adobe admitted that data from 2.9 million accounts had been stolen. Later, that number was revised to 38 million accounts, but when the data file was found on the internet it contained no fewer than 153 million user accounts. Much of this data could be read, and soon copies of the stolen accounts were in wide circulation. It also became clear that the people who had stolen the user data had gained access to Adobe’s development servers as well: program code, potentially worth billions of dollars, had also been stolen.
Adobe was forced to reset the login details of every one of its users and to greatly improve its own security. And, of course, users sued Adobe for not protecting their information.
You can check whether your email address was included in the stolen data by visiting https://haveibeenpwned.com/ and entering your email address into the search box.
Is Adobe alone, or are other companies holding valuable data but not protecting it properly?
Fast forward to 2019
- A huge database of 49 million Instagram accounts was exposed online without any password protection (TechCrunch, 2019a).
- A database containing hundreds of millions of phone numbers linked to Facebook accounts was left exposed online (TechCrunch, 2019b).
- Personal data of the entire population of Ecuador was available online – 20.8 million records, some including bank balance (ZDNet, 2019).
Attacking industrial systems
Not many people want a uranium centrifuge, but those that do, really want a uranium centrifuge. The centrifuge was developed after the Second World War for enriching uranium so that it can be used either for generating nuclear power, or, as the heart of a nuclear weapon.
Under international treaty it is not illegal for countries to enrich uranium to low levels for nuclear energy, but high levels of enrichment are forbidden to all but a handful of countries. As a consequence, centrifuge technology is tightly controlled; even so, centrifuges have gradually spread around the world. Most recently they have been developed by Iran, ostensibly for that country’s legal civil nuclear programme, although it is also suspected that they might be intended for the development of an Iranian nuclear bomb.
In the summer of 2010, a new piece of malicious software for the Microsoft Windows operating system was discovered by an antivirus company in Belarus. When the software was dissected it was found to attack a very specific configuration of Siemens industrial controllers (PLCs) driving high-speed motors. Left unchecked, the software, dubbed ‘Stuxnet’, would rapidly increase and decrease the speed of the motors, causing irreparable damage to whatever was connected to them, among other things uranium centrifuges.
The very specific nature of the systems targeted by Stuxnet made many believe that it was developed specifically to disrupt the Iranian uranium enrichment programme. By the autumn of 2010, reports were appearing that the Iranian centrifuge programme was in trouble. The Israeli paper Haaretz reported that Iran’s centrifuges had not only produced less uranium than in the previous year, but that the entire programme had been forced to stop and start several times because of technical problems. Other sources reported that Iran had been forced to remove large numbers of damaged centrifuges from its enrichment plant.
In 2016, there was a serious cyber attack on the Ukrainian power grid (Ars Technica, 2019). Recent analysis has provided much more detail about how it was carried out. It appears that the intention was to disable protective equipment in such a way that operators would not realise it had been turned off; this could have caused catastrophic damage when they attempted to restore power. The component targeted was a known vulnerability in a piece of Siemens equipment, a Siprotec protective relay, for which a security patch was available but may not have been installed.
In 2017, there was an incident at a Saudi oil refinery, Petro Rabigh, in which malware shut down the plant. A report by Dragos, updated in 2019, suggested that the malware was probing the plant’s industrial control systems when it accidentally triggered the shutdown. In 2019, Dragos reported that the same group was probing industrial control systems in electrical transmission networks in the US and across Europe; it has named this threat XENOTIME (Dragos, 2019).
In 2019, a week after suffering a crippling ransomware infection by LockerGoga, the Norwegian aluminium producer Norsk Hydro estimated that total losses from the incident had already reached $40 million. It is not clear whether Norsk Hydro was specifically targeted or whether the infection was opportunistic, but the case illustrates the risk to industrial operations from attacks on ordinary IT infrastructure.
Attacking specific targets
In December 2013, the American retailer Target announced that hackers had stolen data belonging to 40 million customers. The attack had begun in late November and continued for several weeks before it was detected. By then it had compromised more than 110 million accounts, including unencrypted credit and debit card information as well as encrypted PIN data. By February 2014, American banks had replaced more than 17 million credit and debit cards at a cost of more than $172 million. The amount of fraud linked to the attack is unknown, as is the damage to Target’s reputation.
Target was not the first major retailer to be hit by hackers, but this attack was different from most: the weakness that allowed the attackers into Target’s computers lay outside the company. The hackers had gained access through computers belonging to one of Target’s heating, ventilation and air conditioning (HVAC) contractors. Like many large organisations, Target allows other companies to access its internal networks to submit bills and exchange contracts.
The hack appears to have begun when an employee of the HVAC company received an email from one of their trusted partners. In fact, the email was fake and contained malicious software. Unlike traditional spam email, this message had been targeted at a very specific audience, the HVAC company. This is what is known as ‘spear phishing’.
Once the email had been opened, the hidden software went to work and retrieved the HVAC company’s credentials for Target’s network, allowing the attackers to log on to their real objective. In a well-designed system, the HVAC company’s credentials should have restricted them to a network responsible solely for billing and contracts, but, like a lot of big organisations, Target used a single network for all of its data, allowing the attackers eventually to locate, and steal, customer data.
The Target attack is an example of an advanced persistent threat. Rather than attempting to attack the retailer directly, the hackers had chosen an external company which was much less likely to have the resources to detect and defend against an attack. Their spear phishing email was directly targeted at the contractor, lulling them into a false sense of security and allowing the malware to retrieve the logon credentials needed to attack Target itself.
In 2017, Target had to pay a settlement of $18,500,000 and agree to make the following changes to significantly improve its security.
- Develop and maintain a comprehensive information security program
- Maintain software and encryption programs to safeguard people’s personal information
- Separate its cardholder data from the rest of its computer network
- Rigorously control who has access to the network
- Bring in an independent and well-qualified third party to conduct regular, comprehensive assessments of its security measures.
- Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors.
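The single flat network described above, and the settlement’s requirement to separate cardholder data and control who can reach it, are usually put into practice at the network layer. The following nftables ruleset is an added illustration written for this page, not Target’s configuration or anything from the settlement; the zones, addresses and the jump-host subnet are hypothetical. The commented-out chain at the top is the weak, flat arrangement; the table below it is the segmented one, in which a vendor’s VPN session can reach only the billing portal and every attempt to reach the cardholder data environment is logged and dropped.

```nftables
# Constructed example: nftables ruleset segmenting a retail network.
# Addresses are hypothetical:
#   10.10.0.0/24  vendor VPN zone (e.g. an HVAC contractor's remote access)
#   10.20.0.10    billing and contracts portal
#   10.30.0.0/24  cardholder data environment (CDE: point-of-sale and payment servers)
#   10.40.0.0/28  payment-processing jump hosts, the only source allowed into the CDE
#
# Weak version, equivalent to the single flat network described above:
#   chain forward { type filter hook forward priority 0; policy accept; }
# Every host, including a vendor's VPN session, can then reach every other host.

table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted below.
        ct state established,related accept

        # Vendor zone: only the billing portal over HTTPS, nothing else.
        ip saddr 10.10.0.0/24 ip daddr 10.20.0.10 tcp dport 443 accept

        # CDE is reachable only from the payment-processing jump hosts.
        ip saddr 10.40.0.0/28 ip daddr 10.30.0.0/24 accept

        # Anything else aimed at the CDE is logged so the SOC can see the attempt,
        # then dropped (the default policy would drop it anyway; the log is the point).
        ip daddr 10.30.0.0/24 log prefix "blocked-to-cde " drop
    }
}
```

The ruleset belongs on the router or firewall that sits between the zones, since it filters forwarded traffic; load it with nft -f and confirm with nft list ruleset. The logging rule matters as much as the drop: a vendor account suddenly probing the CDE is exactly the signal that was missing in the Target case.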
You don’t need to be a huge company to be specifically targeted by criminal hackers
An employee responsible for handling the company finances knew that a meeting to finalise the acquisition of another company was in progress. He received the email: ‘Hey, the deal is done. Please wire $8m to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.’ The employee thought nothing of it and sent the funds over, ticking it off his list of jobs before heading home. But alarm bells started to ring when the company that was being acquired called to ask why it had not received the money. An investigation began - $8m was most definitely sent, but where to?
The criminal hacker clearly knew of the meeting in progress, most likely from having intercepted the company’s emails over several days or weeks while looking for an opportunity to attack. For the rest of the report see https://www.bbc.co.uk/news/technology-49857948
Even private individuals have been attacked in this way, and again the most likely method is interception of email: perhaps by sitting in a car outside the victim’s house and snooping on the traffic of a home wireless network (WiFi) that has not been password protected, or perhaps by snooping on the WiFi traffic of a local tradesman or estate agent, waiting for emails showing that an invoice is about to be sent. The hacker then sends an identical invoice, but with a different account to receive the payment.
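The substituted invoice in the case above has two tell-tale features: it arrives from an address that is not the vendor’s usual domain (often a lookalike), and it names a bank account that differs from the one on file. The script below is an added example written for this page, not from the BBC report or any of the organisations mentioned; the vendor record, the two invoices and the domain names are constructed sample data. It applies both checks and returns alerts rather than paying, which is the control (confirm any change of bank details by phone) that defeats this fraud.

```python
"""Added example (not part of the course text): two simple checks that would have
flagged the invoice-substitution fraud described above.

All vendor records, invoices and domains below are constructed sample data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str      # domain the vendor is known to send from
    bank_account: str      # account on file, confirmed out of band


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender: str            # From: address on the email carrying the invoice
    bank_account: str      # account the invoice asks to be paid into


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def looks_alike(domain: str, known: str) -> bool:
    """Crude lookalike test: the two domains are equal once dots and hyphens are
    removed and common digit-for-letter swaps (0->o, 1->i, l->i, 5->s) are folded."""
    def norm(d: str) -> str:
        return re.sub(r"[.-]", "", d).translate(str.maketrans("01l5", "oiis"))
    return domain != known and norm(domain) == norm(known)


def check_invoice(invoice: Invoice, vendors: dict[str, Vendor]) -> list[str]:
    """Return a list of alerts; an empty list means the invoice passed both checks."""
    alerts = []
    vendor = vendors.get(invoice.vendor_name)
    if vendor is None:
        return ["unknown vendor: hold for manual review"]
    dom = sender_domain(invoice.sender)
    if dom != vendor.email_domain:
        kind = "lookalike" if looks_alike(dom, vendor.email_domain) else "unexpected"
        alerts.append(f"{kind} sender domain {dom!r} (expected {vendor.email_domain!r})")
    if invoice.bank_account != vendor.bank_account:
        alerts.append("bank account differs from the account on file: confirm by phone before paying")
    return alerts


# Constructed vendor master record (hypothetical vendor, domain and IBAN).
VENDORS = {
    "Acme Plumbing": Vendor("Acme Plumbing", "acmeplumbing.example", "GB29NWBK60161331926819"),
}

# Constructed invoices: the first is the genuine one, the second the criminal's copy
# sent from a lookalike domain and naming a different payee account.
GENUINE = Invoice("Acme Plumbing", "accounts@acmeplumbing.example", "GB29NWBK60161331926819")
FRAUDULENT = Invoice("Acme Plumbing", "accounts@acme-plumb1ng.example", "GB94BARC10201530093459")

if __name__ == "__main__":
    for inv in (GENUINE, FRAUDULENT):
        print(inv.sender, "->", check_invoice(inv, VENDORS) or ["ok"])
```

Neither check needs anything more than a maintained vendor master list, which is why "verify changed bank details out of band" is the standard first control against this kind of fraud; the lookalike test is deliberately crude and only catches the simplest substitutions.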
Activity 1 Describing cyber security breaches
Choose one of the three example attacks outlined above. You can choose Adobe, Stuxnet or Target.
Using the terminology you’ve learned so far, try writing a brief description of the attack which might explain it to other learners, and write it in the space below.
Examples of things you might put into your description are:
- the CIA concepts that are relevant to the example you have chosen
- whether malware was involved in the attack, and what type of malware it was
- the asset that was affected by the attack.