The 30 per cent increase in business email compromise attacks that has occurred during COVID is not a surprise given that malicious cyber activity thrives during periods of uncertainty and turmoil, even if the number is alarming, Mimecast’s country manager Nick Lennon says.
At least as concerning for business as the increase in raw numbers is the growing sophistication of the well-resourced cyber criminals that perpetrate these business email compromise (BEC) attacks.
It is worth noting also, Mr Lennon says, that in 2020 Australia has attracted a disproportionately large proportion of these attacks – partly because the COVID-inspired themes followed directly from a wave of malicious email that sought to leverage Australians’ goodwill during the summer bushfires.
Mr Lennon says it is the sophistication of the attacks as much as the quantum that should be cause for alarm.
Mimecast conducted a threat intelligence advisory after 100 days of COVID and says that in addition to the 30 per cent increase in business email compromise attacks, that 66,000 COVID-related domain names had been “spun-up” as part of orchestrated campaigns to fleece businesses.
“These are sophisticated, global entities that are leveraging many different datapoints for the greatest impact, whether that’s through a nation state or through the significant money that these criminal organisations make off the back of these scams,” Mr Lennon said.
“They can build huge repositories of data that they can draw on where they can impact on business in an extremely efficient way,” he said.
Ultimately the primary motivation for these attacks are financial. Mr Lennon pointed to the recently uncovered Russian hacking group Cosmic Lynx as an example of the step-up in sophistication where criminal groups are targeting bigger prizes on the back of well-resourced, multi-layered campaigns of deception.
The Cosmic Lynx groups have targeted – effectively – mergers and acquisition activity of their targets. With a well-resourced campaign to better understand the target, the people that work within the company and its advisors, the group has been able to get inside the supply chain.
In a merger and acquisition scenario, the hacking group has been able to redirect large payments at the point of transaction.
“By understanding who the transacting parties are and who the professional services firm is that’s supporting the M&A activity, they are able to identify who is involved all the way through from the early stages to the transaction being completed,” Mr Lennon said.
“Once they understand that, they can get involved. That has resulted in huge sums of money being transacted and directed to the malicious actors.”
Where Cosmic Lynx is different – aside from exceptionally well-written, refined email – is that it has been able to identify and target companies without DMARC policies, rendering the victims relatively easy to spoof.
DMARC refers to Domain-based Message Authentication Reporting and Conformance, an email validation system designed to protect a company’s email domain being used for spoofing, phishing scams and other cyber nonsense. The DMARC leverages the existing email authentication techniques Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM).
Mr Lennon says the availability of cheap compute power with artificial intelligence and a global internet has “unlocked opportunities at scale” for cyber criminals. It’s a problem, he says, because it has been so successful.
While the Prime Minister Scott Morrison outlined in a major speech in June that Australia that Australia was under sustained cyber-attack, Mimecast research says the uptick in malicious activity pre-dates the pandemic and began in serious volume last November.
A disproportionate number of cyber incidents are targeting Australian businesses. That is a reality, says Mimecast’s Nick Lennon.
This increase in malicious activity is an indicator of underlying turmoil. Mr Lennon says there is a direct correlation between the amount of cyber activity and instability, whether that economic, political or geopolitical.
“When we see periods of change and instability, you also see increased attack activity. Where opportunity exists, cyber attackers are going to leverage that more and more.”
In the short term, businesses have been consumed with configuring their organisations to maintain operations. But the focus should now move to the longer term and putting in place cyber practices that better manage risk in the new working models.
“There are a lot of organisations that are just getting themselves back to being productive in the current state of things,” Mr Lennon said.
“But the changed operating model for employees in nearly all verticals is significant, and its time now to invest in making sure there is awareness and a heightened sense of the security controls on how they operate,” he said.
“That’s where organisations are really investing at the moment.”
This article was produced in partnership with Mimecast. Nick Lennon is a member of the InnovationAus Leadership Council.