IT service providers have recently become a common target of cyber attacks and 11 of them have been compromised since July 2018. Attackers target providers in attempts to gain access to their customers, according to a blog post by Symantec.
What makes this especially ironic is that IT service providers often are the same companies that businesses hire to protect them against cyber threats. It’s not exactly a new tactic by cybercriminals, who in the past have even attacked security vendors. Perpetrators also have been known to target some companies purely to get to their business partners. This practice was the subject of investigation in a recent (ISC)² study titled, “Securing the Partner Ecosystem.”
Symantec revealed that the group responsible for the IT service provider attacks, which calls itself Tortoiseshell, appears to be relatively new. Most of the attack targets are based in Saudi Arabia, and Symantec has detected Tortoiseshell activity as recently as July 2019.
On at least two occasions, attackers gained domain admin-level access, as evidenced by the deployment of tools designed to retrieve information about the infected machines. That information includes IP configuration, applications, system information and network connectivity data.
These “supply chain attacks” target trusted software, hardware or services to infiltrate third-party networks. Such attacks require a higher level of skill and sophistication, the vendor says.
The IT service provider attacks come as a reminder of the risks associated with digital and cloud connections between companies. Attackers over the years have sought to exploit this interconnection, as they look for security vulnerabilities in third-party suppliers to get to their partners.
The common perception has been that cybercriminals seek to infiltrate large companies through smaller partners. But (ISC)² research in spring 2019 contradicts this view. Of the large enterprises participating in a study of more than 700 respondents, only 14% say a small business partner has caused a breach, compared with 17% who say they were breached through a larger partner.
The study showed a respectable degree of confidence among large companies in their smaller partners. More than half (57%) say they are “confident” and 37% “very confident” in the cybersecurity measures employed by those partners.
What the (ISC)² study shows is that the size of a third party is less important than its cybersecurity hygiene. For IT providers, getting hacked is especially embarrassing because their customers expect them to have their cyber backs. It’s also dangerous to the business because some customers may choose to leave them, reasoning that if providers can’t protect themselves, how can they protect clients?
The bottom line is that cybercriminals are always looking for their next target. Being able to breach a company that can serve as a conduit to dozens or hundreds of other organizations is especially attractive to them. And this makes vetting partnerships for cybersecurity hygiene a critical requirement for any company.