High-profile cyber hacks dominated 2015. While US Government breaches figured most prominently in the media, breaches also hit health-care, financial, higher-education and federal markets and even the security industry itself with a breach of Kaspersky Labs. Awareness of security issues is at an all-time high, as is investment in security solutions. This surge in attacks serves as a wake-up call for organizations in almost all sectors to fortify their cyber security posture.
But cyber security is not just impacting large organizations. It is also hitting consumers’ laptops and mobile devices. It is not uncommon to hear from friends and work-mates that their laptops or smart phones were victims of CryptoLockers, also known as ransomware, whereby the attacker hacks into a device via a phishing attack and then downloads the malware that encrypts all the data on the device. The attacker then demands a ransom to be paid in bitcoin digital currency in return for the data to be decrypted.
The victim is left with only two choices: factory-reset the device and live with the data loss, or pay the ransom, unsure if they will be attacked again.
Attacks in the UAE
Here, closer to home in the UAE, a sinister cyber-criminal calling himself Hacker Buba hacked into a Sharjah bank and held it to ransom by leaking confidential data of clients on social networking and microblogging site Twitter every few hours. He posted the account statements of government entities and scores of UAE firms and individuals, demanding millions of dollars in ransom to be paid in bitcoins.
In a separate incident, Sharjah Police arrested a gang of seven Pakistani nationals who specialised in electronic scams after they stole the visa card details of various persons. During their interrogation, they told the police about another accomplice who resided in another country. This suspect used to hack accounts and send the information to another accomplice in the UAE. They also launched a fake user name to log into various websites and pay for various transactions of products and services bought online.
While cyber security has been a concern for several years now, the gravity of the problem hit home in the Middle East after the August 2012 attack on Saudi Aramco in which up to 30,000 workstations were affected. More than two thirds (68 per cent) of organisations in the Middle East lack the internal capabilities to protect themselves against sophisticated cyber attacks, according to recent research by Symantec and Deloitte. Meanwhile, 70 per cent of regional IT decision makers lack complete confidence in their company’s cyber security policies.
In 2014 the UAE National Electronic Security Authority announced that cybersecurity is one of the biggest economic and national security challenges countries face in the twenty-first century. All stakeholders, including government and private entities, are vulnerable to cyber attacks, it said.
In April 2015, the first Arabic-speaking group of cybercriminals, also calling itself Desert Falcons, emerged targeting multiple high profile organisations and individuals from across the Middle East. Saudi Arabia saw the highest proportion of cyber attacks in the EMEA region, with 11% of the total attacks, and about half directed against its oil and gas sector, according to FireEye.
Here is a list of some of the high-profile breaches of 2015:
Ashley Madison – Infidelity Dating Site
The security data breach hit the infamous infidelity dating site and became media gold. A hacking collective identified weaknesses in password encryption and used these to crack the bcrypt-hashed passwords. The upshot was that the personal information, including credit card details, of over 11 million users was leaked on the dark web. The company lost its CEO, saw its share price and whatever credibility it had plummet, and faced class actions from clients and investors.
OPM Breach – US Government
The Office of Personnel Management (OPM) breach affected 21 million Americans and resulted in the loss of millions of sensitive files. Lost data included Social Security numbers, fingerprints, financial reports and personal health information.
IRS Breach – US Government
During the IRS breach, tax information of 330,000 citizens was compromised because of an undetected error in the agency’s system.
Pentagon – US Government
There was an attack on the Pentagon’s Joint Chiefs unclassified email system. The attack was suspected to be carried out by Russian threat actors. The threat compromised 4,000 military and civilian personnel. The purpose of all the attacks was to gain access to valuable information and exploit it to serve their own criminal or political agendas.
CareFirst BlueCross BlueShield – Healthcare
The CareFirst BlueCross BlueShield breach highlighted the vulnerability of the health-care sector. CareFirst discovered that hackers had gained access to a database that members use to get access to the company’s website and services.
Kaspersky Lab – Security
Kaspersky Lab discovered an infiltration in several of its internal systems. The attack, which it named Duqu 2.0, was believed to be a nation-state-sponsored attack, whose other victims included events and venues with links to world power meetings, including recent negotiations for an Iran nuclear deal. The Moscow-based security vendor said the compromise included information on the company’s newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services.
Cyberheist – Banking
In February, a billion-dollar bank cyberheist was discovered, affecting as many as 100 banks around the world. The breaches, discovered by Kaspersky Lab, infiltrated the banks’ networks using tactics such as phishing and gaining access to key resources, including employee account credentials and privileges. The cybercriminal ring, known as Carbanak, then used those credentials to make fraudulent transfers and make hijacked ATM machines appear legitimate as they funneled more than $1 billion into their own pockets.
Harvard University – Education
The breach at Harvard University affected as many as eight schools and administrative offices, though it remains unclear what information was accessed by the hackers. Harvard wasn’t the only university that was hit by a breach this year, with an announcement of two Penn State University breaches in May, which compromised the information of 18,000 people since the attack started in 2012.
Donald Trump Hotels – Hospitality
A hack targeted seven of Donald Trump’s hotels and lasted the whole year: even presidential candidates aren’t immune to hacks. Hackers snuck malware onto Trump systems, stealing credit card data (including security codes and card numbers) in the firm’s hotels across the US. No final figure of how many people were affected was ever reported, but it’s thought to be in the many thousands.
TalkTalk – Mobile Phone Provider
This was the UK’s biggest hack of 2015 and one that dominated news headlines for weeks. The mobile phone provider was the target of a bunch of teenage hackers who stole the details of over 20,000 customers. Hackers were quickly identified and dealt with, but the company was left with a bill of up to £35 million, having had millions wiped off its share price, and is facing lawsuits from customers and investors.
Hilton Worldwide – Hospitality
The global hotel chain has recently been the victim of an attack that infiltrated its POS terminals, giving hackers unfettered access to customer credit card information. Stolen information included cardholder names and card numbers, security codes and expiry dates, enabling hackers to shop online or by phone.
Sources: Global Risks Insights, Intelligent CIO, ZDNet, CRN, Gulf Today, @FedNewsRadio
About the author:
Jaime is Marketing Manager at ISIT. He has worked in IT for over 25 years in various technical and non-technical roles in companies based in the US and the UAE. He has been a key contributor to ISIT since the company’s inception in 2007 in Sales, Business Development and Marketing. He is an avid follower of technology trends and enjoys talking about technology in a way that is easy for a non-technical person to comprehend.