by Ian Heritage
Legendary UK band Radiohead is not technically a corporate entity. But it generates enough revenue to be considered one, with individual band members now worth tens of millions of pounds. Why should this matter? This week it was hit by an online extortion attack lifted straight from the corporate world — something Trend Micro has been warning organisations about for some time.
It should serve as another reminder that cyber-related risk may not just equate to stolen customer data or service interruptions. It could mean sensitive IP sold to the highest bidder, or used as a premise for extortion.
Earlier this week the band revealed that its lead singer, Thom Yorke, had been ‘hacked’ and that an archive of around 18 hours of MiniDisc recordings, presumably hosted online, had been stolen. The hacker then tried to extort money from the band, $150,000 to be exact, in order not to release the recordings, which were made during the sessions of seminal 1997 album OK Computer. The cyber-criminal had made a calculation that the recordings were too valuable, or embarrassing, for the band to allow them to be made public. In the end, Radiohead not only refused to pay — as all online extortion victims should — but also turned the tables and decided to release the recordings themselves, with proceeds going to an environmental cause.
The incident highlights a growing trend among cyber-criminals looking to monetise theft of IP or other sensitive data. In the past, we’ve seen hackers hold TV networks hostage after stealing Game of Thrones scripts, for example. Another popular tactic is to target MongoDB databases that have been left exposed online, download the data therein, delete the database and leave a ransom note.
Trend Micro has been warning about such threats for several years. To an extent, they’re nothing new: extortion attempts using denial of service to force victims to pay up have been around since the early 2000s. But there’s a much bigger threat today, thanks to the advent of anonymous digital currencies, digitisation of IP and customers’ personal information on a massive scale, and dark web sites which have democratised the tools and knowledge needed to launch attacks. As GDPR fines begin in earnest, we could also see extorters breaching organisations with a proposition: “pay us off or we’ll tell the regulators.”
CISOs must therefore factor into their risk plans that breached data may not just be sold on the dark web; it could also be used as leverage in an attempt to blackmail the firm or individuals working there. The breach at infidelity site Ashley Madison showed the potential impact of threats involving the latter.
Raising the stakes
The question therefore becomes: how can I insulate my organisation as effectively as possible from extortion attempts? The good news is that it doesn’t require a fundamentally different approach to cybersecurity. Managing risk effectively means putting in place best practice security, from privileged account management and multi-factor authentication to network monitoring, automated patch management and incident response. This will help defend your organisation against all but the most determined of targeted attackers — whether they’re after your data or looking to disrupt and extort via ransomware.
Most important to remember is that there’s no silver bullet when it comes to managing cyber risk. Along with best practices of the sort mentioned above, CISOs need a cross-generational blend of threat defence tools optimised so the right technique is applied depending on the threat. Managed detection and response from a third-party provider can also help organisations improve proactive threat hunting to get back on the front foot. With online extortion increasingly popular, the stakes couldn’t be higher.