Microsoft Office 365 heist highlights sophistication of cultural engineering cyber attacks

Cybersecurity

Private equity groups using cloud environments to improve their remote working capabilities under the Covid-19 lockdown need to be as vigilant as ever when it comes to cybersecurity. 

Covid-19 has presented an opportunity for hackers to construct scam websites related to Covid-19 financial incentives or relief packages, designed to trick people into clicking on links. These malicious domains are designed to steal personal information or unleash malware. According to Check Point Research, a total of 2,081 Covid-19-related domains were registered in March, of which 38 were malicious and 583 were suspicious.

On top of this, Check Point says it saw a huge spike in the number of coronavirus-related attacks through March and early April, a sixfold rise to an average of 14,000 a day; it further notes that this figure rose to 20,000 during the week of 7 April.

These figures are worth highlighting because they point to the level of sophistication among cyber attackers, who are happy to play the long game when it comes to carrying out fraudulent wire transfers.

As Forbes reported on 23 April, Check Point’s Incident Response Team investigated a sophisticated Business Email Compromise (BEC) attack at the end of 2019 involving three finance sector firms. In total, four bank transactions totalling GBP1.1 million were intercepted by a group Check Point refers to as “The Florentine Banker”. While half of the money was recovered, the rest was permanently lost. The attack took place within Microsoft Office 365.

The phishing email scam began by infiltrating the firms’ email accounts and observing email activity to understand the different channels used to conduct money transfers. Next, any interesting emails were diverted into a folder monitored by the threat group, after which a series of lookalike domains were registered to monitor email activity between the entities involved.

Emails were then sent from these lookalike domains, according to Check Point, and once the attackers had learned how money transfers were executed, they used the lookalike domains to instruct new money transfers. This resulted in three successful fraudulent wire transfers totalling GBP600K. 
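As an added illustration (not part of the article or of Check Point’s report), here are two defender-side checks aimed at the steps just described: spotting sender domains that imitate a known counterparty, and auditing mailbox rules that quietly divert finance-related mail into a folder or forward it outside the firm. The firm domain, counterparty domains, keyword list and rule shape are constructed assumptions, not an Office 365 schema.

```python
from difflib import SequenceMatcher
# Constructed sample data (assumptions, not from the article): the firm's own domain
# and the counterparties it legitimately exchanges payment instructions with.
ORG_DOMAIN = "pefirm.example"
TRUSTED_DOMAINS = {"example-bank.com", "acme-capital.co.uk", "lpfund.com"}
FINANCE_TERMS = ("invoice", "wire", "payment", "transfer", "bank", "remittance")
# Fold common look-alike characters so "exarnple-bank" compares as "example-bank".
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def _name_part(domain: str) -> str:
    """Lower-case, keep the label before the first dot, fold look-alike glyphs."""
    name = domain.lower().strip().split(".")[0]
    for glyph, real in _HOMOGLYPHS:
        name = name.replace(glyph, real)
    return name

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if the sender
    is either genuinely trusted or simply unrelated."""
    domain = domain.lower().strip()
    if domain in trusted:
        return None
    cand = _name_part(domain)
    for good in trusted:
        ref = _name_part(good)
        # same name under another TLD, the brand embedded in a longer label,
        # or a spelling within a character or two of the real one
        if cand == ref or ref in cand or SequenceMatcher(None, cand, ref).ratio() >= 0.85:
            return good
    return None

def suspicious_rules(rules):
    """Flag mailbox rules that divert finance-related mail into a folder or forward
    mail outside the firm. The rule shape is an assumption for this example:
    {"name", "keywords": [...], "action": "move"|"delete"|"forward", "target"}."""
    flagged = []
    for rule in rules:
        finance_hit = any(k.lower() in FINANCE_TERMS for k in rule.get("keywords", []))
        diverts = rule["action"] in ("move", "delete")
        forwards_out = rule["action"] == "forward" and not rule["target"].endswith("@" + ORG_DOMAIN)
        if (finance_hit and diverts) or forwards_out:
            flagged.append(rule["name"])
    return flagged

SAMPLE_RULES = [  # constructed; the second mirrors the "monitored folder" step above
    {"name": "Newsletters", "keywords": ["newsletter"], "action": "move", "target": "Reading"},
    {"name": "Finance ops", "keywords": ["wire", "invoice"], "action": "move", "target": "RSS Feeds"},
    {"name": "Backup", "keywords": [], "action": "forward", "target": "ops@mail-archive.example"},
]
```

Both checks are heuristics: the glyph folding and similarity threshold will occasionally flag an unrelated domain, so the output is a triage list for an analyst, not an automatic block.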

This story is a perfect example of attacks that pervade the market below the enterprise level and tend to remain quiet. 

It also illustrates a newer method of targeting firms called cultural engineering.

“Targeting PE firms and other alternative asset firms is nothing new,” comments Alex Jinivizian, VP, Strategy at eSentire, a leading cybersecurity firm that invented the Managed Detection and Response (MDR) category, a modern form of managed security.

“Industry regulators have clamped down on false redemptions (wire transfers made on behalf of investors), but are perplexed by attacks that use long-play investment in attacking a firm to abscond with much larger sums of money. 

“The reality is that these types of ‘Ocean’s 11’ scams are the new norm. They are hard to discern from legitimate traffic, use the victim’s own defences against them, and pay off big dividends. It’s the financial equivalent of going long on an investment. Criminals have learned from the best: their victims.”

Cybersecurity is all about risk. But how does one minimise the cost of a risk? There are some stark data around this. According to the IBM Ponemon report, the average cost of a data breach in the UK is GBP2.7 million, and the mean time to identify and contain a breach is over 200 days.

It is well known that once an attacker is inside a network, they will typically be able to extract data within 24 hours.

The big question for PE groups today, especially amidst the chaos caused by Covid-19, is how best to respond to a compromise once it has been identified; it’s not a case of if but when it happens. 

By using proprietary machine learning techniques, eSentire’s MDR solution and its team of analysts in eSentire’s Security Operations Center (SOC) focus on the most elusive threats and seek to contain them before a breach has occurred, preventing business disruption.

At eSentire, the team uses automation and machine learning to filter out signals/alerts it has seen before (over its 19-year history). This allows its security analysts to focus on identifying only those threats that could be the most damaging to a client. 

“For every 1,000 events that come into our SOC, we only investigate one. We’ve applied so much filtering to things we’ve seen before through blacklists, whitelists, but we have to be careful as to when is the right time to take down a client’s systems to investigate,” says Jinivizian.

Detecting an attack and stopping the threat actors from stealing proprietary information, or indeed finances, is an ongoing arms race, and cultural engineering is the latest iteration: a step up from the social engineering attacks we’ve all heard about in recent years.

Cultural engineering demonstrates an insider’s knowledge of the industry: authority chains, ecosystem players, and influencers. The aim, as highlighted above in the Microsoft 365 attack, is to pretend to be a part of the organisational culture: a part of the ecosystem, as it were. 

The threat landscape will continue to evolve. And with PE groups undergoing varying levels of digital transformation, there will need to be an even more forensic approach to data security in the years ahead, especially as cloud-based environments become more popular among global deal teams.

As the Microsoft heist serves to demonstrate, even the most secure platforms are a target for hackers.

Author Profile
James Williams, Editor-in-Chief