One day, a shipping container of bananas disappeared in Belgium. Workers at the port of Antwerp couldn’t figure out what was going on. And it wasn’t only containers of bananas that were disappearing. Other containers of normal cargo suddenly were not where they were supposed to be when trucks came to get them. The records showed that they had been loaded on the ships that brought them, but where did they go?
Little did the operators of the port realize that they had been the victims of one of the most devious of all cyber attacks, the business process compromise (BPC). It seems that drug gangs and other organized crime groups teamed up with hackers to infiltrate the computer network of the port. When the network was compromised, the criminals were able to manipulate shipping schedules to have their drug-filled banana containers delivered to a certain location at a certain time. When the containers were unloaded, the criminals’ trucks were there to take them away. Later, when the actual owners of the containers showed up, the containers had mysteriously disappeared. This particular story has a happy ending. The police were able to set up a sting on the criminals, arresting a number of them and discovering a ton of heroin, a ton of cocaine, and other contraband in the process.
Although this particular hack was uncovered, you have to wonder how long these criminals had been doing this kind of activity before they were captured. In fact, the BBC reported that this criminal group had been stealing containers for over two years. Other ports were later found to have been compromised as well. Almost certainly this attack vector has been upgraded and is now happily working its evil on businesses around the globe. As it turns out, last month, 1,188 kilos of cocaine were delivered to Rotterdam in a container of avocados. Police managed to chase down the truck that took off with the container, but the point is that the attacks described above are still being implemented.
So how was the attack set up? Apparently, organized crime syndicates in the Netherlands hired four high level hackers to help them in the attack. The hack itself began with spear phishing emails which persuaded employees to download and install remote access malware. The malware, once installed, allowed the hackers to work their way through the network of the shipping port and control container delivery schedules. Later, when the port put up a firewall to stop the intrusion, the criminals either physically entered the company and installed keyloggers or persuaded employees to do so. In fact, one source reports that these gangsters had corrupted a customs officer, who is now serving a 14 year prison term.
Now, you may be led to believe that this type of cyber attack only occurs in industries that can be implicated in the illegal drug trade. That would be naïve. All companies are being targeted for business process compromise attacks. And, in all these attacks, the same basic MO applies. The criminals will try to penetrate a company network and manipulate critical elements of the business to achieve financial or political ends.
Unlike regular hacks, these BPC hacks are based on an in-depth knowledge of business operations. The criminals may infiltrate the network they want to manipulate long before they decide to use it to achieve their goals. They will study how, for example, funds are transferred, and then, when the time is right, they will step in to perfectly mimic a transfer that results in money being sent to their accounts. The criminals' knowledge of how a particular company functions makes detecting them all the more difficult. The infiltration will not disrupt normal operations but will lurk in the background and make it seem that all is running smoothly. That's why the port of Antwerp hack went undiscovered for two years.
According to a report from Trend Micro, there are a number of variations on these attacks. Here are some that companies can look out for.
The Ghost Employee
Criminals manipulate the payroll to add employees who don’t actually exist. Large companies with employees in wide ranging locations are the easiest to manipulate. It is unlikely that an investigation will only find one ghost employee. Criminals may test the network with one ghost employee and, if that attempt succeeds, then incrementally increase the number of “ghosts” until they are caught. For large companies that allow employees to work remotely, strong endpoint security is a must, as criminals often try to compromise such endpoints to begin their breach of a corporate network.
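A ghost employee only pays out if the payroll run is never reconciled against the HR system of record. The following is an added example, not code from the article or from Trend Micro, of the reconciliation a finance or security team can run after each payroll cycle. The HR master file and payroll records are constructed for illustration; the checks it performs (payee with no HR record, payee whose HR status is not active, name mismatch, and several payees sharing one bank account, which is how an attacker collects all the ghost salaries) are the ones that catch the incremental "add one more ghost" pattern described above.

```python
"""Reconcile a payroll run against the HR master file to surface possible
ghost employees. Added example with constructed data; not from the article."""
from collections import defaultdict

# Constructed HR master file: employee_id -> (name, employment status).
HR_MASTER = {
    "E1001": ("Ana Ruiz", "active"),
    "E1002": ("Ben Osei", "active"),
    "E1003": ("Chloe Dubois", "terminated"),
}

# Constructed payroll run: one record per payee. The last three records show
# the pattern to catch: a terminated employee still being paid, and two IDs
# unknown to HR, all routed to the same bank account.
PAYROLL = [
    {"employee_id": "E1001", "name": "Ana Ruiz", "account": "BE71096123456769", "amount": 4200.0},
    {"employee_id": "E1002", "name": "Ben Osei", "account": "BE68539007547034", "amount": 3900.0},
    {"employee_id": "E1003", "name": "Chloe Dubois", "account": "NL91ABNA0417164300", "amount": 3900.0},
    {"employee_id": "E1017", "name": "Dirk Vos", "account": "NL91ABNA0417164300", "amount": 3900.0},
    {"employee_id": "E1018", "name": "Eva Lund", "account": "NL91ABNA0417164300", "amount": 3900.0},
]


def find_ghosts(hr_master, payroll):
    """Return {employee_id: [reasons]} for every payee that fails a check."""
    findings = defaultdict(list)

    # Index payees by bank account so shared accounts can be spotted.
    payees_by_account = defaultdict(list)
    for rec in payroll:
        payees_by_account[rec["account"]].append(rec["employee_id"])

    for rec in payroll:
        eid = rec["employee_id"]
        hr = hr_master.get(eid)
        if hr is None:
            findings[eid].append("no HR record")
        else:
            name, status = hr
            if status != "active":
                findings[eid].append(f"HR status is {status}")
            elif name != rec["name"]:
                findings[eid].append("name differs from HR record")

        others = len(payees_by_account[rec["account"]]) - 1
        if others > 0:
            findings[eid].append(f"bank account shared with {others} other payee(s)")

    return dict(findings)


if __name__ == "__main__":
    for eid, reasons in find_ghosts(HR_MASTER, PAYROLL).items():
        print(eid, "->", "; ".join(reasons))
```

Run after every payroll cycle, not only when an investigation starts: the criminals in the text add ghosts one at a time, so the first unknown ID is the cheapest one to catch.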
The Transport Compromise
As in the Antwerp attack, criminals who learn the logistics of a company can manipulate them. Trucks, seemingly from the compromised company but controlled by the criminals, may show up at a time arranged by the criminals to pick up goods. The goods could be sold on public or nefarious websites. However, most such transport compromises move drugs through the system. After all, that’s where the big profits lie.
Compromised Money Transfers
This is probably the most common way that companies lose money. The criminals pose as someone in a position of authority and, through a legitimate looking email or text message, tell someone in charge of payments to transfer money to a new vendor for certain services. This is what is commonly referred to as a business email compromise (BEC) attack, and they are increasing at an alarming rate, as can be seen in the attacks Trend Micro has uncovered during the past year (see graph below).
More sophisticated breaches involve a man-in-the-middle position set up inside the corporate network that silently redirects transfers into the criminals' accounts, often without the need for an initial spear phishing email.
Such attacks should not be taken lightly. According to a report by the Australian Competition and Consumer Commission, 63% of all complaints they receive are related to BEC scams. Last July, the F.B.I. estimated that the annual loss to such scams around the globe amounted to $12 billion.
Financial Institution Compromise
The biggest BPC attack to date was the attack on the Bangladesh Central Bank, where the attackers, possibly from North Korea, manipulated the SWIFT transfer system to make off with $81 million. Obviously, banks are major targets for such attacks, but when the attackers succeed, no one but the bank and the hackers will probably ever know about it. This is because banks operate on trust, and such hacks aren't going to contribute much to that.
Cyber attacks that attempt to manipulate stock prices, such as the one that took place in 2010, also belong under this heading. Another attack, reported in 2017, breached the SEC itself. According to SEC Chairman Jay Clayton, the hack "may have provided the basis for illicit gain through trading." No details were ever given except for the fact that the SEC had been repeatedly warned of vulnerabilities in its systems.
What can you do?
Here’s a chart from Agari that shows the main attack profile for these compromises.
It is clear that the main vulnerability appears to be from phishing emails that pretend to come from a real authority, either by the hackers having taken over the actual authority's email account or by using a similar-looking account address. The only good way to avoid such an attack is to institute a corporate policy that all transfers to new accounts over a certain amount must be double checked with the person making the transfer request. The confirmation should be done either in person or, at the very least, by phone, using a number already on file for that person or vendor, never one supplied in the email itself.
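The policy above can be enforced in the payment system rather than left to whoever happens to be processing the request. The following is an added example, not code from the article or from any product it mentions; the vendor master file, the threshold and the requests are constructed. It goes slightly further than the text's "new accounts over a certain amount": any new or changed beneficiary account triggers the callback regardless of amount (attackers split payments to stay under thresholds), as does any amount at or above the threshold. The security-relevant detail is that the callback number it returns always comes from the vendor master, never from the request, since whoever wrote a fraudulent request also chose the number printed in it.

```python
"""Decide whether a payment request needs out-of-band confirmation before
execution. Added example with constructed data; not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    account: str          # beneficiary account stated in the request
    amount: float
    callback_phone: str   # number supplied in the request itself (untrusted)


# Constructed vendor master: the system of record for bank details and for the
# phone number that was verified when the vendor was onboarded.
VENDOR_MASTER = {
    "Acme Logistics": {"account": "BE71096123456769", "phone": "+32 3 555 0100"},
    "Harbor Tools": {"account": "NL91ABNA0417164300", "phone": "+31 10 555 0199"},
}

THRESHOLD = 10_000.0   # assumed policy threshold, set by the finance team


def verification_decision(req, master=VENDOR_MASTER, threshold=THRESHOLD):
    """Return (needs_callback, reasons, phone_to_call).

    phone_to_call is the number on file for the vendor (None for an unknown
    vendor); the number in the request is only ever compared, never dialled.
    """
    reasons = []
    on_file = master.get(req.vendor)

    if on_file is None:
        reasons.append("vendor not in master file")
    elif on_file["account"] != req.account:
        reasons.append("beneficiary account differs from account on file")

    if req.amount >= threshold:
        reasons.append(f"amount {req.amount:.2f} at or above threshold {threshold:.2f}")

    # A request that carries its own callback number which does not match the
    # onboarding record is a classic BEC tell: the attacker answers that phone.
    if on_file is not None and req.callback_phone and req.callback_phone != on_file["phone"]:
        reasons.append("callback number in request differs from number on file")

    phone_to_call = on_file["phone"] if on_file is not None else None
    return bool(reasons), reasons, phone_to_call


if __name__ == "__main__":
    demo = PaymentRequest("Acme Logistics", "GB29NWBK60161331926819", 5000.0, "+32 3 555 0999")
    print(verification_decision(demo))
```

A request that fails the check should be parked, not rejected outright: the goal is to force the phone call to the number on file, where a legitimate change of bank details is confirmed in a minute and a fraudulent one is caught.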
If the request from an authority is to update an existing app or download an attachment, this, too, should be checked with the sender before taking any action. Attachments may often appear with valid names. Links appearing in emails may say they will lead you to a valid page, but always hover your cursor over the link to reveal its destination. If it does not seem valid, simply don't go there. If you click on the link, check the URL of the page you arrive at, especially if you find yourself at a login page or a form that needs to be filled out.
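Both of the checks a user is asked to make by eye above (is the sender's domain really ours, and does the link's text match where it actually goes?) can be done mechanically at the mail gateway or in a triage script. The following is an added example, not code from the article or any product it mentions. The trusted domain list and the sample message are constructed; the lookalike test folds common character substitutions (rn for m, 0 for o, 1 for l) and also accepts a small edit distance, and the link test only flags anchors whose visible text names a host, since "click here" text is not a mismatch, merely uninformative.

```python
"""Flag lookalike sender domains and links whose visible text names a
different host than the real target. Added example; all data constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"portofexample.com", "exampleshipping.com"}  # constructed


def _fold(domain):
    """Normalise substitutions attackers use to imitate a domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unrelated'."""
    d = domain.lower()
    if d in trusted:
        return "trusted"
    for t in trusted:
        if _fold(d) == _fold(t) or _edit_distance(d, t) <= 2:
            return "lookalike"
    return "unrelated"


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, real host) for links whose text names another host."""
    parser = _LinkParser()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != real_host:
            out.append((text, real_host))
    return out


# Constructed phishing message in the style discussed in the text.
SAMPLE = """\
From: "Port Operations" <ops@port0fexarnple.com>
To: payments@exampleshipping.com
Subject: Updated bank details - urgent
Content-Type: text/html; charset=utf-8

<p>Please update the beneficiary account before today's run.</p>
<a href="https://portofexample.com.invoices-update.net/login">https://portofexample.com/invoices</a>
<a href="https://exampleshipping.com/policy">company policy</a>
"""


def analyze(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain
    return {
        "sender_domain": sender_domain,
        "sender_class": classify_sender_domain(sender_domain),
        "mismatched_links": mismatched_links(msg.get_content()),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The edit-distance bound is deliberately small; widening it on short domains produces false positives, whereas the substitution folding is cheap and rarely wrong. A sender that classifies as "lookalike" is a stronger signal than one that is "unrelated", because it shows intent to impersonate rather than a stray mail.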
If, in the worst case, the malware happens to get installed, it then becomes a problem for the IT department. They may get lucky and find unusual behavior showing up in their logs. But, in many cases, nothing unusual will be seen. BPC attackers may get onto a network and do nothing but observe for months or even years while they work on understanding the mechanisms of the business. The attack will begin only when they have a complete grasp of the system and its vulnerabilities. The criminals will do all they can to conceal their activities, which is why it takes so long for them to be discovered. Besides, Trend Micro found that half of companies don't look for such attacks, even though 43% of companies surveyed claimed that they had been victimized.
The BPC hack is a sophisticated hack which requires money and expertise. Organized crime has the money to hire the expertise, which is why organized crime rings are behind most attacks. The graph below from a recent report shows the extent of the problem.
The sad truth is that organized crime can pay more for good cyber skills than most companies can. The competition is one-sided. They will also not hesitate to pay an important employee for help, making corporations doubly vulnerable from outside and inside threats. Keep in mind that nation-states also have the money to organize such attacks, and, although some look for financial gain, most are trying to glean important information.
I realize this paints a grim picture for those trying to protect their enterprises from breaches. Most companies and organizations simply can’t compete with the hackers behind these attacks. If a breach actually occurs, the F.B.I. suggests you work with them. This seems reasonable as they may be the only ones who can neutralize the attacker’s firepower. Sure, no one wants to admit they have been compromised because it makes customers, potential customers, and contractors worry about their own safety. Yes, hacks do affect business. However, not reporting such breaches just makes the threat landscape worse for everyone. The F.B.I. has a form enterprises can use to get their help. Use it.