During WWII on the Pacific Front, the Allied strategy was to slowly conquer small islands off the coast of their main targets, enabling Allied forces to build strength and stealth. Breaching smaller islands was much easier than taking on the superpower that was Japan. The term “Island Hopping” was born from this practice.
Just like the generals of the armed forces, cyber criminals and threat actors are cunning and strategic. By attacking the supply chain and third parties around larger organizations, they can island hop their way into larger networks – and they have been. 50% of today’s attacks leverage island hopping, and the biggest target on the list? Managed service providers (MSPs).
When organizations need a function they don’t have the resources to support internally, they typically leverage the services of an MSP, and in the case of cybersecurity, an MSSP (managed security services provider). Whether the reason is to satisfy compliance regulations, as we see in the healthcare industry, or that the organization is too small to afford an in-house cybersecurity team, MSSPs provide invaluable services to small and large businesses alike. Like any other third-party provider, MSSPs can have virtually unlimited access to their customers’ networks.
Network-Based Island Hopping
There are several different types of island hopping, including network-based, watering hole attacks, and reverse business email compromise (BEC). By infiltrating one network, the cyber criminal can then hop onto an affiliate network. When perpetrated against a large corporation, the results can be catastrophic.
Wipro Island Hopping Breach
In April 2019, Wipro — India’s third largest IT outsourcing company — became aware of abnormal activity on several employees’ accounts. These employees were targeted by an advanced persistent phishing campaign, perpetrated through a remote access screen sharing tool. The threat actors then gained access to Wipro’s clients’ networks using the same technology. By using trusted programs used by IT providers, the attackers can easily trick employees into escalating their privileges, giving the threat actor more and more access. At least 12 of Wipro’s clients were breached in the attack.
Post-breach, Wipro is developing a private email network to minimize breaches through their email system. Though they are attempting to spare clients from future breaches, they have already suffered millions in stock losses—India has sold “enemy” Wipro shares to the tune of $166 million USD. An April report into the breach investigation revealed that Wipro systems may still be compromised, allowing the threat actors further access to client networks.
The Wipro breach perfectly demonstrates that island hopping is a successful tactic to gain access to dozens of networks through third parties. Though this risk is fairly new on the scene, its perpetrators are using the same TTPs as other actors. Without visibility into third parties and vendors, your organization is vulnerable to their weaknesses—as well as yours. One simple phishing campaign caused all of this. We see this time and again—even the most advanced actors use the simplest attack vectors. Why? Because employees fall for them. Every. Single. Time.
How to Stop Island Hopping
By recognizing the common signs of these attacks, you could potentially save your organization and your clients from suffering a breach. Another way to combat these simple TTPs is to practice good cyber hygiene, including:
- Think before you click
- Secure your passwords and enable 2FA
- Patch & update your software