The Journal The Authority on Global Business in Japan

It may not have been very sophisticated, and the three young perpetrators were quickly identified and arrested, but the hacking of 45 Twitter accounts belonging to politicians, celebrities and technology moguls on July 15 has left security expert John Kirch “shaken.”

One week later, Naver, South Korea’s largest internet portal, confirmed that it was moving its overseas backup data center from Hong Kong to Singapore, due to concerns that Chinese authorities could use the far-reaching new legislation to access user information.

Kirch, a senior executive at technology security developer Uppsala Security, told The ACCJ Journal that if two teenagers and a 22-year-old can defeat the safety protocols of one of the world’s largest and most influential social media platforms, then something is amiss.

“It looks as if the damage was limited, and they were able to quickly find the hackers, but the implications of what might have happened are staggering,” he said.

According to media reports, two hackers from Florida and a teenager from Great Britain used spear-phishing techniques to convince Twitter employees to provide sensitive information, such as passwords, that enabled them to access the personal accounts of Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Kanye West, and others.

The hackers sent tweets from the compromised accounts stating that anyone who transferred cryptocurrency to a specific Bitcoin wallet would receive double in return.

Authorities believe the three men had obtained about $110,000 before they were traced and arrested.

“Twitter got very lucky,” said Kirch. “What would have happened if it had not been a couple of kids looking to make a quick buck, but was something far more dangerous? This could have been someone from abroad who got access to Joe Biden’s account, stayed dormant for weeks or months, observing and collecting information, and then acted just before the US election. The damage to the United States, and globally, could have been tremendous,” he said.

“Unfortunately, Twitter has something of a history of being hacked. It happened in August 2019, when the account of their chief executive officer, Jack Dorsey, was hacked. And, before that, in 2010, then-President-elect Obama was hit,” he added.

And if it can happen to a high-profile, media-savvy organization that should have all the security safeguards in place, Kirch cautions, it can happen to any company.

According to industry statistics, global security breaches have increased by 11 percent since 2018, and an even more alarming 67 percent since 2014. Hackers attack every 39 seconds, for an average of 2,244 incidents each day. Their weapons include malware, denial-of-service attacks, phishing, malicious code, ransomware, and botnets.

Fully 43 percent of the breach victims were small businesses, with companies in the financial and manufacturing sectors found to have the largest number of exposed sensitive files. In the healthcare industry alone, losses in 2019 were estimated at $25 billion, while supply chain attacks were up 78 percent year over year. In Japan, the cost of cybercrime has increased by 30 percent since 2018.

According to Kirch, there are three broad categories of hackers, although there may be some crossover between them:

  • Organized criminals
  • Hacktivists
  • State-sponsored hackers

Organized criminals are usually just looking to make money, often by selling data or revealing corporate secrets. About 71 percent of all breaches are financially motivated.

Ideologically driven hacktivists are motivated by political, social, environmental, or other such reasons and set out to disrupt the operations of their targets—although they are also often open to the idea of making some money out of their work, Kirch said.

State-sponsored hackers are trying to access company databases for research or other sensitive information that could help their industries, or they want to access political, economic, or military data.

Jenifer Rogers, general counsel for Asia at Asurion and a vice president of the American Chamber of Commerce in Japan (ACCJ), said the WannaCry ransomware attack of May 2017 came as a shock to many companies that had previously not paid adequate attention to their cybersecurity.

“There is no question that we are seeing more incidents today, and this is now one of the main issues that keeps CEOs up at night, simply because there are just so many ways that a company or organization can be attacked,” she said.

The only solution is to implement as many defenses as possible.

“It can be as simple as ensuring that firewalls are in place, employees are trained—and trained again—so they can recognize a threat, that passwords are changed, operating systems are updated, and security software is regularly updated and enhanced,” added Rogers, who also serves on a few Japanese company boards as a non-executive director.

“Companies need to identify their vulnerabilities. And, because the techniques used by the hackers are constantly evolving and becoming more sophisticated, a company has to do the same to keep their security up to date.

“We live in an increasingly interconnected world, and we’re going into 5G now, so we have to be aware that one hack could bring the whole thing down.”

She also believes that the threat has only intensified since the start of the coronavirus pandemic, with companies being forced to make hasty decisions to better protect their employees’ health, such as suddenly asking all employees to work remotely.

At the same time, the accompanying economic downturn has put a financial strain on companies, so funds that were to have been invested in cybersecurity may not be invested, or the investment will be postponed, as the situation has forced executives to use their funds for immediate business and operational needs instead of the increasing IT security needs of their business.

“We are in a very challenging environment now, and I think that a lot of Japanese companies were not prepared for something like this and being required to tell their staff to work remotely,” she said. “A lot of companies had not invested in the infrastructure or tested for this sudden shift and dependence on remote working, and were not aware of the new vulnerabilities that would be introduced by people needing to access company data from their homes.

“It was a scramble at the outset, and I still don’t think that many have adequate precautions in place, especially smaller companies,” Rogers said.

Phishing attacks have a greater chance of success when staff work remotely.

