Robert M Lee, the chief executive of cyber security company Dragos, received an ominous message earlier this year. An organised criminal hacking group had broken into Dragos’s employee email account, telling Lee they would release the company’s data unless a ransom were paid.
He refused to negotiate, so the hackers raised the stakes. They found his son’s passport online, school and telephone number. Lee said the message was clear: pay up, or your family is in danger.
“When you start talking about the life and safety of your kid, things take a different spin,” said Lee, a veteran of the US military and the National Security Agency.
A number of western cyber security professionals told the Financial Times that online threats had increasingly turned real in recent times. Computer engineers called in by companies to thwart hacking groups are themselves becoming targets.
The criminal group that threatened Lee, which he declined to name, was known to resort to “swatting” — a practice in which someone maliciously calls the local authorities pretending to be the victim of an armed attack, prompting a police SWAT team to be sent to a target’s home.
“Basically, they’re trying to get someone killed,” said Lee, who was told by local police that their best option in that situation was to lie down on the floor.
The threats are broad and often inventive. One Ukrainian hacker mailed a gram of heroin to the home of Brian Krebs, a journalist turned cyber security analyst. They followed up by having a florist deliver a giant bouquet in the shape of a cross to Krebs’s home.
Some hacking victims have been told to send money to the bank accounts of cyber security professionals in an effort to frame them. A North Korean hacking group pretended to be security researchers on LinkedIn, with prospective contacts then sent malware hidden in an encryption key.
“We’re an organisation that calls out threat actors all the time, and so we have to think about our own security from a company perspective, from an individual perspective, from a physical perspective,” said Charles Carmakal, the chief technology officer for Mandiant Consulting, which is called in to investigate major breaches, including recently at the State Department and other US agencies.
“There are certain countries that I will not visit, particularly because I’ve been very vocal about offensive operations from those countries,” he said. “I am outing a lot of very expensive intrusion operations. So I’m very careful and mindful about that perspective of: ‘are we going to become a victim?’”
The ability of criminals based in eastern Europe, China or North Korea to target security professionals based in western Europe or the US highlights the transnational nature of an industry that has grown to reap billions of dollars from its victims.
Carmakal notes that these threats often come from criminals rather than from governments, which tend to conduct espionage or disinformation campaigns and are trained to move on to the next operation when one is thwarted.
“These are young folks, teenagers, folks in their twenties that aren’t employees of companies that are tasked with hacking, nor are they members of military or intelligence organisations,” he said. “It’s a bunch of folks with no rules of engagement. They have an unlimited amount of free time. They really push the envelope. They bring a lot of pain to individuals and make it feel very real.”
For professionals outside the US, the issue has felt even more real. One researcher, based in eastern Europe, and who declined to be named, described coming home to find his home expertly rifled through by “well-trained, discreet and extremely professional” men, who disabled his home security, but missed a new nanny-cam that his wife had placed in a living room.
Weeks before, he had identified a Russian government agency responsible for an espionage operation against a Nato government’s email systems. Following the search, his bank account was hacked, his company’s tax documents were doctored and released on the dark web, and his family photographs were traded as trophies on hacker networks.
Another researcher, based in a different eastern European country, said he was followed on a skiing trip, received threatening phone calls and had to placate his wife after she was sent doctored pictures of him with a female employee. “This is textbook harassment and extortion,” he said.
Cyber security analysts said they tried not to provoke or mock the hackers they identified, keeping their reports focused on the technical nature of the breaches.
Others, like Rafe Pilling, who does threat research at SecureWorks, said they protected junior employees by making themselves the face of the organisation.
“The first half of my career I kept a lower profile. Now, I act as a front person for the team’s research, so others aren’t in the spotlight as much,” he said.
But some analysts have warned that the situation is exacerbated by the deep involvement of western companies in the cyber security of Ukraine, a country that has faced the most sustained and sophisticated cyber attacks ever recorded.
“It’s going to get worse,” said the researcher whose home was searched. “Someone is going to get killed.”