Robert M Lee, the CEO of cyber security company Dragos, recently received a disturbing message. A criminal hacking group had infiltrated Dragos’s employee email account and threatened to release the company’s data unless a ransom was paid. But Lee refused to negotiate, prompting the hackers to escalate the situation. They managed to find personal information about Lee’s son, including his passport, school, and telephone number. The message was clear: pay up or your family is in danger.
According to several cyber security professionals, online threats have become increasingly real in recent times. These professionals are often called in by companies to combat hacking groups, but they themselves have become targets. In Lee’s case, the criminal group that threatened him was known for resorting to “swatting” – a dangerous practice where someone falsely reports an armed attack, leading to a SWAT team being sent to the target’s home. Lee was advised by local police to lie down on the floor for his own safety.
The threats faced by cyber security professionals are diverse and often inventive. For example, one Ukrainian hacker sent a gram of heroin to the home of Brian Krebs, a journalist turned cyber security analyst. They followed this up by sending a giant bouquet in the shape of a cross to Krebs’s home. Some victims of hacking have even been instructed to send money to the bank accounts of cyber security professionals in an attempt to frame them. In another instance, a North Korean hacking group posed as security researchers on LinkedIn and sent malware hidden in an encryption key to their contacts.
Charles Carmakal, the CTO for Mandiant Consulting, which investigates major breaches, including recent ones at the State Department and other US agencies, emphasized the need for cyber security professionals to prioritize their own safety. As an organization that frequently exposes threat actors, Mandiant must consider its own security from various angles – company, individual, and physical. Carmakal personally avoids visiting certain countries due to his outspokenness about offensive operations from those nations.
The ability of criminals from eastern Europe, China, or North Korea to target security professionals in western countries highlights the transnational nature of the cyber security industry. Carmakal noted that these threats often come from criminals rather than governments, as the latter tend to focus on espionage or disinformation campaigns. The individuals behind these attacks are often young and lack any rules of engagement. They have unlimited free time and are relentless in their pursuit of causing harm.
For professionals outside the US, the threats feel even more tangible. One researcher, who wished to remain anonymous, described returning home to find his house expertly searched by “well-trained, discreet, and extremely professional” men. They disabled his home security system but missed a nanny-cam that his wife had placed in the living room. Prior to this incident, he had identified a Russian government agency responsible for an espionage operation against a Nato government’s email systems. Following the search, his bank account was hacked, his company’s tax documents were altered and released on the dark web, and his family photographs were traded as trophies among hacker networks.
Another researcher from a different eastern European country shared a similar experience. He was followed on a skiing trip, received threatening phone calls, and had to reassure his wife after she received doctored pictures of him with a female employee. He described these incidents as textbook harassment and extortion.
Cyber security analysts try to avoid provoking or mocking the hackers they identify, focusing their reports on the technical aspects of the breaches. Some analysts, like Rafe Pilling from SecureWorks, protect junior employees by acting as the face of the organization. However, some experts warn that the situation is worsened by the deep involvement of western companies in Ukraine’s cyber security. Ukraine has faced relentless and sophisticated cyber attacks, leading some to fear that someone may eventually lose their life.
In conclusion, the line between online threats and real-life danger has blurred for cyber security professionals. They face a range of threats, from personal intimidation to physical harm. As the cyber security industry continues to grow, it is crucial for professionals to prioritize their own safety while combating cybercrime.