'Spear-Phishing'

“An increasing number of hackers have turned professional. Some who once attacked IT systems for the intellectual challenge and to match wits with (or to aggravate) others in their field have discovered strong financial rewards in online crime.”

That’s one of the conclusions of a report issued yesterday by Deloitte. And a timely conclusion it is. An alarming new investigative report by The Christian Science Monitor indicates that the IT systems of three major oil companies have been hijacked by spyware that has enabled hackers to steal valuable competitive data.

According to the Monitor’s scoop, the companies -- Marathon Oil, ExxonMobil, and ConocoPhillips – “didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them.”

The attackers apparently used a “spear-phishing” technique in which a fake e-mail is sent to specific executives in order to trick them into clicking on a link and downloading the malware that then spreads through their system and lays low until called on.

“You can’t get rid of this attacker very easily,” one source told the Monitor. “It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.”

China is being blamed again, but the responsible party, to a large extent, should be immaterial to policy-makers. If you leave a pot of gold unprotected, somebody will try to steal it, and their nationality is irrelevant. The larger question is whether oil companies, which control a valuable resource, and others responsible for key infrastructure are doing what they need to do. And, if not, what should be done about it.

“Today’s cyber criminals are increasingly adept at gaining undetected access and maintaining a persistent, low-profile, long-term presence in IT environments,” the Deloitte report says. “Meanwhile, many organizations may be leaving themselves vulnerable to cyber crime based on a false sense of security, perhaps even complacency.” -- TL