Fancy Bears Hackers Choose White Whale Over School Of Tuna

For the second time this week, a group of Russian hackers called “Fancy Bears” posted healthcare data belonging to Olympic athletes that was stolen from the World Anti-Doping Agency (WADA). To date, the group has exposed information about 29 people who participated in the Rio games. The hackers accessed records detailing “Therapeutic Use Exemptions”, which allow athletes to use otherwise-banned substances for verified medical needs.
Olympians Serena Williams and Simone Biles were among the athletes whose records were shared online. Fancy Bears accused Simone of taking an “illicit psycho-stimulant”. In reality she’s taking prescribed and approved medication for ADHD (as she tweeted). The Russian government has firmly denied any involvement with the Fancy Bears hackers and the breach. [insert eye roll]
Shooting a Spear at a Single Target vs. Casting a Wide Net
WADA believes Fancy Bears used a spearphishing attack to steal the information. A spearphishing attack is far more targeted than a phishing attack, and far harder to defend against.
A hacker launching a phishing attack casts a wide net, blasting an email to hundreds or thousands of people at a time. The high volume of recipients increases the chance that at least one person clicks a malicious link or attachment that infects their machine.
Spearphishing targets a single individual or small team with an email tailored to what interests them. This kind of attack is also called “whaling” when the targeted person has a lot at stake financially because of their high net worth.
Oftentimes the goal is to get past an employee at an organization that holds data of particular interest to hackers. Hackers also target small teams with common interests, like HR or finance, crafting impossible-to-resist subject lines and attachment names. It’s possible that a simple search for WADA employees on Facebook revealed information on favorite sports teams and pastimes. Social media meets social engineering.
You are Wasting Money on Security if You Aren’t Training Employees
This story is a bit personal to me. I used to work for a well-known security company that suffered through a nation-state sponsored spearphishing attack. All the data security technology in the world isn’t going to help when employees click on email attachments without pausing to consider their validity. If you see an email attachment with an unfamiliar file extension, just don’t click on it.
I strongly advise all IT team leaders to create mandatory training modules for employees, including testing and verification to make sure the information has settled in. Proper training helps employees stay educated, cautious, and vigilant while online. It also needs to be supported and enforced by HR and senior management.
It’s not all that difficult to determine if an email presents potential risk. But if no one is pointing out the telltale signs to employees, the blame shouldn’t simply fall upon the hackers who broke in.
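The telltale signs mentioned above (an unfamiliar or doubled attachment extension, a Reply-To that points somewhere other than the apparent sender, a display name that claims one domain while the address sits at another, pressure language in the subject) can be checked mechanically before a message ever reaches an inbox or a training exercise. The following is an added example written for this post, not code from the original article or from WADA; the extension allowlist, the "dangerous" extension list, the example-corp domains and the sample message are all constructed assumptions for illustration, using only Python's standard library.

```python
"""Added example (not from the original post): a minimal e-mail triage check
for the telltale signs of a spearphishing attempt. The policy lists and the
sample message below are constructed assumptions, not data from the article."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed organisational policy: extensions employees routinely receive.
SAFE_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "txt", "png", "jpg", "csv"}
# Assumed list of extensions that run code when opened on a workstation.
DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "lnk", "jar"}
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|action required)\b", re.I)


def check_attachment_name(filename):
    """Return a list of warning strings for one attachment filename."""
    warnings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        warnings.append("attachment has no extension")
        return warnings
    ext = parts[-1]
    if ext in DANGEROUS_EXTENSIONS:
        warnings.append(f"executable-type attachment: .{ext}")
    elif ext not in SAFE_EXTENSIONS:
        warnings.append(f"unfamiliar attachment extension: .{ext}")
    # "roster.pdf.exe"-style names: a familiar extension hiding the real one.
    if len(parts) >= 3 and parts[-2] in SAFE_EXTENSIONS:
        warnings.append("double extension disguises the real file type")
    return warnings


def domain_of(text):
    """Extract the domain part of the first e-mail address in text ('' if none)."""
    match = re.search(r"@([\w.-]+)", text or "")
    return match.group(1).lower() if match else ""


def triage(raw_message):
    """Parse an RFC 5322 message and return (warning_count, warnings)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    from_hdr = str(msg.get("From", ""))
    from_domain = domain_of(from_hdr)
    # Replies silently redirected to a different domain.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Display name that looks like an address at a domain other than the real one.
    claimed = domain_of(from_hdr.split("<")[0])
    if claimed and claimed != from_domain:
        warnings.append(f"display name claims {claimed} but address is at {from_domain}")
    for part in msg.iter_attachments():
        warnings.extend(check_attachment_name(part.get_filename() or ""))
    if PRESSURE_WORDS.search(str(msg.get("Subject", ""))):
        warnings.append("pressure language in subject")
    return len(warnings), warnings


def build_sample(suspicious=True):
    """Constructed sample message (not a real captured e-mail)."""
    m = EmailMessage()
    m["To"] = "analyst@example-corp.com"
    if suspicious:
        m["From"] = "HR Team <hr@example-corp.com>"
        m["Reply-To"] = "hr@example-corp-mail.net"
        m["Subject"] = "URGENT: updated team roster, review immediately"
        m.set_content("Please review the attached roster before the deadline.")
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="roster.pdf.exe")
    else:
        m["From"] = "Bob <bob@example-corp.com>"
        m["Subject"] = "Lunch menu for Friday"
        m.set_content("Menu attached.")
        m.add_attachment(b"%PDF-1.4", maintype="application",
                         subtype="pdf", filename="menu.pdf")
    return m.as_string()


if __name__ == "__main__":
    for flag in (True, False):
        count, found = triage(build_sample(suspicious=flag))
        print(f"suspicious={flag}: {count} warning(s)")
        for w in found:
            print("  -", w)
```

The suspicious sample trips four checks (redirected Reply-To, an executable hidden behind a `.pdf` double extension counted twice, and pressure language in the subject) while the benign one trips none. The point is not that this replaces a mail gateway, but that the same signs employees are trained to look for can be written down as rules and used to build realistic training exercises or a first-pass filter.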