
Virtual Armour
The Growing Trend of “Hacktivism”, & What it Means for Businesses


When most people think of a hacker, they think of a loner hiding in a dark basement, destroying computer systems and other digital resources for personal financial gain, or a sophisticated computer whiz employed by a foreign government up to no good. 

However, in recent years, a growing number of hackers have been putting their skills to use for a different reason: activism. This trend, dubbed “hacktivism”, is on the rise and can have serious consequences for businesses of all sizes in all verticals and industries. 


What is Hacktivism?

Information security researcher Dorothy Denning defines hacktivism as “the marriage of hacking and activism”: more specifically, using computers to achieve a political agenda through legally ambiguous means. As a general rule, hacktivism aims to obstruct normal computer and business activities in some way but, unlike other forms of hacking, does not necessarily aim to cause permanent injury or significant financial loss and is rarely motivated by financial gain. 

Hacktivism Can Be a Force for Good…

When most readers think of hacktivism, they think of large-scale political movements and revolutions such as the Arab Spring, which depended at least in part on technology and hacktivism. 

In 2011, when young protesters took to the streets in cities across the Middle East to rally against oppressive governments, some who had held power for decades, they were emboldened and assisted by technology. In the eyes of some, WikiLeaks and Anonymous played a key role in creating the social conditions that allowed the Arab Spring to happen by posting damning secret government documents online before the protests began. 

A specific example of this hacktivism was the uprising in Tunisia, which was initially largely ignored by the foreign media. When members of Anonymous realized the significance of the uprising, they partnered with Tunisian dissidents to help them share videos of what was really going on on the ground with the outside world. They also created a “care packet” (available in English, Arabic, and French) that offered dissidents advice on how to conceal their identities on the internet to avoid detection by the former Tunisian regime’s cyberpolice.

Though most believe the Arab Spring to be a positive and necessary step, the hacktivism that accompanied it, particularly the act of disclosing confidential documents and personnel files indiscriminately, could endanger lives. Anonymous and similar hacktivist organizations do not always carefully vet what information they release, which could inadvertently expose innocent individuals to cybersecurity threats.

… But it Frequently Harms Innocent Organizations & Individuals

The goal of most hacktivists is to draw attention to a particular cause using virtual political activism. This can be a noble goal, as demonstrated during the Tunisian uprising, but not all hacktivists are so altruistic. Unfortunately, many hacktivists are also not particularly concerned about avoiding collateral damage while carrying out their activist activities, and innocent parties can be caught in the crossfire. 

For example, while protesting the recent police actions on the Bay Area Rapid Transit (BART) system in San Francisco, a hacktivist posted the full names, addresses, and cell phone numbers of over 2,000 MyBART subscribers (ordinary transit users) online, increasing their chances of being targeted by identity thieves and other criminals. 

In a recent article by PC World, a former member of Anonymous called “SparkyBlaze” admitted that he was “fed up with [Anonymous] putting people’s data online and then claiming to be the big heroes.” He also stated that “Getting files and giving them to WikiLeaks, that sort of thing does hurt governments. But putting user names and passwords on a Pastebin doesn’t [affect governments], and posting the info of the people you fight for is just wrong.”

While some hacktivist organizations, like other activist organizations, might be doing real good, too many are using the guise of activism to cause significant harm to innocent organizations and individuals. 

As one article published in the Journal of Human Rights Practice puts it, unlike more familiar forms of activism, hacktivism can often be anonymous, allowing it to operate with a kind of impunity afforded by technology. As such, hacktivists are accountable to no one, not even the organizations, groups, and individuals they aim to help, which is deeply problematic.

Many hacktivist organizations, including Anonymous and WikiLeaks, engage in highly questionable activities, which they are able to do because of the anonymous nature of hacktivism. Since there is no way to hold individuals accountable, they are incredibly dangerous, both for the problematic organizations and governments they target and for the rest of us. 


A Brief History of Hacktivism: Six Infamous Events

While hacking has been around since the 1950s, hacktivism as a concept didn’t really emerge until 1989, when the first “hacktivist” action (referred to as Worms Against Nuclear Killers) took place. 

Worms Against Nuclear Killers (1989)

The 1989 attack, which many believe to be the work of Melbourne-based hackers “Electron” and “Phoenix”, used a malware worm to infiltrate computers at both NASA and the US Energy Department. The worm altered the login screen of infected computers to display the message “Worms Against Nuclear Killers” and was fueled by rising anti-nuclear sentiment. A second worm, called OILZ, was also deployed and contained bugs designed to prevent access to accounts and files by changing passwords. The goal of this attack was to attempt to shut down the DECnet computer network in the days before a NASA launch, causing disruption and costing roughly half a million dollars in damages and lost time.

Hacktivism has only grown in both scope and influence. Other influential campaigns include:

Hacktivismo Declaration (2001)

Hacktivismo, an offshoot of the hacker group Cult of the Dead Cow (cDc), emerged when it released a declaration that aimed to elevate freedom of speech. During this event, the group explicitly attempted both to engage in civil disobedience and to explain the reasoning behind its actions. 

The declaration released by Hacktivismo cited two United Nations documents, the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights, and included an FAQ that stated that the main purpose of their actions was to “cite some internationally recognized documents that equate access of information with human and political rights”.

With this declaration, the group aimed to create both moral and legal grounds for future hacktivists to launch their campaigns. The group went on to release a web browser, called Peekabooty, that prevents censorship from nation-states that deny or restrict internet access. 

Project Chanology (2008)

When a video of actor Tom Cruise voicing his affiliation with the Church of Scientology appeared on YouTube, the church forced the video hosting platform to remove it. In response to the censorship, Anonymous launched a DDoS (Distributed Denial of Service) attack against the Church of Scientology website, which was also defaced. A series of prank calls and black faxes followed the DDoS attack, and Anonymous also distributed private church documents stolen from Scientology computers during a doxxing attack.

The hacktivist actions were also paired with in-person protests across the country, where protesters donned the now infamous Guy Fawkes masks associated with Anonymous.

US Executive Branch Attack (2013)

Believed to be associated with Syrian President Bashar al-Assad, the Syrian Electronic Army (SEA) has carried out a number of attacks using both spear-phishing and DDoS attacks designed to compromise and deface government, media, and privately held organizational websites. 

The group successfully released a fake tweet claiming that an explosion at the White House had injured the President. After the tweet went live, the Dow briefly plunged 140 points. In 2016, the FBI charged two SEA-affiliated individuals with the attack.

Clinton Emails Leak (2016)

This attack, a joint venture between WikiLeaks and Russia’s foreign military intelligence directorate Glavnoye Razvedyvatel’noye Upravleniye (GRU), focused on emails between then-presidential candidate Hillary Clinton and her campaign manager. The emails were illegally obtained by the GRU and released by WikiLeaks, and the goal was to discredit Ms. Clinton in order to further the campaign of her opponent Donald Trump.

Hackers used spear-phishing emails to steal credentials from DNC members and gain unauthorized access to the emails. The campaign significantly impacted the Clinton campaign and may have contributed to her loss. Following the leak, the US Department of Justice indicted 12 Russian hackers for the incident.

Black Lives Matter Movement (2020)

While the BLM (Black Lives Matter) movement reaches beyond the realm of hacktivism, the group Anonymous did throw their weight behind this movement protesting police corruption following the death of George Floyd. The group had also voiced similar condemnations in the past following the murders of Michael Brown and 12-year-old Tamir Rice.

In support of the social-justice-focused BLM movement, Anonymous released a video on Twitter that specifically criticized the Minneapolis police department in the wake of the shooting. As a result of the video, Anonymous’ Twitter account gained 3.5 million new followers in the following days, and the campaign has been linked to a series of DDoS attacks that briefly shut down the Minneapolis police department website, its parent website, and the Buffalo, New York government website over the course of a single weekend.

How Hacktivism Harms Businesses

While some hacktivist activities, such as creating open-source software that allows people in China to circumvent government censorship, are arguably good, we have seen that hacktivism also has a dark side. 

Hackers of all stripes, including some hacktivists, often use open-source hacking tools to penetrate networks with the goal of paralyzing or destroying legitimate businesses. This can be done for a variety of reasons, including retaliatory action in the case of George Hotz.

Sony vs Hotz

In 2010, then-teenage researcher George Hotz (now President at was able to reverse-engineer the Sony private key and published it online. This allowed almost anyone with an internet connection to rewrite Sony’s firmware and classify themselves as a developer on the Sony network, gaining free access to all of Sony’s online games. This action adheres to the philosophy that many hacktivists and other hackers share, which deems that all information, even proprietary information, should be free. 

In response to his actions, Sony sued Hotz, which attracted the attention of hacktivists. The company was targeted by several DDoS attacks and a data breach, which exposed the credit card numbers of 12 million innocent customers, as well as 75,000 “music codes” and 3.5 million “music coupons”, resulting in massive financial losses for the company. All in all, Sony estimates they lost about $173 million, including the cost of increased customer support, incentives to woo customers back, legal costs, loss of sales, and the costs to improve their cybersecurity systems. 

Ultimately, regardless of the goal of the hacktivist organization, gaining unauthorized access to a company’s network or other digital assets is wrong, and companies need to take steps to ensure their cybersecurity posture is robust enough to thwart attacks and avoid or at least minimize damage. 

Is your organization prepared? For more information, or to start crafting your incident response plan, please contact our team today.

Suggested Reading

Cybersecurity is complicated, and the field continues to evolve in response to new threats, so keeping up to date is critical for safeguarding your organization and its digital assets. To help you expand your knowledge and stay up to date, please consider visiting our blog and reviewing these suggested educational articles and resources.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

What is Cybersecurity Insurance (& Does Your Business Need It?)


An unfortunate reality of the modern, connected business world is that it is no longer a question of if your organization will experience a cybersecurity incident, but when. In 2020, there was one new ransomware victim every ten seconds, while the average cost of a data breach the same year was $3.86 million.

Those eye-watering numbers have many organizations, of all sizes and in all verticals, justifiably concerned. Improving your cybersecurity posture and ensuring you have an effective incident response plan in place can significantly reduce the amount of downtime your organization experiences should an incident occur, as well as minimize or even eliminate damages. However, to help offset the costs associated with cybersecurity incident recovery, more organizations than ever before are turning to cybersecurity insurance.


What is Cybersecurity Insurance?

Cybersecurity insurance (also called cyber liability insurance) is designed to cover the costs associated with cybercrime should your technological systems or customer data be targeted as part of a cybersecurity incident. While your exact coverage will vary depending on your insurance provider and other factors, cyber liability insurance typically covers legal costs and damages such as:

Cyber Liability Insurance vs Cybercrime Insurance: What is the Difference?

Some insurance providers also offer cybercrime insurance in addition to cyber liability insurance. This additional insurance is designed to help compensate your organization for funds lost during a cybersecurity incident such as a hack or social engineering attack, including notification costs, data restoration costs, and associated legal expenses.

What Typically Isn’t Covered

Like all forms of insurance, there are a few things cyber liability insurance typically doesn’t cover. While what is and is not covered will vary depending on your insurance provider and policy, typical exclusions include:

  • Potential future lost profits
  • Loss of value due to intellectual property theft
  • Betterment, which is the cost to improve your internal technology systems, including software or security upgrades, after an attack has occurred

Common Types of Cyber Liability Claims

When it comes to insurance claims, most cyberattacks fall into one of three categories: hacking, social engineering, and malware (including ransomware).

Hacking
Hacking (gaining unauthorized access to a computer system, usually by exploiting existing security vulnerabilities) is the most common type of attack that leads to an insurance claim. This is because if an attacker compromises your system or network, your company could be liable for a wide variety of costs related to the attack, including:

  • Third-party lawsuits
  • The costs associated with notifying affected parties and other stakeholders
  • Public relations and reputation management costs
  • Regulatory fines

Social Engineering

Social engineering attacks (including phishing scams) depend on an attacker tricking someone inside your company into helping them. Attackers trick unknowing individuals with access to your system into essentially opening the door for them, usually by impersonating a trusted individual (such as their boss or another superior or someone from accounting or the bank) and asking them to click a link, hand over their login credentials, or grant access to restricted areas of the network. The employee then unwittingly either lets the attacker into the network or downloads malware, which grants access or otherwise allows the attacker to wreak havoc.

Malware
Malware, short for malicious software, comes in a variety of forms and is an incredibly common type of cyberattack. Malware can be difficult to defend against because every program is different and uses different strategies to infiltrate your network. Ransomware is a very common form of malware designed to hijack your system and lock you and your employees out of the network. The attacker then demands a ransom in exchange for releasing or unlocking the system. However, not all attackers follow through on their end and may simply take the ransom money and leave the network locked.


First-Party vs Third-Party Insurance

What type of cyber liability insurance your organization decides to purchase should be based on a variety of factors, including your needs as an organization and what entities you need to protect. Unfortunately, when it comes to cyberattacks, the business originally targeted is not the only party that may be impacted. As such, there are two different types of cyber liability insurance: first-party and third-party.

First-party insurance protects your company or organization and will cover the costs outlined in your policy associated with an attack. Any organization that handles electronic data should purchase a first-party policy to cover the various expenses that organizations face in the wake of a cybersecurity incident.

Third-party insurance is designed to protect organizations that offer professional services to other businesses that could be impacted in the event of an attack. This type of coverage is often compared to professional liability insurance in the sense that the third-party insurance can help safeguard your business in the event you are sued by another organization for errors you may have made that resulted in damages or losses to the company suing you.

For example, let’s say your organization is a law firm. Your law firm’s data security is compromised, and as a result, several of your clients have accused you of failing to prevent the data breach. In this instance, the third-party cyber-liability insurance would cover your legal fees, government penalties and fines, and any settlements or judgments related to these claims.

What is the Average Cost of Cybersecurity Insurance?

How much your cyber liability insurance plan costs will depend on a variety of factors, including the type of business you run and the level of cyber risk you are exposed to. However, a recent study by AdvisorSmith Solution Inc found that the average cost of a cyber liability policy in 2019 was $1500 per year for $1 million in coverage, as well as a $10,000 deductible.

How much your policy costs will also depend on:

  1. Your size and industry: The more employees you have, the greater your chances of falling for a successful phishing or other social engineering attack, which will drive up your insurance premiums. However, a larger factor is your industry. Different industries are classified as low, medium, or high risk, depending on the type and amount of data your organization stores.
  2. How much data you store, and how sensitive it is: Low-risk organizations, such as small local businesses with limited customer bases, will pay less for their coverage than higher-risk organizations such as retail stores that collect and store customer credit card numbers both in-store and online through their website or eCommerce store. Organizations that store large amounts of highly sensitive personal data (such as social security numbers or dates of birth), such as hospitals or other healthcare facilities, will pay higher premiums.
  3. Your annual revenue: In the eyes of most insurance companies, the more money your business makes, the more likely a cybercriminal will target your organization. As such, organizations with higher revenue streams are more likely to pay higher premiums for cyber liability insurance.
  4. How robust your cybersecurity posture is: Most insurance companies reward organizations that take cybersecurity seriously and dedicate significant resources and people hours to safeguarding their digital assets. To help keep your insurance costs low, all organizations (particularly high-risk ones) should invest in robust cybersecurity measures, have sufficient security measures in place, and ensure their employees receive appropriate cybersecurity training.
  5. The terms of your policy: Your coverage limits and deductible also play a significant role in determining your insurance premiums. The more coverage you want, the higher your monthly insurance premiums will be. Your deductible refers to the amount of loss your business is responsible for in the event of an incident that is covered by your policy. Organizations that opt for a higher deductible (absorbing more of the initial costs themselves) typically pay lower premiums but are on the hook for more of the damages in the event of an incident. On the other hand, organizations that opt for a lower deductible will pay higher monthly premiums but will have more of their losses covered in the event of an incident. Organizations with robust security measures in place may opt for lower premiums and a higher deductible, while high-risk organizations that store lots of sensitive data may opt for higher premiums in exchange for a lower deductible.

Does My Business Need Cybersecurity Insurance?

If your organization handles electronic data, you should have at least a basic cyber liability insurance plan in place. Like all forms of insurance, cyber liability insurance is there to cover worst-case, what-if scenarios.

Handing over funds for cyber liability insurance every month may seem like an unnecessary expense, but a large-scale cybersecurity incident can be enough to bankrupt a small or even medium-sized organization and destroy your reputation. Having access to emergency funds to defray costs such as hiring an expert team to help you fend off an attack in progress and limit damages, replacing damaged equipment, paying fines, covering your legal costs, and managing your reputation after an incident could be the difference between your organization weathering the storm relatively unscathed or folding under the pressure.

Take a Proactive Approach

Investing in a robust yet flexible cybersecurity posture will do more than just help keep your premiums low; it can also help your organization fend off attacks in real-time and limit or even eliminate permanent damage to your infrastructure.

Investments such as employee cybersecurity training (both as ongoing training and part of your employee onboarding process) can also help safeguard your organization by giving your team the tools they need to spot suspicious activities (such as phishing scams) and sound the alarm before any damage can be done.

Selecting the Best Insurance Provider for Your Organization

With cybercrime on the rise, more insurance companies than ever are offering cyber liability insurance. As with any insurance policy, it often pays to shop around. Start by finding out if your existing insurance provider offers cyber liability insurance. If they do, you might be able to negotiate a break on your premiums or a better deductible in light of your existing relationship.

However, it also helps to shop around and see what other providers and policies are available. Since the cost of your insurance plan is typically determined in part by your industry or vertical, it can help to reach out to other organizations like yours for recommendations and advice. You may also want to consider consulting with your MSSP (Managed Security Services Provider) to see if they have any recommendations. MSSPs have extensive cybersecurity experience and work with a variety of organizations, so they may be able to help you determine what sort of policy is best for your organization’s unique needs.

For more information about the importance of cyber liability insurance, and cybersecurity in general, please contact our team today.

Guide to Creating an Effective Incident Response Plan


It’s always best to take a proactive, rather than a reactive, approach to almost any problem or potential problem. In a world where breaches and other cybersecurity threats and incidents have become commonplace, it is no longer a question of if your organization will be targeted, but when.

To best safeguard your organization’s digital assets and reputation, you need to develop a robust yet flexible incident response plan tailored to your company’s unique needs. A comprehensive plan allows you to respond to incidents quickly and effectively and is crucial for minimizing damage and recovering from an incident.

If you have experienced or are currently experiencing a security incident, please contact our team right away by calling (855) 422-8283 anytime 24/7/365. You should also consider reviewing our guide: Hacked? Here’s What to Know (and What to Do Next).

What is an Incident Response Plan?

At its core, an incident response plan is a set of instructions developed by your team (and likely with assistance from your managed security services provider) that tells your team how to detect, respond to, and recover from a security incident. Though most incident response plans tend to be technologically centered and focus on detecting and addressing problems such as malware, data theft, and service outages, a security incident can have a widespread impact on all of your organization’s usual activities. As such, a good incident response plan will not only provide instructions for your IT department but will also provide guidance and critical information to other departments and stakeholders, such as:

  • Human resources
  • Finance
  • Customer service
  • Employees
  • Your legal team
  • Your insurance provider
  • Regulators
  • Suppliers
  • Partners
  • Local Authorities

If not handled correctly, a security incident can also tarnish your reputation and damage your relationship with your clients, sometimes irreparably.


The 5 Phases of an Incident Response Plan

While NIST has drafted a guide outlining how to handle computer security incidents, these general guidelines only offer a starting point. For maximum efficacy, your organization’s incident response plan needs to be both specific and actionable and clearly specify who needs to do what and when. All key stakeholders need to be involved in the plan development process and kept up to date on any changes made to the plan. 

Though your plan will need to be tailored to meet your organization’s unique cybersecurity needs, all VirtualArmour Cybersecurity Incident Response Plans follow the same basic phase format: Hunt, Alert, Investigate, Remediate, Review, and Repeat.

Phase 1: Hunt & Alert

The only way you can respond to a threat is if you know it is there. All organizations should take a proactive, rather than a reactive, approach to their cybersecurity. This includes actively hunting for potential security threats and reviewing your security protocols frequently to ensure they are continuing to meet your organization’s needs. 

To hunt for security threats, you should be internally monitoring all company email addresses to look for signs of trouble such as phishing scams and invest in security tools that will alert you to any potentially suspicious activities. 

Should any suspicious activities be detected, you need to have a process in place to ensure your internal security team or MSSP is made aware of the issue so they can help you determine if the threat is credible. Should you discover a threat during this preliminary phase, you also need protocols in place to: 

  • Assess how serious the threat is
  • Determine whether a breach is imminent
  • Activate your security incident response plan (including alerting all internal and external stakeholders)
  • Allocate resources (including pulling employees away from regular tasks to deal with the threat)
  • Address the threat (ideally before any significant damage has been done)
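The monitoring and triage step described above (spotting phishing signs in company email, then assessing how serious the threat is before alerting your security team or MSSP) can be made concrete with a small header-level triage routine. The following is an added example, not VirtualArmour’s tooling or any product’s code. It parses constructed sample messages with Python’s standard `email` module, scores a few common phishing indicators (a Reply-To domain that differs from the From domain, a From domain that is a lookalike of the organization’s own domain, SPF/DMARC failures reported in an `Authentication-Results` header, and urgency language), and maps the score to a severity that decides whether the message is escalated. The internal domain `example.com`, the indicator weights, the thresholds and the three sample messages are all assumptions made for this example.

```python
"""Header-level phishing triage for the Hunt & Alert phase (added example, not
from the original article). Indicator weights, thresholds and samples are
assumptions constructed for illustration."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Domains the organization sends mail from (assumed for the example).
INTERNAL_DOMAINS = {"example.com"}

# Phrases that pressure the recipient to act quickly (assumed list).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "wire")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg: Message) -> str:
    """Collect text/plain content whether or not the message is multipart."""
    if not msg.is_multipart():
        return str(msg.get_payload())
    parts = [str(p.get_payload()) for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def severity(score: int) -> str:
    """Map a numeric score to the severity bands used for escalation (assumed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low" if score > 0 else "none"


def score_message(raw: str) -> dict:
    """Score one RFC 822 message and return indicators, score, severity, escalate."""
    msg = message_from_string(raw)
    indicators, score = [], 0

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # 1. Reply-To points somewhere other than the apparent sender's domain.
    if reply_dom and reply_dom != from_dom:
        indicators.append("reply-to domain differs from from domain")
        score += 2

    # 2. Sender domain is a near-miss of one of our own domains (e.g. examp1e.com).
    if from_dom not in INTERNAL_DOMAINS and any(
            0 < _edit_distance(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
        indicators.append("lookalike of internal domain")
        score += 3

    # 3. The receiving mail server recorded an SPF or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        indicators.append("spf/dmarc failure")
        score += 3

    # 4. Urgency language in subject or body, capped so wording alone stays low.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        indicators.append("urgency phrases: " + ", ".join(hits))
        score += min(len(hits), 2)

    sev = severity(score)
    return {"score": score, "severity": sev, "indicators": indicators,
            "escalate": sev in ("medium", "high")}


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "Finance Team" <ap@examp1e.com>
Reply-To: finance-desk@mail-relay.invalid
To: alice@example.com
Subject: Urgent: wire transfer approval
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail

Please approve the wire immediately; the account will be suspended otherwise.
"""

SUSPICIOUS_SAMPLE = """\
From: "Partner Support" <support@partner.invalid>
Reply-To: tickets@helpdesk-partner.invalid
To: alice@example.com
Subject: Ticket update

Please review the attached report immediately so we can close the ticket.
"""

BENIGN_SAMPLE = """\
From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch tomorrow?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass

Want to grab lunch tomorrow at noon?
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE),
                      ("suspicious", SUSPICIOUS_SAMPLE),
                      ("benign", BENIGN_SAMPLE)):
        print(name, score_message(raw))
```

The point of the example is the shape of the process, not the particular weights: each indicator is cheap to compute from headers your mail gateway already records, the severity bands give the “assess how serious the threat is” step a concrete output, and the `escalate` flag is the hand-off to the internal team or MSSP that the plan calls for. In production, the lookalike check would be run against every domain you own and the thresholds tuned against real mail volume.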

Why You Should Consider Pen Testing

An excellent way to identify gaps in your security before they can be used against you is pen (penetration) testing. Pen testing involves hiring an ethical hacker to attack your network and other IT infrastructure and look for gaps in your defenses that could be exploited. 

As the hacker stress tests your cybersecurity, the hacker notes any flaws they managed to exploit to gain entry to your system so that you can address these shortcomings and shore up your defenses. Once the test is complete, the ethical hacker reviews their findings with you and offers recommendations to improve your security. Essentially, by hiring a good guy to look for deficiencies in your current security posture, you can address those issues before the bad guys discover and exploit them.

Phase 2: Investigate

During an incident, your top priority needs to be containing the threat and minimizing damage. Once the threat has been dealt with, you should review both the threat and your response to help ensure the same threat cannot be used against you again.

Phase 3: Remediate

Once you have contained and eliminated the threat, it is time to begin cleaning up the mess. Your recovery and remediation process should include notifying all appropriate external entities (including your customers, relevant regulators, and potentially impacted third parties such as suppliers). Impacted external entities should be told the nature of the incident (ransomware attack, DDoS attack, etc.) and the extent of the damage.

The remediation process also needs to involve gathering evidence so that it can be reviewed by your security team, your MSSP, and regulators, as well as law enforcement (if appropriate). Once you have all the evidence, you will need to perform a root cause analysis to identify the underlying problem, determine what steps need to be taken to address it, and ensure a similar incident can’t happen again. 

The remediation process may also involve:

  • Replacing damaged or compromised equipment
  • Restoring systems from backups
  • Addressing any vulnerabilities the attacker was able to exploit
  • Updating your security controls (changing passwords, installing security patches, etc.)

Phase 4: Review

If you are targeted, one of the best things you can do to best safeguard your organization going forward is to learn from what transpired. As part of your review process, make sure you gather all internal and external team members involved and discuss your response to the incident and identify any shortcomings or oversights that need to be addressed.

As part of this phase of the incident response plan, the VirtualArmour team will help you assess your current incident response plan and offer suggestions for improvements. 

Practice Makes Perfect: The Benefits of Tabletop Exercises

As part of your ongoing security training, you should consider running tabletop exercises with your security team as well as all internal and external team members that are involved in responding to security incidents. 

Tabletop exercises work like fire drills, presenting your team with a hypothetical security incident and allowing them to practice responding in a no-stakes environment. Not only do tabletop exercises give your team valuable practice before an incident occurs, but they also allow your organization to assess the efficacy of your current incident response plan so that any shortcomings or other problems can be addressed before an incident occurs.

Phase 5: Repeat

Just because your team managed to identify and effectively respond to a security incident doesn’t mean your organization is safe forever. Constant vigilance is required to ensure your team is always ready to respond to threats, regardless of what attackers throw at you.

Does My Organization Need an Incident Response Plan?

All organizations, regardless of size or vertical, need to have an incident response plan in place. 

When Should My Organization Begin Developing Our Incident Response Plan?

Because you will never know when disaster will strike, you should begin developing your incident response plan as soon as possible. If you aren’t sure where to begin, we suggest you get started by:

  1. Review the NIST guidelines.
  2. Create the living document your plan will reside in and meet with stakeholders to begin fleshing it out. This document should include:
    1. Your incident response mission statement: The job of this section is to outline why you need an incident response plan.
    2. Roles and responsibilities: Explicitly name who is involved in the incident response plan, why they are involved, and their role should an incident occur.
    3. Incidents you are likely to encounter: This section will outline what types of incidents your organization is likely to encounter (ransomware attacks, DDoS attacks, etc.) and how you will respond to them.
    4. Emergency contact details for all relevant parties: This includes both members of the incident response team and regulators. You may also want to consider including contact information for local law enforcement here as well. 

Assembling Your Team: Who Needs to Be Involved While Developing & Actioning Your Incident Response Plan

Who is involved in developing and actioning your incident response plan will vary depending on your organization’s specific needs. However, all organizations should include at least one person from each of the following stakeholder groups.

Your Executive Team

At least one C-suite executive (ideally your CTO) or a similarly ranked decision-maker should be included. This is not only vital to ensure your executive team is kept in the loop but can make it easier to secure resources quickly should an incident occur. 

Your IT Department

Your internal IT department will be integrally involved in any response, so it is vital that they are given a seat at the table. You need to make sure you have a good relationship with your networking team, database team, and developers, though whether you wish to include representatives from these sub-groups will depend on the size and structure of your organization. You should also strongly consider working with your MSSP during the development phase since they will be able to offer valuable insights and approaches you may not have considered.

You should also consider engaging with your hosting providers and service providers, though this may simply involve sharing your finalized plan with them and informing them of any changes, so they are up to date if an incident occurs.

Your Legal Team

Security incidents can become a legal nightmare, so your legal team or company lawyer must be included. During the incident response plan development process, you will need to make decisions regarding what is reported and to whom. Your incident responders should be chosen for their technical skills, not their legal skills, so your legal team must be intimately involved in the development process.

Human Resources

Many security incidents occur because of users (such as an employee falling for a phishing scam), so having a member of your human resources team at the table is critical. Your incident response team needs to be able to handle user-caused incidents delicately and respectfully and ensure your response plan complies with all relevant laws from a human resource perspective. HR can help ensure compliance and should be involved in the incident response plan development process. If an incident occurs, they should also be pulled in on an as-needed basis. 

Your Public Relations Team

Security incidents can quickly become public knowledge, whether you are ready to share the details or not. Like your HR team, your PR team should be kept in the loop during an incident, but their expertise is particularly invaluable during the remediation phase.

Looking for Guidance or Advice? VirtualArmour is Here to Help

Creating an incident response plan from scratch may seem like a daunting task. So much rides on having a robust plan in place that is flexible enough to be quickly updated to ensure your organization’s evolving needs are met. Many small and medium-sized organizations do not have the bandwidth or expertise to develop a good incident response plan on their own. That is where MSSPs like VirtualArmour come in. 

Our team of security experts has extensive experience working with organizations of all sizes in a variety of verticals, including healthcare, financial services, retail, energy, and service providers. For more information about the importance of having a security incident response plan, or to begin work on your own plan, please contact our team today.



5 Major Companies Were Recently Breached: Where Are They Now?

2020 was a record-breaking year in the cybersecurity world, both when it comes to the amount of data lost in breaches as well as the eye-watering number of cyber attacks on companies, governments, and individuals. Ransomware attacks alone have risen 62% since 2019, and this trend doesn’t appear to be waning.

In this article, we will discuss five major companies that were attacked between 2019 and 2021, including the impact of those breaches and how these organizations responded.

If you have experienced, or are currently experiencing, a cybersecurity attack please contact our team immediately for assistance by calling (855) 422-8283 anytime 24/7/365 and consider reading our educational article Hacked? Here’s What to Know (and What to Do Next).

Capital One (2019) 

The Attack

The Capital One hack was first discovered on July 19th, 2019, but likely occurred at the end of March that same year and impacted credit card applications as far back as 2005. The attacker, Paige Thompson, was able to break into the Capital One server and access:

  • 140,000 social security numbers
  • 1 million Canadian social insurance numbers
  • 80,000 bank accounts
  • An undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information

This devastating attack impacted nearly 100 million Americans and an additional 6 million Canadians. In June of this year, the US Department of Justice announced that they were adding to the charges. Originally charged with one count each of wire fraud and computer crime and abuse, Ms. Thompson now faces six additional counts of computer fraud and abuse and one count of access device fraud.

Capital One’s Response

In an official statement to impacted customers on their website (last updated April 16, 2021, as of the writing of this article), Capital One lays out the damage done and the number of individuals impacted. They go on to stress that no login credentials were compromised.

The statement goes on to provide answers to some pressing questions in the Q&A section and offers practical advice about what Capital One cardholders can do to protect their accounts, including additional steps that individuals can take to protect themselves against fraud and identity theft. American cardholders can find additional information on this FAQ page.

The official FAQ page linked above goes on to mention that all affected Capital One customers will be provided with two years of free credit monitoring and credit protection. The FAQ states that impacted individuals should have received either an email or a letter outlining the enrollment process for this service, including an activation code.

The FAQ goes on to discuss what individuals should do if they received a possible scam email, call, or text related to the incident, which indicates scammers are piggybacking on this breach in an attempt to further victimize impacted individuals.

Capital One also agreed to pay an $80 million fine to US regulators over the incident.

Capital One did have a plan in place to recognize and respond to the breach (highlighting the importance of having an incident response plan). The incident was discovered via a vulnerability report, and once the incident was discovered, Capital One responded swiftly and worked hard to ensure impacted individuals were kept in the loop. Ms. Thompson was arrested a mere 12 days after the initial vulnerability report was released.

Facebook (2019) 

The Attack

The Facebook data breach was discovered in April 2019 when it came to light that two third-party Facebook app datasets had been exposed to the wider internet. This database (containing private information on 533 million accounts) was then leaked on the Dark web for free in April of 2021, increasing the rate of criminal exposure. 

The data exposed included phone numbers, dates of birth, locations, past locations, full names, and some email addresses tied to compromised accounts. In an official blog post, the company stated that “malicious actors” had scraped the data by exploiting a vulnerability in a now-retired feature that allowed users to find each other via phone number.


Facebook’s Response

Facebook chose not to notify impacted individuals in 2019, and according to this NPR article published in April 2021, they still have no plans to do so. According to a company spokesperson, the company isn’t entirely sure which users would need to be notified and that the decision not to contact users stemmed at least in part from the fact that “the information that was leaked was publicly available and that it was not an issue that users could fix themselves.”

Though Facebook claims to have addressed the vulnerability that allowed attackers to access this data, that is cold comfort for Facebook users. “Scammers can do an enormous amount with a little information from us,” said CyberScout founder Adam Levin when interviewed by NPR. “It’s serious when phone numbers are out there. The danger when you have phone numbers, in particular, is a universal identifier.” Phone numbers are frequently used to connect users to their digital presence, including using them as additional identifiers via two-factor authentication text messages and phone calls. 

As a response to the incident, the US Federal Trade Commission fined Facebook $5 billion for violating an agreement the company had with the agency to protect user privacy. Facebook CEO Mark Zuckerberg will also be held personally liable by the FTC for any future privacy violations.

If you are concerned that your personal information may have been leaked during the breach, you can use the data tracking tool HaveIBeenPwned to learn whether your Facebook account or other digital accounts, including email, have been compromised.

SolarWinds (2020)

The Attack

Cybersecurity company FireEye first discovered the attack in December 2020. The attackers, who are believed to be affiliated with the Russian government, used a supply chain attack to push malicious updates to FireEye’s popular network monitoring product. 

Impacted FireEye customers include

  • Multiple US government departments
  • 425 of the US Fortune 500 companies
  • The top ten US telecommunications companies
  • The top five US accounting firms
  • All branches of the US military
  • The Pentagon
  • The State Department
  • Hundreds of universities and colleges worldwide 

The total extent of the damage may never be known, but this attack continues to impact affected organizations. For example, in July 2021, attackers were able to gain access to the Microsoft Office 365 email accounts of 27 US Attorneys’ offices. The accounts were originally compromised during the SolarWinds attack.

FireEye’s Response

The larger attack was discovered when FireEye’s internal team of investigators was investigating the original, smaller FireEye attack. During this investigation, the backdoor within the SolarWinds code was discovered, prompting the FireEye team to contact law enforcement. Though the SolarWinds attack was devastating, the fact that the attackers decided to use FireEye as a vector might have actually lessened the damage. According to Charles Carmakal, senior vice president and CTO of Mandiant, FireEye’s incident response arm, “one silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community, and security partners.” 

FireEye took the crucial step of publicly reporting the attack (instead of waiting for impacted customers to discover the issue), conducted a thorough review of the incident, and made sure to share all their information with law enforcement and the US government. As such, the extent of the attack was learned quickly, so impacted companies and government bodies could take appropriate steps. If FireEye had tried to hide the attack from their customers, the damage could have been even worse.

Keepnet Labs (2020)

The Attack

Keepnet Labs is a threat intelligence company that collects and organizes login credentials exposed during other data breaches. If a customer’s details are discovered, Keepnet Labs notifies impacted individuals and offers advice on steps they should take to best safeguard their data and minimize damage.

The Keepnet Labs incident is a little unusual in that it wasn’t actually Keepnet Labs user data that was exposed. Instead, Keepnet Labs had compiled a database of usernames and passwords that had been leaked during a variety of cybersecurity incidents between 2012 and 2019. Attackers were able to exploit a vulnerability in this Elasticsearch database, which was (according to Keepnet) actually maintained by a contractor, not Keepnet Labs themselves. 

While performing scheduled maintenance, an employee of the contracted company briefly turned off a firewall to speed up the process, inadvertently exposing the sensitive data for about ten minutes. However, in that short window of time, the database had already been indexed by BinaryEdge, a security-focused company that acquires, analyzes, and classifies internet-wide data. The vulnerability itself was discovered by Bob Diachenko, who accessed the data via BinaryEdge.

As such, the leak wasn’t technically as bad as others mentioned on this list since all the data exposed had already been exposed in previous incidents. However, Keepnet Labs’ handling of the incident was far from ideal.
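The Keepnet Labs exposure shows why a data store should not depend on a perimeter firewall alone: once the firewall was off, nothing else stood between the indices and an internet-wide scanner. The following audit script is an added example (not from the original article or from Keepnet Labs) that checks an elasticsearch.yml for settings that would leave the data readable in exactly that situation; the two sample configurations are constructed, and the parser assumes the flat `key: value` form the file normally uses.

```python
"""Audit an elasticsearch.yml for settings that make the data store depend
entirely on a perimeter firewall (the failure mode in the Keepnet Labs leak).
Added example; flat key: value parsing is an assumption about the file format."""

from typing import Dict, List, Tuple

# Constructed sample: listens on every interface with no authentication.
# The moment the firewall is off, anyone who can reach TCP/9200 can read every index.
WEAK_CONFIG = """\
cluster.name: breach-intel          # constructed cluster name
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: loopback only, authentication and TLS on the HTTP API.
HARDENED_CONFIG = """\
cluster.name: breach-intel
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# network.host values that listen on every interface or on all non-loopback ones.
WIDE_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost", "_local_"}

Finding = Tuple[str, str, str]  # (severity, setting, explanation)


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `dotted.key: value` lines elasticsearch.yml normally uses.
    Comments and blank lines are skipped; nested YAML is out of scope."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit_config(text: str) -> List[Finding]:
    """Return findings, worst first. An empty list means the store would still
    refuse unauthenticated reads even if the firewall in front of it went away."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("network.host", "_local_")  # Elasticsearch binds loopback when unset
    # Audit conservatively: security not explicitly enabled counts as disabled.
    auth_on = cfg.get("xpack.security.enabled") == "true"
    tls_on = cfg.get("xpack.security.http.ssl.enabled") == "true"
    findings: List[Finding] = []

    if host in WIDE_BINDS and not auth_on:
        findings.append(("CRITICAL", "network.host / xpack.security.enabled",
                         f"listens on {host} with no authentication; only the "
                         "firewall stands between the indices and the internet"))
    elif not auth_on:
        findings.append(("HIGH", "xpack.security.enabled",
                         "authentication is off; any host on the bound network can read data"))
    elif host in WIDE_BINDS and not tls_on:
        findings.append(("MEDIUM", "xpack.security.http.ssl.enabled",
                         f"credentials cross the network in the clear on {host}"))
    if host not in WIDE_BINDS and host not in LOOPBACK_BINDS:
        findings.append(("INFO", "network.host",
                         f"bound to {host}; confirm this address is not externally routable"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```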

Keepnet Labs’ Response

After discovering the vulnerability, Diachenko published a security report, which was picked up by a variety of cybersecurity news outlets and blogs covering the leak. However, Keepnet Labs felt that a number of these publications had made misleading statements and contacted several reporters to ask them to edit their articles. 

Graham Cluley, a popular security blogger, received one such email from Keepnet. Though he felt his representation of the facts was fair, he was willing to give Keepnet the chance to tell their side of the story. However, instead of an official statement or a chance to speak to a company spokesperson, he instead was contacted by Keepnet’s lawyers, who threatened him with legal action if he didn’t edit his article and remove the company’s name. 

This heavy-handed reaction was only one of several failings on the part of Keepnet to manage the fallout of the attack. It took almost three months for the company to release an official statement to set the record straight, and they refused to work with reporters and bloggers like Cluley to provide accurate facts. Though the security incident itself may tarnish Keepnet’s reputation, their poor handling of the aftermath is likely to cause far more damage.


Microsoft Exchange (2021)

The Attack

The attack was first discovered on March 2, 2021, when Microsoft detected multiple zero-day vulnerabilities in the on-premises versions of Microsoft Exchange Server that were being actively exploited by attackers. Over the following days, nearly 30,000 American organizations were attacked using these vulnerabilities, which allowed attackers to gain access to email accounts and install web shell malware, giving them ongoing administrative access to the victims’ servers.

On the day the attack was first discovered, Microsoft announced that they suspected the culprit was a previously unidentified Chinese hacking group dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), this group is suspected to be based in China, state-sponsored, and primarily targeting organizations based in the United States that depend on leased virtual private servers (VPSs).

The actual purpose of the attack is more nuanced. According to Gartner analyst Peter Firstbrook, the attackers are really looking to test the defences of organizations and discover which organizations are lagging behind security-wise. Most organizations that use Microsoft Exchange Servers have moved away from on-premises models to the online Exchange, which means organizations still using on-premises solutions are likely to be late adopters or less security conscious, making them excellent targets.

It has also been speculated that the attacker’s real endgame is not the on-premises servers they are currently targeting but more of a fact-finding mission to help them set up future attacks on high-value targets with connections to those servers. This may include using these email servers to impersonate trusted individuals and use those email accounts to send phishing emails to sensitive targets such as the Defense Department. Much like the SolarWinds attack, the companies currently being attacked may not be the actual target.


Microsoft’s Response

Microsoft has released security updates for Exchange Server 2010, 2013, 2016, and 2019 that address the exploited vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). 

Microsoft has also gone out of their way to try and get everyone to pay attention to this attack, particularly since impacted individuals and organizations may be relying on IT generalists (instead of specialized admins) and may not understand what this attack could really mean. If impacted organizations don’t take action, it could have widespread and devastating consequences for the sensitive companies and organizations (such as the Defense Department) that they do business with. Should someone at the Defense Department or another government body fall for a phishing scam perpetrated using these compromised servers, it could compromise US national security. 

An unfortunate truth about the modern security landscape is that it is no longer a question of if your organization will be targeted but when. Security incidents such as the ones listed above can have widespread consequences for the organizations that have been targeted, as well as the organizations and individuals that do business with them. 

The best thing you can do to safeguard your organization and its digital assets is cultivate a robust yet flexible cybersecurity posture, which starts with an incident response plan.

For more information about cybersecurity, or to get started shoring up your defences, please contact our team today.

5 Old-School Hack Techniques That Still Work (& How to Protect Your Data)

Hacking, in the loosest sense of the term, was born in the 1950s when “phone phreakers” first figured out how to exploit the dial tone sounds produced by phones to make free long-distance calls. This form of hacking peaked in the 1960s and 1970s and has since fallen by the wayside.
The 1980s brought us the term “cyberspace,” and saw one of the earliest hacker groups (called the 414s) raided by the FBI and charged with 60 counts of “computer intrusion.”
Though the ability to manipulate dial tones isn’t particularly useful in the digital age, there are a few old-school hacking techniques that have endured the test of time. Here are 5 old-school hack techniques that still work and what you can do to safeguard your data.

Social Engineering

Social engineering, which plays a prominent role in phishing scams, involves manipulating unsuspecting victims into revealing private information (such as usernames and passwords) by pretending to be someone else. While a phishing scam involves sending an email reportedly from a trusted source (such as your bank, your IT person, or your boss) and tricking you into handing over your username and password, social engineering can take several forms.
At its core, social engineering exploits human psychology to gain unauthorized access to private or restricted buildings, systems, or data. This form of hacking has technically been around since people first figured out that they could pretend to be other people for ill-reputed gain.

How to Protect Yourself

If you get an unprompted phone call or email asking for personal information, you should always approach the situation with a healthy dose of skepticism. Don’t reveal anything and report the situation to your supervisor, cybersecurity team, or MSSP right away. If possible, forward the email or get a copy of the call log.
To check if the person on the other end of the exchange is who they say they are, you should reach out to them independently. If you get a suspicious email from your “boss,” pick up the phone or forward the email to them to verify that they sent it. If your “IT company” has called you unprompted to help you fix a problem with your machine (that you supposedly reported), hang up and call your IT company directly to verify the situation.

Identity Theft

Identity theft isn’t strictly a cybersecurity issue, but it can be used to gain unauthorized access to digital systems. If a cybercriminal is able to gain access to sensitive information (such as your SIN, full name, address, username, password, etc.), they can use that information to commit fraud or other illegal activities. 

How to Protect Yourself

Check your credit card statements and credit report regularly and report any suspicious activity right away. You should also change your password if you suspect it’s been compromised, and never use the same password for more than one account. You may also want to consider setting up multi-factor authentication on all accounts that allow it.
To select a secure password, consider following the NIST password guidelines. You may also want to consider using a secure and reputable password manager, which will help you avoid using duplicate passwords and can generate random strings of characters (and store them safely) so that it’s more difficult for criminals to guess your passwords.

DDoS Attacks

Distributed Denial of Service (DDoS) attacks are performed by either large groups of hackers or a hacker with a large number of bot computers under their control. All players then hammer the targeted organization’s servers with requests, causing the server to crash and business to grind to a halt. This coordinated attack prevents legitimate users (such as customers) from accessing the targeted website or server. 

How to Protect Yourself

There are a few steps you can take to inoculate your systems against DDoS attacks. To begin, you should make sure your network infrastructure is secure by keeping your firewalls up to date, using spam filters, and implementing load balancing measures.
You can mitigate or even avoid damage by migrating critical infrastructure to the cloud (whose distributed model means that if one server goes down, others are available to step in).
As with any potential cybersecurity incident, you should also have a robust, detailed, and flexible plan in place for dealing with DDoS attacks effectively, minimizing disruptions, and getting to the root of the problem before too much damage can be done.

Online Scams

The Nigerian prince scam is the first example many people think of when they think about cybercrime. It involves a scammer contacting you via email, text message, or online messaging program and regaling you with an elaborate story about how the majority of their vast fortune is trapped because of a civil war, coup, or other disruptive event. The scammer then offers the victim a large sum of money in exchange for helping them transfer their fortune out of their country. Though this style of scam originated in Nigeria, such scams are now launched all over the world.
To complete the transfer, the scammer explains, they need your bank login details. They may also ask for a small amount of money to cover taxes or fees. Of course, the entire story is a lie designed to get you to hand over your bank details and increasingly large sums of money.

How to Protect Yourself

Most obvious scam emails are probably flagged and filtered out by your email company’s built-in spam filter, but text messages and online messaging apps may not have this feature. Any unsolicited request (even if it appears to be someone you know) that spins a tale of woe and asks for money or bank account details is likely fraudulent. 
If the message comes from someone you know or care about (say, your daughter who is currently backpacking through Europe) and you think it could be a legitimate call for assistance, do not reply to the message. Instead, contact your loved one through another medium (such as by phone) to verify the story. 
A common form of this scam involves criminals claiming that the victim owes taxes or some other form of payment to the government, and may ask for payment in gift cards, bank transfer, pre-loaded bank card, or a cryptocurrency such as bitcoin. If you receive a request like this, do not respond. Instead, reach out to the governmental body in question or call your local police department’s nonemergency line to find out if this request is legitimate or a scam.

Exploit Kits

Exploit kits are automated cybersecurity threats that take advantage of weaknesses in compromised websites to divert traffic, run malware, or capture private user data (including usernames and passwords).
These small programs are particularly insidious because they don’t require a lot of technical expertise to install, and they can easily be deployed across several compromised websites at once. Exploit kits can easily be purchased or rented on underground criminal markets (including on the dark web).

How to Protect Yourself

Since exploit kits depend on vulnerable websites, the most important thing you can do is take basic precautions. These include keeping your software up to date so that your website can take advantage of any new security patches that have been released and keeping an eye out for suspicious website activities.
Old school hacking techniques have stuck around because they’re still effective. To help safeguard your digital assets, you need to create robust yet adaptable playbooks to follow, train your employees to detect suspicious activity, and stay up to date on all the latest cybersecurity research. 
This may sound like a lot, and for a small or medium-sized business, it may not be feasible to handle on your own. A Managed Security Services Provider (MSSP) can help you put measures in place to safeguard your digital assets, offer employee cybersecurity training, monitor your systems 24/7/365 for suspicious activities, and help you minimize or avoid damage should an incident occur. 

The 8 Most Expensive Cyberattacks of 2019

In 2019, governments and companies in the United States faced a barrage of ransomware attacks. In all, 103 federal, state, and municipal governments and agencies, 759 healthcare providers, and 86 universities, colleges, and school districts were impacted by ransomware attacks. The potential cost could be more than $7.5 billion, and that’s only for US-based organizations. 
That figure doesn’t even take into account lost employee productivity, how many people hours had to be diverted to deal with cyber incidents, and how many patients, students, and other private citizens were affected either directly or indirectly. Students saw tests and admissions services halted, medical records were lost, and some surgeries were canceled. Emergency services, including 911, were interrupted, putting countless lives at risk.
Here’s a look back at 2019’s most expensive cyberattacks.

CapitalOne Breach

Cost: Between $100 million and $150 million.
The CapitalOne hack affected nearly 100 million Americans as well as 6 million Canadians. The hacker managed to gain unauthorized access to 140,000 Social Security Numbers, 1 million Canadian Social Insurance Numbers, and 80,000 bank accounts as well as an undisclosed number of client names, addresses, credit scores, credit limits, and balances as well as other personal information. 
The expected cost of this breach is estimated between $100 million and $150 million.

Norsk Hydro Attack

Cost: At least $52 million
In March, Norsk Hydro (a Norwegian aluminum company with over 35,000 employees in over 40 countries) was targeted by LockerGoga malware and forced to shut down or isolate several manufacturing plants while other plants were forced to continue operations in manual mode. 
Though it isn’t clear how the Norsk Hydro systems became infected (phishing has been ruled out), the malware was still able to encrypt files, forcibly log victims off of the infected systems, and remove the ability for users to log back on. Though Norsk Hydro was able to determine the causes of the attack, the fact that users are logged off and left unable to log back on means that some victims may not even receive the ransom note at all.
As of last April, the company estimated that the cost of repairing the damage inflicted by the malware would likely be at least $52 million.

Baltimore Ransomware Attack

Cost: Up to $18 million
Last May, thousands of city computers in Baltimore were encrypted with RobbinHood malware, and the hackers demanded approximately $76,000 in Bitcoins. Though the city refused to pay the ransom, the entire ordeal ended up costing approximately $18 million. Critical systems, including email service for city employees, were affected, and during the downtime, citizens of Baltimore were unable to pay their water bills or have real estate transactions processed.

Texas Ransomware Attacks

Cost: At least $12 million
Over the summer, 22 local governments in the state of Texas fell victim to a coordinated ransomware attack. Though the hackers demanded $2.5 million, the state refused to give in. Unfortunately, even without paying the ransom, the entire incident still ended up costing over $12 million.

Grays Harbor Phishing & Ransomware Attack

Cost: Undisclosed
Both Grays Harbor Community Hospital and the Harbor Medical Group were hit with a ransomware attack this year, during which hackers demanded $1 million. The attack started when an employee clicked on a malicious link in a phishing email. That employee’s machine then went on to infect systems at several clinics in Grays Harbor, though the hospital’s older software prevented the ransomware from properly installing itself on the main system.
As a result of the attack, clinics needed to revert to paper records. This pervasive form of malware infected not only the main system but also computer backups of medical records. Though it still isn’t clear whether or not the company decided to pay the ransom, some medical records have yet to be recovered and are feared permanently lost.
The group has cyber insurance that will cover up to $1 million in damages and lost income (since billing was affected during the incident). However, the total cost of the incident, including patient disruptions, is still unknown.

Asurion Ransomware Attack

Cost: $300,000
Asurion (a global phone insurance and tech support company based in Nashville) paid at least $300,000 in ransom to a hacker who claimed he had stolen the private information of thousands of employees as well as the names, addresses, phone numbers, and account numbers of more than a million customers. Though the company believes the hacker in fact accessed far less information, it still paid $300,000 of the $350,000 ransom demanded, in $50,000 per day installments.
The hacker, a former employee named Nicholas Burks, was arrested after the company noticed that a corporate laptop was missing and that the last known login was by Burks, who had also used the stolen laptop to access the corporate network multiple times in the days before his termination.

DCH Health Systems Ransomware Attack

Cost: Undisclosed
In early October of this year, hospitals across Alabama were hit with a widespread ransomware attack that forced them to shift their operations into manual mode, relying on paper copies of charts and medical records until the IT system could be repaired. The hospitals were all members of the DCH Health Systems hospital group and included the DCH Health Systems Regional Medical Center, Northpoint Medical Center, and Fayette Medical Center.
In order to return to normal operations, the group ended up paying the hackers an undisclosed amount in exchange for the digital key to decrypt the system.

University Attacks by Iranian Hackers

Cost: Intellectual Property
As of this year, Iranian hackers have targeted at least 380 universities in over 30 countries using phishing emails. The goal of the hacker group (dubbed Cobalt Dickens) is to steal intellectual property, which is then either exploited or sold for profit. The phishing emails claim to come from the school’s library and ask the user to reactivate their account by clicking on a malicious link.
Though previous iterations of this attack used URL shorteners to obscure the fact that the links didn’t go to the library’s website, the newest version has managed to spoof the school website’s URL so that the link appears genuine. Once the user clicks on the link, they are then asked to input their library login credentials on a spoofed version of the library’s actual site. 
Malware detection software has been hindered because the group used publicly available tools and code from GitHub to conduct the attacks instead of using traditional, and easily recognizable, malware. 
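One defensive check that follows from this description, as an added example that is not from the article or from any vendor's tooling: a small Python filter that pulls the links out of a mail body and flags shortener hosts, visible text that names one domain while the href goes to another, and hosts that reuse the school's name. The library host, the shortener list and the sample message are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed values: the school's genuine library host and a few shortener hosts.
LEGIT_LIBRARY_HOST = "library.example-university.edu"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # only the text collected since the last <a> is used
    def handle_endtag(self, tag):
        if tag == "a":
            self.links.append((self._href, "".join(self._text).strip()))

def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare domain in link text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def classify_link(href: str, text: str) -> str:
    """Return why a link is suspicious, or '' if it points at the genuine library."""
    h = host_of(href)
    if h == LEGIT_LIBRARY_HOST:
        return ""
    if h in SHORTENERS:
        return "shortener hides the real destination"
    # Visible text that looks like a domain must agree with where the href really goes.
    t = host_of(text) if "." in text and " " not in text else ""
    if t and t != h:
        return f"text shows {t} but href goes to {h}"
    if LEGIT_LIBRARY_HOST.split(".")[1] in h:  # school's name reused in a foreign host
        return f"lookalike host {h} imitates {LEGIT_LIBRARY_HOST}"
    return ""

def suspicious_links(html: str) -> list:
    """Every (href, reason) pair in the mail body that classify_link objects to."""
    p = LinkExtractor()
    p.feed(html)
    return [(href, why) for href, text in p.links if (why := classify_link(href, text))]

# Constructed lure in the style of the "reactivate your library account" e-mails.
SAMPLE_EMAIL = """<p>Account expiring. <a href="https://bit.ly/abc123">Reactivate</a> now, or sign in at
<a href="https://library.example-university.edu.login-portal.net/">library.example-university.edu</a>.</p>"""
```

Run `suspicious_links(SAMPLE_EMAIL)` to see both lure links flagged with their reasons; a link whose href really is the library host returns an empty reason.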
Malware, and ransomware in particular, continues to grow in popularity among hackers. As such, cybersecurity awareness is only becoming more critical for organizations and companies of all sizes. As part of your organization’s new year’s resolutions, you should take the time to review your cybersecurity policies, train employees, and consider partnering with a Managed Security Services Provider to better safeguard your organization’s digital assets.