A hacking and cyberespionage group is currently targeting industrial control systems at energy companies. According to a survey by Symantec they have broken into 27 corporate networks so far. The Dragonfly group, also known as Energetic Bear is using spear phishing campaigns and malware-infected websites to collect credentials for corporate networks. Dragonfly has been active since at least 2011 and was exposed by security analysts in 2014. Afterwards, the group seemed to go underground and has only recently emerged again in the public eye. Symantec researchers refer to the current attacks as “Dragonfly 2.0” because they replicate many aspects of the previous attacks. The attacks target industrial control systems (ICS) which belong to companies that operate pipelines, generate electricity, and other energy-related companies. The Dragongly group appears to be particularly active in Switzerland, Turkey and North America.
Sometimes it’s hard to believe the stories we read. In the case of CEO fraud incidents, cybercriminals earn double-digit sums in the millions by persuading employees that they are acting on behalf of the CEO or another senior manager. Employees then transfer the required amount to an alleged account of a partner or supplier, based only on an e-mail or telephone request without seeking reassurance. CEO fraud follows a similar method to telephone cons targeting the elderly but causes significantly higher financial damage. In mid-2016, an international network was unraveled which was alleged to have earned USD 60 million through the cybercriminal methods of Business Email Compromise (BEC) and CEO fraud. Similar attacks are now occurring on a daily basis in Germany, with similar dramatic consequences.
Smartphones are part of everyday life, either for private or professional use. However, while many users have taken basic measures to protect their desktop PC or laptop, this is not the case for mobile devices. A study by Consumerreports.org showed that in 2014 one third of all American smartphones did not have a single security measure, neither a PIN code, nor anti-virus software, let alone encryption. This may look different for professional and enterprise managed devices, but many use their personal mobile device at least partly for professional purposes. This means that links, files, photos, contacts and other internal company data are stored on personal smartphones. This makes easy pickings for a thief or digital attacker.
When WannaCry dominated the headlines, manufacturers fell over one another to make a statement. On the whole, the comments can be divided into two groups. Some reminded customers that not patching software is negligent and others claimed that it simply would not have happened with their software/hardware/service. How true is this? One can hardly imagine that organizations such as hospitals or Deutsche Bahn would not have any protection software, employ incompetent administrators, or have not heavily invested in security technology. Security products and services were almost certainly available to the affected organizations; however, they were unable to neutralize this threat.
Data protection is considered important, the Federal Data Protection Act is well established and German companies really should be absolute experts in data protection by now. However, a quick reality check shows that data protection is not quite as advanced as it might seem either due to lack of knowledge or deliberately ignoring data protection and profiting from selling customer data. Some readers may however take comfort that data protection is taken somewhat more seriously in Germany in comparison to the rest of the world where privacy and data protection issues are not even considered by decision and policy makers.