It has been reported today that the World Anti-Doping Agency (WADA) has been hacked by a group of Russian hackers called "Fancy Bears," which leaked the confidential medical files of several high-profile US Olympic athletes.
The athletes affected - reportedly as the result of a spearphishing attack - include tennis star Serena Williams and quadruple gold medallist Simone Biles. In light of the news, various industry professionals have offered their reaction and analysis.
David Kennerley, Director of Threat Research at Webroot:
"This attack demonstrates that the humble phishing scam continues to thrive as one of the most effective attack vectors, and is yet another example of the need for strong and continuous communication between organisations and their employees.
"User education should never be underestimated – it's arguably the most cost-effective approach to improving the security posture of any organisation. Employees and users of an enterprise's IT systems must be educated on the risks associated with phishing, with regular training and testing essential to ensure robust security.
"Fundamentally, organisations must realise that cybercriminals only need to find one hole in the defences to do serious damage, whereas security professionals have to secure against all eventualities, including phishing."
Luke Brown, VP and GM EMEA, India & LatAm at Digital Guardian:
"For hackers, it's often the simplest method of attack that becomes the most successful. This is why spear phishing emails targeting employees continue to be one of the most common techniques used by attackers to infect systems and gain access to networks and sensitive data. Spotting cyber security incidents arising from within a company can be particularly tricky because the perpetrator may have a legitimate way to access the data.
"Threat actors target both the public and private sectors, and everyone, even a global sporting regulator, can be vulnerable to this style of attack. To safeguard against spear-phishing, employees should be cautious of clicking embedded URLs or opening attachments in email. For more advanced attacks, businesses should look to deploy software that can warn users when a program attempts to download a file from the Internet or write a file to disk. This will help organisations prevent such activities from happening in the background without users being aware. Prompts can also help train users to recognise and report attacks in progress."
John Madelin, CEO at RelianceACSN:
"This Fancy Bear hack is a classic example of a well-executed spear phishing campaign used to dupe users into handing over their login details. It's the latest in a long line of successful breaches carried out this year alone. But despite this, the industry refuses to recognise it is fundamentally broken. It's simple economics: it costs far less for a hacker to breach companies' walls than the worth of the data they're targeting.
"Sensitive information like that held by WADA is part of the organisation’s critical data, and therefore needs to be completely secure. Key lessons to be taken away from this breach are that organisations need to educate employees and users on best practices to help prevent attacks like this in the future, and make the cost of breaching an organisation’s defences more than the data is worth to would-be hackers."
Wieland Alge, VP & GM EMEA at Barracuda Networks:
"In today's digital age, data breaches that result from targeted email phishing have become increasingly common. Incidents like the WADA hack highlight that anyone within the business can fall foul of a well-written and researched phishing scam. The most successful phishing attacks are those that impersonate a person, particularly if the recipient knows, or is expecting to hear from, that person, so initially those that have been targeted don't even realise they've fallen victim.
"Spear phishing attacks are not particularly technical. For example, attackers often make subtle changes to the email address they use to send the spam from. This might include a spelling mistake or adding an extra character. Most people are trying to get things done quickly, so it really isn't difficult to trick them. What's clear is that the digital transformation of crime is running ahead of the digital transformation of most businesses. Because of this, many companies are vulnerable to a type of attack that uses not only technology but a well-trained team of people.
"It turns out that one of the most effective defences is a very transparent and open company culture. Every department must be able to communicate, preferably over the phone, with key stakeholders directly. This is quite a routine practice in young and fast-moving companies, but becomes much less common in larger businesses.
"It goes without saying that properly configured and maintained email security systems also play a big part in preventing these kinds of attacks."
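The lookalike sender addresses Alge describes (a misspelled domain or one with an extra character) can be caught on the receiving side by comparing the sender's domain against the domains an organisation actually deals with, using edit distance. This is an added Python example, not code from the article or from any vendor quoted in it; the trusted-domain list and the sample From: headers are constructed for the demo.

```python
"""Flag From: headers whose domain is one edit away from a trusted domain.

Added example for the lookalike-address trick described above. The trusted
domains and sample headers below are constructed for this demo, not real data.
"""
import re

# Constructed allow-list: domains the organisation legitimately hears from.
TRUSTED_DOMAINS = {"wada-ama.org", "example-courier.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    The display name is ignored; only the part after '@' in the address counts.
    """
    match = re.search(r"<?([^<>\s]+)@([^<>\s]+)>?\s*$", from_header)
    return match.group(2).lower() if match else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Classify a sender as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not trusted but lies within max_distance
    edits of a trusted one: a single typo or one extra/missing character.
    """
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    if domain and any(edit_distance(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


def flag_lookalikes(headers):
    """Return only the headers that classify as lookalike, for review or quarantine."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


# Constructed sample headers: genuine, one-letter typo, extra character, unrelated.
SAMPLE_HEADERS = [
    "Medical Records <records@wada-ama.org>",
    "Medical Records <records@wada-ana.org>",
    "records@wadaa-ama.org",
    "Newsletter <news@example.net>",
]
```

A threshold of one edit matches the single-typo and extra-character cases in the quote; multi-character swaps such as "rn" for "m" need a larger threshold or a homoglyph table, at the cost of more false positives.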
Jonathan Martin, Anomali EMEA Operations Director:
"It's unfortunate, but spearphishing attacks are effective and criminals are seeing an above-average number of click-throughs. This is because there are various degrees of customisation and personalisation that go into a spearphishing attack. At the sophisticated end, criminals will hand-craft messages to targeted individuals and will include code with a specific, possibly exact, purpose. Towards the less sophisticated end, criminals will craft messages that may look personalised but are sent to a large number of recipients.
"A current phishing attack is an email sent apparently from a reputable company (maybe even one that I do business with) including an infected attachment hidden in an 'outstanding invoice' or a 'delivery note' apparently from a recognised courier company informing me that I missed a delivery. These are crude attacks, but there are sufficient numbers of recipients falling for them.
"Organisations have to realise that not only will they be compromised in the future, they almost certainly already have been. So, we need to start thinking along different lines about how we deal with such breaches.
"Adding in multiple sources of threat intelligence to monitoring applications is a great place to start - this reduces the average 200+ days to identify a breach down to a much smaller number and distils malicious activity into actionable data that can help protect organisations going forward."
Image source: REUTERS/Christinne Muschi