YOUNGSTOWN, Ohio – Cyber crimes are often committed by organized criminal enterprises that operate similarly to the companies they target.
The stereotype of the lone wolf hacker in a dark room is far from the reality of “threat actors,” says Craig Horbus, partner at Brouse McDowell in Akron.
“Threat actors these days are not little Johnny sitting in Grandma’s basement,” he says. “Hacking businesses try to get paid. It’s a very sophisticated, organized criminal enterprise.”
Threat actor is the term experts and law enforcement use for an entity responsible for a cybersecurity incident. They are referred to as “actors” because it is a neutral term that avoids labeling them as an individual, group, or collection of more than one group. The term also does not ascribe a motivation to the actor, such as crime or espionage, according to Digital Hands, a security service provider.
Horbus says his law firm and the FBI, the agency responsible for investigating cybercrimes, are usually familiar with the threat actor they’re looking for. Most organizations are repeat offenders and leave a digital footprint. “Unless it’s a new variant and a new organization, we have quite a bit of intel as it relates to both the organization and whatever the current variant is,” Horbus says. “They leave pieces of information on the system that we can pull from.”
Many threat actors operate out of Russia and China, Horbus says, and some have organizations with close to 200 employees. Taking down such a large operation is a costly and daunting task and is often a losing battle.
“The problem is that those people just go across the street and set up shop again the next day. So it’s a never-ending battle,” Horbus says. “Most of the criminal aspects of this are happening not within the United States. There would be a lot more ability to prosecute and take these guys down if they were operating within the U.S. So it makes things very challenging.”
FBI Acting Special Agent in Charge Philip E. Frigm Jr. says investigation into cyber crimes is driven entirely by circumstance and the individual incident.
“If we take the case, then yeah, it’s our goal to figure out who did it, why they did it, how they did it, and ultimately get some kind of justice,” Frigm says.
The FBI, he says, uses various techniques including the legal process, surveillance and other activities that provide agents with information about such individuals and how they accomplished their tasks.
Variants are different types of ransomware, which Horbus says is the most common attack and the No. 1 threat to businesses. Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Threat actors use ransomware to extort money from victims by holding the system for ransom.
Ransomware is a growing, evolving threat to businesses, Frigm says. Larger businesses involved in critical infrastructure, such as hospitals and schools, are common targets.
“We’re seeing them more and more targeted by ransomware because, to be blunt, they’re often willing to pay higher amounts,” Frigm says.
Horbus says that the most common remediation is to pay the ransom. “The problem is that 90% of the cases that we run into – the companies are compromised; the backups are compromised,” he says. “They don’t have incident response plans or preventive documentation in place. … They’re in trouble and they’re looking for the quickest and most economical way out of the situation.”
Smaller companies often fall victim to business email compromise, which the FBI defines as a scam targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments.
Frigm says a business email compromise happens when “bad actors obtain access to information about a company by either hacking into the email server or by spoofing the email and making it look like some desperate reason to send money.” Sometimes, he says, the actors pose as customers or as a company collecting a bill. The employee is quick to “solve the problem” and wires the money to what turns out to be a fraudulent account.
“These schemes are relatively impactful because they represent potential significant operational and monetary loss risk,” Frigm says. “The company is inspired to actually act on them in a way that is counter to the otherwise good business practices the company might have.”
According to the FBI’s 2021 Internet Crime Report, American businesses lost a total of over $2 billion in business email compromise crimes. Businesses lost over $49 million to ransomware attacks. Ohio ranks seventh for highest number of victims per state with 17,510 last year. The state also had a total loss of $133.7 million resulting from cybercrimes.
Pandemic and Cybersecurity
The accelerated switch to online services and remote work left companies with weak spots in their networks, Frigm and Horbus say. Company and customer information went from being centralized in one location to the in-home offices of 250 employees. Having those 250 employees connected to the internet creates a “spiderweb” and 250 digital doors.
“All it takes is one of those 250 employees to be careless in logging on to a compromised Wi-Fi signal that’s in a coffee shop where a bad actor is monitoring it and pulling credentials,” Horbus says.
The pandemic created an uptick in insider threats, he adds, and bribery is becoming far more prevalent. Threat actors prey on victims of the economic fallout of the pandemic and bribe them with money in exchange for credentials. He expects there to be more incidents as inflation continues to put pressure on American consumers.
“That low level employee is being tempted by these threat actors that are saying, ‘We’ll send you $50,000 or $100,000 if you get us some credentials,’” he says. “We’re seeing a bigger spike in that and it’s just going to get worse.”
Frigm says there is a correlation between the pandemic and cyberattacks, but not causation. He says systems that are put together in a rapid way have a “greater propensity for there to be some type of vulnerability.”
Companies had to quickly adjust to the way business was being conducted. Vulnerabilities, Frigm says, were inevitable.
The amount of money businesses lost because of malware, scareware and viruses tripled in 2020 from 2019, according to the FBI Internet Crime Report. Pre-pandemic, businesses lost a total of $2 million. In 2020, American businesses lost $6.9 million. Victim loss from ransomware attacks also skyrocketed, to $29 million in 2020 from $8.9 million in 2019. It continued to climb into 2021 and totaled $49.2 million.
‘Cyber Risk Is Business Risk’
Frigm says the FBI has a mantra for cybersecurity: “Cyber risk is business risk. And cybersecurity is national security. Report the breach.” He wants to instill that saying in the business community to emphasize the importance of a solid cybersecurity plan, he says.
“Companies are very good historically at looking at business risk. Things like supply chain and transportation and logistics and human capital staffing,” Frigm says. “What we’re starting to see slowly trickling into the business community is the assumption of cyber risk within that bigger context of business risk.”
Frigm says a business falling victim to a cybercrime isn’t hypothetical; it’s inevitable. The best approach, he advises, is to prepare for the unthinkable and establish a relationship with law enforcement, such as the FBI field office or police, before an incident. He also recommends connecting with organizations like InfraGard. InfraGard is a nonprofit organization that serves as a public-private partnership between U.S. businesses and the FBI.
“It’s critical that companies engage in a relationship with law enforcement when they’re doing their planning for cybersecurity,” Frigm says. “If you have that point of contact, you can reach out to, you can get assistance much more quickly.”
Horbus suggests that companies look seriously at their policies and procedures. “Pen tests,” he says, are an effective way to test company cybersecurity. A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate its security. He says the test can identify holes that can then be patched.
The best outcome of a ransom attack, he says, is being able to “tell the guys to go pound salt because you have good backups and preventive measures in place.”