Many experts believe that it is virtually impossible to prevent malware attacks.

“Cybercriminals, more than ever, are targeting the human layer, which is recognized as the weakest link in cyber defense,” said Shuichi Izumo, executive officer and director of global policy and government affairs for Cisco Systems G.K. “This requires organizations to prepare individuals on how to deal with attacks and prevent them.”

And while the National Center of Incident Readiness and Strategy for Cybersecurity has been set up by the Japanese government to help with companies’ concerns, many are reluctant to report incidents as they fear that further information will be released, or that confirmation of an attack will damage public confidence in their products or services.

Izumo shares concerns that the coronavirus has opened up new loopholes that hackers will be quick to exploit.

“More companies are using the internet for work because of the pandemic,” he said. “This is something that the Japanese government has been attempting to do, either by hosting online meetings or digitizing government infrastructure. But a greater reliance on the internet—no matter how secure the platform—means greater potential access for hackers.”

Another consequence of the pandemic has been hackers switching their attention to biomedical and pharmaceutical companies—particularly those that have announced progress in the search for a coronavirus vaccine. Japan’s Ministry of Health, Labour and Welfare has called on drug developers to increase security measures to frustrate efforts to steal vaccine information. Recommendations include periodic virus scans, educating staff, and increasing the strength of passwords on their platforms.

The potential impact on the healthcare sector was previously brought home to John Carlson, chair of the ACCJ’s Healthcare Committee, in the 2017 ransomware attack on MSD KK, a subsidiary of New Jersey-based pharmaceuticals giant Merck & Co Inc.

“It had a profound impact on the day-to-day operations of the company, and the attack halted the work of thousands of employees globally,” he said. “From commercial to research and development teams, for an extended period of time, it was not possible for employees to use or access their email.”

Cybersecurity is of the utmost importance in the healthcare field due to the need to protect patient privacy, as well as the integrity of the data stored by a company, Carlson said. The implications of an unauthorized person accessing an individual patient’s data and altering something as fundamental as their blood type or any allergies are potentially catastrophic.

In addition, healthcare companies are presently at the forefront of the global effort to devise treatments for Covid-19, so they hold large amounts of critical data on ongoing clinical trials and developments, as well as similar research in other areas. Having that data compromised and leaked would have an impact on a company’s stock price and reputation.

Increasingly, companies in the healthcare sector are running regular scans of their systems, something that might previously have been more infrequent. Many are also conducting unannounced tests of staff to determine whether they access or download suspicious attachments, or click on links, that could be part of phishing attacks. The aim, Carlson said, is to educate employees about what to look for and to report it so that the integrity of the system can be maintained.

According to Izumo, major companies are now offering rewards for hackers who are able to detect bugs or identify flaws in their security. Last year, HackerOne, a website where such cybersecurity challenges are presented, saw companies pay out ¥4.2 billion ($40 million) in rewards. Similarly, a growing number of Japanese companies are cooperating with so-called “white hat” or ethical hackers to detect software malfunctions, a practice referred to in the industry as “offensive security.”

Yet Izumo warns that other areas—including the financial, technological and public sectors—will inevitably face an uptick in targeted attacks in the near future due to the amount of money they have at their disposal and their increased vulnerability from the shift to teleworking.

In April, Ari Davies from Deloitte Tohmatsu Cyber LLC produced a webinar on the security implications of company personnel working from home during the pandemic and stated that there is limited precedent to determine precisely how a planet-wide medical crisis will affect companies on a global scale.

In the webinar, Deloitte mentioned several coronavirus-specific themes that have been used in recent cyberattacks, and said that those attacks could have a higher likelihood of success if staff who are working remotely do not have immediate access to their in-house information technology security teams or their team members for a peer review of suspicious email content.

Among many others, Deloitte offered a selection of risk-mitigation measures that should be implemented. These include ensuring that all corporate business applications are accessible only via encrypted communications channels, introducing multifactor authentication mechanisms, and preventing remote systems from being directly connected to the internet.

Other preventative measures included having employees use corporate rather than personal computers whenever possible. Also, users should be particularly careful with emails containing references to coronavirus themes, while antivirus and anti-malware tools must be installed and fully updated.

The warnings are extremely timely. Japanese media reported on August 25 that at least 38 companies have had authentication information stolen by hackers in June and July.

US-based Pulse Secure LLC said that companies including Hitachi Chemical Co., Ltd. and Sumitomo Forestry Co., Ltd. have been the target of attacks and that about 900 items of authentication data that can be used to access VPN servers had been stolen and leaked online.

Kirch concedes that hackers’ capabilities are getting better and that “deepfakes”—falsified video or audio content that seems real—are an emerging cause for concern, yet he is confident that “the good guys will eventually win the cybersecurity arms race.”

“Knowledge is power, and a better approach would be to incentivize the bad actors to work as a team and outsmart the remaining hackers and scammers,” he said. “We need to educate people, to get rid of complacency, and keep reminding organizations that they need to close their security vulnerabilities. If that is done, then yes, the good guys will win.”

Julian Ryall is Japan correspondent for The Daily Telegraph.