Robert M Lee, the CEO of cyber security company Dragos, recently received a chilling message. A criminal hacking group had infiltrated Dragos’s employee network and threatened to release the company’s confidential data unless a ransom was paid. But when Lee refused to negotiate, the hackers took it a step further. They discovered personal information about Lee’s son, including his passport, school, and telephone number. The message was clear: pay up or your family is in danger.
According to several cyber security professionals, online threats have become increasingly real in recent times. These experts are often called in by companies to combat hacking groups, but now they themselves are becoming targets. The criminal group that targeted Lee was known for “swatting,” a dangerous practice where someone falsely reports an armed attack, leading to a SWAT team being sent to the victim’s home.
The threats faced by these professionals are diverse and often inventive. For example, one Ukrainian hacker sent a gram of heroin to the home of Brian Krebs, a journalist turned cyber security analyst. They even went so far as to have a florist deliver a giant bouquet in the shape of a cross to Krebs’s home. Some victims have been instructed to send money to the bank accounts of cyber security professionals in an attempt to frame them. In another case, a North Korean hacking group posed as security researchers on LinkedIn and sent malware disguised as an encryption key to potential contacts.
Charles Carmakal, the CTO for Mandiant Consulting, which investigates major breaches, including recent ones at the State Department and other US agencies, emphasized the need for security professionals to be cautious. He personally avoids visiting certain countries due to his outspokenness about offensive operations from those nations. He acknowledges that these threats often come from criminals rather than governments, as criminals are not bound by rules of engagement and can bring significant harm to individuals.
The ability of criminals based in eastern Europe, China, or North Korea to target security professionals in western countries highlights the transnational nature of the cyber security industry, which generates billions of dollars from its victims. Carmakal notes that these criminals are often young individuals with no affiliation to hacking companies or military/intelligence organizations. They operate with no rules of engagement and have an unlimited amount of free time, causing significant distress to their victims.
For professionals outside the US, the threats feel even more tangible. One researcher, who chose to remain anonymous, returned home to find his house expertly searched by “well-trained, discreet, and extremely professional” individuals who disabled his home security. However, they missed a nanny-cam his wife had placed in the living room. This incident occurred after the researcher identified a Russian government agency responsible for an espionage operation against a NATO government’s email systems. Following the search, his bank account was hacked, his company’s tax documents were altered and released on the dark web, and his family photographs were traded as trophies on hacker networks.
Another researcher from a different eastern European country shared a similar experience. He was followed on a skiing trip, received threatening phone calls, and had to reassure his wife after she received doctored pictures of him with a female colleague. This researcher described the situation as textbook harassment and extortion.
Cyber security analysts try to avoid provoking or mocking the hackers they identify, focusing their reports on the technical aspects of the breaches. Some, like Rafe Pilling from SecureWorks, protect junior employees by taking on the role of the public face of their organization.
However, some analysts warn that the situation is exacerbated by the deep involvement of western companies in Ukraine’s cyber security. Ukraine has faced relentless and sophisticated cyber attacks, and experts fear that if the situation continues to escalate, someone may lose their life.
Overall, the article highlights the growing dangers faced by cyber security professionals as online threats become increasingly real and personal.