How cybercriminals infiltrate organisations

We hear all the time about cyber-attacks and hackers infiltrating institutions and businesses. But what exactly does this mean? How do cybercriminals actually get into a company? In this article, we describe some typical routes.
 

Motivation

Cyber security is on everyone's lips these days, and headlines about criminal hackers breaking into organisations appear regularly. A quick glance at the figures reveals the scale of the threat:
  • 3 out of 5 companies in Germany were victims of a cyber attack at least once in 2023
  • Average damage of 4.5 million euros per incident
  • Total damage of 206 billion euros to German companies related to theft, industrial espionage, and sabotage (2023)
  • 3+ months to return to normal operations
  • 52% of companies feel threatened in their existence by cyber attacks
  • Approximately 20% of companies are on the brink of insolvency after a successful attack
The fact that organisations are exposed to attacks on their IT environment is nothing new. However, increasing digitisation and the networking of a wide range of devices and systems have made IT landscapes far more complex. Where office and production networks were once separate, many new technical possibilities have emerged:
  • Increasing use of cloud services
  • Data exchange via various supplier or customer portals
  • Internet-exposed microservices and APIs for smart products and sensors
  • Networking of OT infrastructures

The challenge is to establish and maintain a consistent level of security across this landscape, because the attack surface has grown significantly with the number of connected devices.
 

Attackers from the Internet: Digital Reconnaissance

Attackers can be anywhere in the world and attack a company over the Internet. To do so, they first explore the organisation's Internet-facing presence. Possible entry points are systems that receive and process data from external sources. These include:
  • Websites and company portals
  • Cloud environments
  • Perimeter systems (e.g., firewalls, VPN gateways)
  • Workplace systems and employee mobile phones (e.g., via phishing)
Attackers can draw on various publicly available data sources to prepare an attack. One particularly relevant example is Shodan, a search engine that continuously scans the Internet for reachable servers, records which network services each one exposes and stores the results, including screenshots, in a database. Its extensive search function allows attackers to look for specific kinds of system, for example:
  • Publicly accessible cameras to gain insights into sensitive company areas, such as office spaces, warehouses, and production halls
  • RDP services used for remote access to desktop systems, where information about logged-in users and accounts may become visible
  • The organisation's own applications, such as administrative software, control programs, and hospital information systems

It takes little effort to gather this valuable information, which can then be used to prepare targeted attacks such as phishing. In the worst case, criminals find an exposed system that gives them direct access to the organisation's network.
 

Attackers on Site: Physical Reconnaissance

Attackers are not limited to scouting organisations via the Internet. They may also look for vulnerabilities on the premises. The site itself represents a significant attack surface, both inside and outside the building:
  • Wireless networks (e.g., Wi-Fi, Bluetooth) are often reachable from outside the building and can therefore be attacked unnoticed from the outside.
  • IoT networks (e.g., LoRaWAN, ZigBee) may have vulnerabilities that attackers can exploit.
  • Unsecured network interfaces in (semi-)public areas (e.g., lobby, cafeteria, parking garage, conference room) give attackers the opportunity to gain unnoticed access.
  • Unsecured building entrances and security areas can facilitate physical intrusion by cyber criminals into the company.
  • Unlocked workplace systems are an invitation for attackers to compromise internal data and systems.
 

Internal Attack: The Threat from Within

Attackers can penetrate the internal network in a number of ways, whether via the Internet or by overcoming local security measures. Beyond these external attacks, however, the internal attack surface cannot be ignored.

Internal attacks can come from a variety of (malicious) actors, including disgruntled employees who deliberately seek to damage the company or steal confidential information. In addition, employees who open phishing emails can inadvertently expose the organisation to security risks. Phishing attacks are particularly effective at gaining employees' trust and, through it, access to sensitive information. In many cases, this results in employee accounts being compromised. When this happens, cybercriminals can operate with all of the compromised employee's privileges, which can have serious implications for data security.