Technology companies offer an attractive “gateway” to other orgs, Cisco researcher tells IT Brew.
Hack what you know, apparently.
According to a report from security-research team Cisco Talos, threat actors in Q2 targeted the technology sector more than any other, including healthcare, pharma, and retail. The findings, published in a July blog post, showed a 30% increase in tech-sector engagements compared to Cisco's previous quarter, a sign that attackers see the sector as one with extra payoff beyond the initial victim.
“You’re definitely seeing hackers become increasingly aware that if you attack someone who provides a service to a lot of different customers, you have a lot of follow-on opportunities,” David Liebenberg, head of strategic analysis at Cisco Talos, told IT Brew.
Organizations in the technology sector, which Talos said accounted for 24% of 2024’s second-quarter engagements, offer attractive gateways to threat actors “given their significant role in supplying and servicing a wide range of sectors,” according to the blog post.
Recent attacks have demonstrated how one compromise can unlock many:
- In June, data-cloud company Snowflake investigated cyberthreat activity targeting users. A Mandiant report at the time warned of systematic access of accounts belonging to at least 165 Snowflake customer organizations.
- A June cyberattack on automotive-tech provider CDK, used in more than 15,000 dealerships, according to its website, led to outages across North America.
“Because the world really operates on tech, if you can find a way to compromise a tech company, or get into a tech company, or modify the code of a tech company, you probably will have more capabilities than if you were to target a certain company,” Brian Jack, CISO at security-awareness and training company KnowBe4, told IT Brew. (KnowBe4 itself faced a recent infiltration attempt from a remote hire, according to a July 23 blog post from its CEO.)
“Because of the complexity in the supply chains, there’s more opportunity, right? Especially if you’re relying on small vendors that you haven’t really vetted,” Frank Teruel, CFO of bot-management company Arkose Labs, told IT Brew.
The technology organizations Cisco studied—including software companies, software-as-a-service providers, and hardware manufacturers, Liebenberg said—often support critical infrastructure, which means “they have minimal tolerance for downtime and may, therefore, be more likely to pay extortion demands,” the Talos researchers wrote.
The Talos report, generated from Cisco’s incident-response data, also noted that, for the third straight quarter, compromised credentials on valid accounts were the most observed means of access—a finding especially relevant to tech-sector attacks.
“If you’re a cloud data storage provider, for instance, and you have tons of customers’ information that you’re in charge of, and an attacker compromises you, they can get valid, legitimate credentials for all those downstream customers. And now, all of a sudden, they have a diverse set of organizations that they can target for follow-on attacks,” Liebenberg said.