Corporate America’s most sensitive documents are under assault, and recent breaches suggest companies’ security walls are less impenetrable than they may have realized.
Cyber espionage came back to the forefront last week as the Nasdaq OMX Group (NDAQ) acknowledged that a confidential document-sharing service it runs had been hacked, and McAfee (MFE) said Chinese spies had infiltrated five Western energy companies’ networks, targeting proprietary files on oilfields.
The developments haven’t gone unnoticed by authorities, with America’s top spy telling a Congressional hearing last Thursday the cyber warfare threat facing the U.S. is increasing in scope and scale.
Against that backdrop, major corporations are being urged to assume every system can be penetrated, and when in doubt leave ultra-sensitive documents off the Internet.
“Maybe you want to file stuff on paper. Who would have thought paper would be more secure than digital encryption? But it may be,” said James Rickards, co-head of Omnis’s threat finance & market intelligence practice and a consultant for the U.S. defense community.
The Nasdaq breach in particular raised alarm bells in the cyber security community because of the nature of the target: Directors Desk, an online portal run by a stock market operator and used by boards of directors to gain remote access to documents, calendars and secure email.
While most of that data is likely benign, hackers could also find a treasure trove of intellectual property such as proof of concept for new drugs, secret acquisition plans, or new trading strategies.
“From an adversary’s point of view, it’s like the crown jewel,” said Jeff Carr, a cyber intelligence expert and author of Inside Cyber Warfare. “You have this focused, concentrated pool of nothing but high-value targets in one place, that’s just really unthinkable” and “stupid from a security point of view.”
In a statement released after media reports of a breach, Nasdaq acknowledged it detected “suspicious files” unrelated to its trading system. The company said “at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.”
Even though there is no proof sensitive data was stolen, the fact that Directors Desk was breached at all is cause for alarm for its clients, which include more than 175 organizations, many of them Fortune 500 companies.
Nasdaq did not respond to a request for comment.
To be sure, Nasdaq’s system is one of many that use cloud computing to provide remote access to companies, and it’s not as if clients should have been unaware of the threat.
“We can’t just put all of the burden on the proprietor of the system, in this case Nasdaq. We know these attacks are coming,” said Rickards.
Additionally, Nasdaq’s security system did pass a number of hurdles, including receiving SAS-70 approval, which comes only after an in-depth operational review that includes on-site auditors.
Cyber Insider Traders or State-Sponsored Spying?
Security experts are focused on at least three possible malicious intents behind the Nasdaq breach: a criminal gang was searching for actionable insider information, a state actor or security service was looking for economic intelligence, or a group was testing the waters before a larger attack aimed at disrupting the financial markets.
In the insider trading scenario, hackers may have been looking for some form of nonpublic information that they could then illegally trade on. This could include a pre-earnings release, memos or emails about an unannounced merger or a damaging scientific study.
If that was the aim, it could be likened to a more high-tech version of the scheme federal authorities have sketched out in their ongoing expert networks probe.
“Imagine how much more powerful that would be if you could actually get straight to the confidential information on these companies,” said Rickards.
However, given the time and cost involved in such a hack, some believe the Nasdaq breach was actually a state-sponsored treasure hunt. Instead of searching for documents they could trade on, hackers would be looking for big-picture secrets like blueprints for a new technology, a secret formula for a cutting-edge product or details about a new discovery that hasn’t been announced yet.
“The information alone would be extremely valuable so you wouldn’t have to trade it,” said Rickards.
Instead, the cyber spies could pass the sensitive information on to their governments and eventually to their own state-run companies.
China and Russia are two of the countries most frequently accused of cyber espionage. Carr said China is focused on finding new energy sources and technologies like cloud computing, nanotechnology and virtualization. By gathering intellectual property in these areas, countries can accelerate their own work there.
In its report Thursday detailing the security breach in the systems of five energy companies, McAfee placed the blame on Chinese hackers. The attacks, which it dubbed “Night Dragon,” zeroed in on highly sensitive documents, especially ones about operational oil and gas field production systems and financial documents on exploration and bidding.
Security experts are also fearful the Nasdaq breach may have been aimed at setting the stage for a malicious disruption of the stock market that would cross over the line between cyber espionage and cyber warfare.
“While economics and leverage in insider trading was probably the goal here, an attack against the exchange systems themselves that brought them down, or worse -- corrupted recorded trades -- is all within the realm of feasible, if not likely,” said Anup Ghosh, founder of Invincea, which specializes in document and browser protection.
Convenience Versus Security
Regardless of the specific intent of the recent cyber breaches, the incidents will only give some companies more pause in deciding to put sensitive documents online, especially on cloud-computing servers, instead of keeping them in the corporate vault.
“Every high-profile entity in our country needs to be keenly aware that anyone and everyone can be hacked,” said Jason Glassberg, co-founder of Internet security company Casaba. “Every safeguard known to man doesn’t protect you from faults.”
However, services like the Nasdaq one offer an undeniable convenience, especially for companies that have directors living and traveling in various places around the world.
“At some point everyone needs to decide when the cutoff is between convenience and security,” said Glassberg. “Something like this [breach] sheds light and maybe will tip the scales more towards the security side.”