Cyber criminals have four industries in their sights

The healthcare sector, financial service providers, manufacturing companies and software-as-a-service and software providers in particular are increasingly becoming the unwitting targets of current malware campaigns.

The rapidly increasing number of systems, applications and users is expanding the attack surface, especially in the healthcare sector. (Depositphotos, ra2studio)

Although companies of all industries and sizes are currently experiencing a sharp increase in hacker attacks, the intentions of the cybercriminals behind these incidents vary. For every target group, the illegal publication or disclosure of information causes serious disruption; such incidents hit the financial sector and healthcare hardest. The broad spectrum of attacks on IT with other intentions currently targets SaaS/software providers in particular, followed by the financial sector, manufacturing companies and the healthcare sector.

Target sector 1: Healthcare

Hospitals, health insurance companies and other healthcare institutions are increasingly relying on platform services to share and manage patient data and other important information. Rationalization pressures and an accelerated digital transformation in the context of the pandemic or initiatives such as electronic patient records are increasing the urge to digitize processes from data exchange to appointment scheduling or even sick notes. In addition, the number of endpoints is growing, for example in the cloud or through the Internet of Things.

The rapidly increasing number of systems, applications and users is expanding the attack surface. A single attack on an IT service provider such as Bitmarck is enough to have a massive impact on a hospital's operations. Hospitals are also lucrative targets for extortion attacks, as they cannot tolerate downtime or data loss without endangering patients' health or even their lives. Legislators are also tightening or expanding their compliance initiatives. Medical device manufacturers, for example, are now also affected by the new NIS 2 requirements. The grace periods for complying with the GDPR are long gone: in 2022 the Hamburg Data Protection Commissioner imposed a fine of 105,000 euros for repeatedly sending incorrect doctor's letters and for the lack of a logging function for access to patient data.

Target sector 2: Financial service providers

Today's digitized bank customer is the risk factor that is transforming all of e-banking: they expect banking transactions on a smartphone to be as simple as ordering from Amazon, while at the same time offering the security of a bank vault or the confidentiality of a personal conversation in a branch. The target is either the banks themselves or, to the same extent, specialized service providers such as the account-switching partner of Deutsche Bank, Postbank or ING, or the savings bank subsidiary Deutsche Leasing. Attackers adapt general, cross-industry methods such as ransomware or BEC (Business Email Compromise) to the targeted credit institution: cyber criminals pose as managers or other high-ranking individuals in order to trick employees into transferring funds or disclosing confidential information.

Providers of financial services are therefore also under a wide range of regulatory pressure: in addition to banking secrecy and anti-money laundering law, the PCI DSS standard for credit cards and traditional industry standards, the Digital Operational Resilience Act (DORA), which has been in force for financial companies and their IT service providers since January, also requires the monitoring of anomalous behavior. This requires visibility of systems, processes and data traffic throughout the IT infrastructure, beyond the traditional endpoint.

Target sector 3: Manufacturing companies

Digitalized, automated and increasingly cloud-based systems and processes in production and the supply chain are expanding the attack surface. The manufacturing industry is an important target for state-sponsored cyber spies who want to disrupt critical infrastructures and steal intellectual property. Rheinmetall successfully fended off a suspected Russian attack. Economic interests were the driving force behind the attack on the Bilstein Group, a supplier of automotive spare parts, one example of an automotive industry under pressure. Inadequate cyber security, vulnerable devices and incorrectly configured systems are risk factors for well-known attack scenarios, which usually begin with a phishing attack. It is therefore not surprising that, in addition to the ISO 27001 industry standard, further regulations are creating new tasks for IT. NIS 2 is becoming relevant for more and more industrial companies now that the legislator has further expanded the group of affected "important" or "essential" companies and now also includes small companies with 50 employees or more.

Target sector 4: SaaS and software

Software-as-a-service providers and software manufacturers are driving the digital transformation. As early adopters of new technologies, they are the most at risk. The inherently positive will to innovate can expose these companies to new dangers that those involved may not yet fully understand.

As the starting point for far-reaching cascading attacks, the software supply chain is an entry point with a high multiplier effect for opportunistic, initially automated attacks. After all, customers can hardly block affected products on which they depend. In the case of the attack on 3CX, the provider of the video conferencing app, in April 2023, the attackers knew that they could compromise thousands of other companies with a single attack.

The young industry with a high proportion of start-ups also suffers more frequently from a shortage of resources, a lack of cyber security specialists and tight IT budgets. Nevertheless, it still has to face up to the task of cyber security, as investors monitor the efforts of investment candidates in this area when making decisions on venture capital investments, acquisitions or takeovers.

Basic IT protection against generalist attackers

Only some hackers search for industry-specific vulnerabilities from the outset or send spear-phishing emails to carefully researched recipients. The first line of defense in every industry must therefore be state-of-the-art IT baseline protection against opportunistic attackers who automatically probe for vulnerabilities using a variety of methods.

The basis of such baseline IT protection is a comprehensive real-time view of all legitimate, but also potentially anomalous, IT processes. Security monitoring must cover the entire infrastructure, i.e. the classic IT endpoints as well as the network itself. It must also include cloud nodes and platforms, Internet-of-Things devices and, where present, OT environments.

External security experts against targeted hackers

However, every industry also requires knowledge of the current attack landscape in its own sector. In hybrid opportunistic campaigns, after an automated vulnerability analysis and initial access to the network, only the second stage of an attack is specific to the industry and the victim. As soon as attackers gain access, they scan the networks and adapt their actions to the respective industry. In healthcare and finance, for example, where sensitive data plays a crucial role, attackers focus on exfiltrating the data that will generate the most revenue or for which companies are most likely to pay a ransom. In manufacturing, on the other hand, the production environment that must run without interruption is often the prime target, and the attack is aimed at its availability: attackers can use ransomware here to block systems and cause costly production downtime.

Protection against these targeted threats requires external experts. No IT administrator can know who is currently attacking which application at a competitor, an application the administrator's own company may also be using. Small to medium-sized companies in particular often lack the skills and experts to react in time, let alone get ahead of the attackers. Only high-performance security services, such as an external SOC or a managed detection and response (MDR) service with external security analysts, make it possible to detect industry-specific threats proactively and react quickly in the event of an attack. A costly investment in additional internal IT specialists, who are often unavailable or unaffordable, is therefore not necessary. In addition, it can take months or even years to set up an internal SOC team and the corresponding infrastructure, an unacceptable timeframe given the increasing regulatory and environmental pressures. External help also includes cyber insurance, professional external legal advice and knowledge of the current industry-specific funding programs.

Author: Jörg von der Heydt, Regional Director DACH at Bitdefender
