Government-sponsored cybercriminals are using hacking techniques to steal commercial secrets from businesses, KPMG has warned.
Confidential information, including product designs and bid documents, is at risk from states seeking to win economic advantage, said KPMG partner Steve Bonner in an interview with Computer Weekly.
“They will target high-tech designs, computer code, anyone involved in mergers and acquisitions, and anyone involved in bidding,” he said.
Stuxnet, the worm believed to have been developed by the US and Israel to disable Iran’s nuclear research programme, has prompted state-sponsored hacking programmes in many countries.
“There is no doubt that Stuxnet has led to a growth in state-sponsored espionage. Governments are asking why don’t we have a capability like this,” said Bonner.
Government-sponsored groups frequently use hacking tools to monitor dissidents abroad, said Bonner, who formerly led the information risk management team at Barclays.
“If they are giving a public speech, they will target the location to find out what is happening, who is attending, and what the speech is likely to be about,” he said.
Businesses now recognise that government-backed cybercrime and organised crime are so sophisticated that it is impossible to prevent systems being attacked.
“There is much more focus on improving your detection capabilities, to get better at responding, while making systems harder to attack,” said Bonner.
By responding quickly, companies can minimise the damage from electronic espionage, for example by changing product designs, so it becomes clear which products are genuine, or by changing details of a bid, he said.
“I don’t think we should all give up and think it’s futile to defend against cybercrime. You have to spend more effort, spend more time, and reduce the value of what’s taken,” said Bonner.
The hacktivist challenge
Meanwhile, hacktivist groups, such as Anonymous and LulzSec, acting on political motives, are presenting a new challenge to businesses.
Unlike state-sponsored groups, or organised criminals, who operate behind the scenes, hacktivists do not shy away from publicity.
They use techniques such as denial-of-service to disrupt businesses, and will frequently post company secrets on the internet.
“Criminals will hide their tracks and disguise themselves, but hacktivists will stand up proudly and say hacking was an important part of their protest, rather than a criminal act,” said Bonner.
Environmental groups, for example, have targeted oil and gas companies with both legitimate protests and illegal hacking.
Protest groups often use social media, such as Twitter, to co-ordinate attacks and to vote for which organisations to attack.
For some organisations, just being on the voting list means they have to respond. Even if they never get to the top of the list, they still experience expense and inconvenience, he said.
In many cases, hacktivists don’t target a company directly. Often they will target a recruitment site or a marketing site that is hosted externally, but features the company brand.
These systems can be easily overlooked by companies, which are more focused on protecting their online money transfer systems from organised criminal hackers.
Companies are responding by monitoring public postings for intelligence about likely targets that they can use to pre-empt any attacks.
Industry and government groups are also swapping information between companies in the same industry.
“We have done several scenario-based exercises, working with organisations to understand their environment and structure, coming up with different kinds of attacks,” said Bonner.