We hear it all the time from the virtual stage of regional SecureWorld conferences: Cyber risk is business risk.
Here is more evidence that a view like that is accurate.
Hedge fund firm: profits way up before the cyberattack
Levitas Capital was making a killing.
The firm's key hedge fund was up 20% in 2020 thanks to economic chaos happening around the globe. Its website says the company specializes in capitalizing on volatility.
The changes from the pandemic had been good for profits.
However, the pandemic also drove record usage of Zoom around the world. And hackers took advantage of this trend to launch a silent cyberattack against Levitas Capital—one it never saw coming.
"There were so many red flags which should have been spotted," says Michael Fagan, who co-founded Levitas Capital and spoke recently to the Australian Financial Review.
Hedge fund firm cyberattack started with a Zoom invite
Phishing emails during the pandemic skyrocketed, as attackers rushed to take advantage of the newly remote workforce and the tools they required to stay connected.
And Fagan clicked on a phishing email that appeared to be a legitimate Zoom invite.
According to a report, when he clicked on the link in the bogus invite, it installed malware onto his computer. This gave attackers access to corporate email.
Attackers then used their illegal access to read up on inside information contained in these emails. And they turned their reading into profits: the hackers acted like representatives of the company and authorized millions of dollars in transfers to foreign banks accounts.
Business email compromise attack works to transfer millions
Business Email Compromise (BEC) involves exactly what the name implies: a business email is compromised or hacked into.
The hackers often use automated programs to look for key terms in emails which may reveal who can authorize large money moves, when invoices are due, or when major money might be coming in.
All of this information can help the attackers look and act like they belong because they know information that an outsider would not.
In this case, the attackers posed as someone from the firm and reached out to a third-party vendor called Apex. Apex was the fund administrator who held and distributed the money.
The hackers requested that Apex transfer $1.2 million to a specified account. At this point, a safety net kicked in for a moment:
"The fund administrator, Apex, did call Mr. Fagan to verify the transaction, but he was at the gym and said he would call back before approving any payments.
When he returned to the office he emailed Apex but received no reply or call back. The $1.2 million was transferred... that day, September 16."
Why would the fund administrator do such a thing?
"In the background, the fund later learned, the hackers had sent another email to the fund administrator Apex authorising the transaction, as they had taken control of the hedge fund's email system."
Keep in mind here that there was no more communication on this transfer because Fagan knew he had not authorized it. But the hackers knew they had.
BEC attack trend: after one successful transfer, hackers want more
And this is how a BEC attack unfolds.
If money goes out to a criminal account and is undetected, hackers come back for more.
The Australian Financial Review picks it up from here:
"A week after the first transaction, another fake invoice was wrongly authorised from the Levitas account. This time $2.5 million was sent to the Bank of China in Hong Kong to a company called Pavelin Limited... on the same day—September 22—the trustee received further instructions from the administrator to send $5 million to East Grand Trading at the United Overseas Bank in Singapore. The same red flags were evident on the invoice, but again, no verification calls were made. The money was approved for transfer."
The hacker was sending emails to Apex, once again, to authorize the transactions. Hackers posed as co-founder Fagan.
When money continued to flow out, the firm knew something was up and made urgent calls to stop these transfers. Only the initial $1.2 million got away. The rest of the transfers were stopped before the money headed to accounts in Asia.
But for Levitas Capital, the reputational damage was too much.
Cyberattack fallout: largest investor pulls money from firm
Remember what a great year the firm's hedge fund was having? Its largest investor was about to invest another $16 million because it was so pleased.
Instead, following the BEC attack, that investor pulled its money out and the hedge fund collapsed.
Yes, cyber risk is business risk.
And Business Email Compromise is big business, stealing billions from companies around the world. Listen to the SecureWorld podcast interview with a top BEC investigator from the U.S. Secret Service: