A recent study reported that most organizations partner with an average of ten third-party vendors to help them manage and grow their operations. Researchers also noted that a glaringly high 98% of organizations were found to have existing vendor relationships with at least one third-party that has experienced a breach in the last two years.

A breach in one vendor’s network can serve as a gateway to compromising the rest of the supply chain, but how can a business effectively manage risks coming from vendors over which they have no operational control? In this post, we explore how to build a third-party risk management program and offer guidance on best practices for responding to a breach in a vendor partner.

A Brief History of Software Supply Chain Attacks

Digital supply chain attacks represent a strategic shift for cybercriminals, offering a pathway to compromise multiple organizations through a single, often unsuspecting, point of entry. By infiltrating suppliers’ networks, adversaries can inject malicious code, compromise data integrity, and even manipulate physical processes in manufacturing and distribution. Attacks using this approach have risen in the last five or six years as evidenced by a number of high-profile incidents such as:

• NotPetya (2017) – malware entered systems through the compromised update process of Ukrainian accounting software, MeDoc. Initially disguised as ransomware, it was later revealed to be a destructive wiper malware, causing widespread disruption globally. Its impact was particularly severe due to its ability to spread rapidly across networks.
• BitPay/Copay (2018) – Attackers compromised the Copay wallet software supply chain, injecting malicious code that enabled them to steal cryptocurrency. The breach highlighted the vulnerability of cryptocurrency wallets, impacting users who unknowingly installed the compromised software.
• ShadowHammer (2019) – A sophisticated attack targeted the update process of ASUS Live Update Utility, compromising its distribution channel. Millions of users unknowingly downloaded a malicious version, allowing attackers to conduct targeted espionage. The attack was serious due to its widespread scope and the potential for espionage on a massive scale.
• SolarWinds (2020) – A highly sophisticated supply chain attack compromised the update mechanism of SolarWinds’ Orion software, impacting major organizations and government agencies. The attackers gained unauthorized access, posing a severe threat to national security by compromising critical systems and sensitive data.
• Kaseya (2021) – Exploiting a vulnerability in the Kaseya VSA software, REvil launched a ransomware attack that affected numerous managed service providers (MSPs) and their clients. This incident demonstrated the potential for cascading effects, impacting a large number of organizations through a single supply chain compromise.
• International Committee of the Red Cross (2022) – A cyber espionage group compromised the update mechanism of the ICRC’s software. The attack posed significant risks due to the sensitivity of the organization’s operations and the potential compromise of confidential humanitarian data.
• SmoothOperator (2023) – A supply chain attack attributed to North Korean-aligned threat actors on 3CX, a VoIP phone software supplier, involved the insertion of malicious code into software updates. The compromised updates affected numerous downstream clients. 3CX claims to have 600,000 customer companies across a broad range of industry verticals including automotive, hospitality, MSPs and Manufacturing.

Two main factors contribute to the increasing prevalence of digital supply chain attacks. Firstly, the growing complexity and interconnectivity of supply chains provide a broader attack surface for adversaries to exploit. Secondly, the reliance on digital technologies and the adoption of Industry 4.0 practices introduce new vulnerabilities. Smart manufacturing, IoT devices, and cloud-based systems, while enhancing operational efficiency, have all created new potential avenues for exploitation.

For small to medium-sized businesses (SMBs), the supply chain ecosystem often involves smaller vendors with limited cybersecurity resources, making them attractive targets for attackers seeking a foothold into larger enterprises. This interconnected web of dependencies, combined with the evolving sophistication of cyber threats, creates a perfect storm for the proliferation of supply chain attacks.

Storing Up Trouble for the Future | Data Breaches & Leaks

A major concern after a compromise of a third-party vendor is the potential misuse of data acquired from the breach. This ill-gotten information can become a potential tool for future malicious activities, ranging from identity theft and fraud to account abuse and external account takeover attacks. A third-party might be compromised while hosting a company’s data, or attackers may initially target the third party and then leverage that access to breach the target organization’s IT systems.

In the case of the 3CX attack, security researchers have found that stolen data from an older cyberattack on a different software firm was then used to launch the attack on 3CX. Given the intricate degree of connection between global vendors, it is likely that 3CX was not the only company compromised in the earlier-attack.

Building a Third-Party Risk Management (TPRM) Program

Based on the latest findings from the Ponemon Institute, third-party-based cyber attacks have increased from 44% to 49% year over year with key reasons including:

• Low rates of access governance and visibility control implementation at the organizational level via identity and access management tools
• Overprivileged vendor accounts and lack of zero-trust policies implemented at the network level
• Lack of continuous monitoring of third-party access to network resources and critical data

Establishing a robust Third-Party Risk Management (TPRM) Program is essential for business leaders to safeguard their organizations from potential introduced by their external partners.

The following questionnaire can be used as a guideline to get started:

Establish a Standard Vendor Assessment Process

• What base contractual obligations outlining security responsibilities are required for the industry and business?
• What due diligence practices, including the evaluation of the vendors’ cybersecurity measures, regulatory compliance, and overall risk posture, are in place
• What cybersecurity frameworks are required for the third-party vendor? Are they fully compliant with those regulations and been audited to ensure compliance with regulatory requirements?
• Does the vendor have a history of suffering data breaches?
• What laws are in place within the vendor’s country that require them to disclose data or other important information?

Get to Know Your Vendor’s Cybersecurity Strategies

• What is the level of sensitivity of the data or services the vendor expected to handle?
• Is the vendor able to provide the required industry standard security certifications?
• Does the vendor have cybersecurity insurance?
• Does the vendor’s tool stack and system support single-sign on (SSO)?
• What types of data will the vendor’s system or service be storing, processing, and/or accessing?

Establish All Contractual Security Expectations & Requirements

• What cybersecurity service level agreements (SLAs) are needed for the partnership?
• What current security risks does the vendor face, or foresee itself facing in the near future? What solutions or processes are in place to mitigate these risks?
• What security measures are currently in place to fulfill capabilities like continuous monitoring, breach alerts/notifications, endpoint/cloud/identity security, data access, etc.

What To Do If Your Third-Party Vendor Is Compromised

In the event that a third-party vendor is under active cyberattack or has found evidence of breach, business leaders and security teams can use the below checklist to act quickly and contain the potential fallout.

1 – Containment, Remediation & Documentation

Activate the incident response plan (IRP) immediately. This involves isolating the compromised systems, containing the breach, and assessing the extent of the damage. At the same time, establish secure communication lines with the affected vendor to collect any crucial insights or details into the nature of the attack, what potential data was compromised, and any details on pathways exploited by the cyber attackers. To do so, interview those who first discovered the breach and document the investigative process.

2 – Forensic Investigation & PR Communications

Forensic investigations play a critical role in uncovering the origins and methods of the cyberattack. Engaging cybersecurity experts to conduct a thorough analysis can help determine the extent of the compromise, identify the specific tactics used by the attackers, and provide valuable insights to fortify defenses against similar threats in the future.

Initiate any public relations and external communications strategy to provide transparent and timely communication with relevant authorities, customers, stakeholders, and the public to maintain trust and credibility. Craft clear and accurate messages that outline the incident, the steps taken to address it, and the measures implemented to prevent future occurrences.

3 – Thorough Reviews & Intel Sharing

Collaboration and transparency are crucial in this phase. All affected parties can mutually benefit from sharing threat intelligence and agreeing on next steps to remediate the vulnerabilities that led to the breach. Simultaneously, organizations should initiate a thorough review of their own systems to assess whether the breach has cascaded into their networks, and if so, take immediate steps to address and neutralize the threat.

4 – Lessons Learned, Audits & Continuous Improvement

Post-incident, a rigorous evaluation of the vendor’s cybersecurity practices can help prevent future attacks. This includes a reassessment of the vendor’s security protocols, risk management strategies, and overall cybersecurity hygiene. A thorough audit will help determine the effectiveness of the vendor’s response to the incident and ensure that appropriate measures are in place to prevent a recurrence.

As part of the ongoing cybersecurity strategy, organizations can prioritize continuous monitoring and assessment of their third-party vendors. This involves regularly scrutinizing the security posture of vendors, ensuring compliance with established security standards, and staying vigilant for emerging threats. Establishing a robust vendor risk management program that includes periodic security assessments, penetration testing, and vulnerability scanning help maintain a proactive posture going forward.

Ultimately, the key to navigating the aftermath of a third-party vendor cyber compromise lies in a combination of rapid response, open communication, collaborative remediation efforts, and a commitment to ongoing vigilance and risk management.

Conclusion

Given the amount of sensitive data and assets organizations share with their third-party vendors, any attacks they face can reverberate through the entire network and set off a chain reaction. Global reliance on third-party vendors in the business landscape comes with a set of inherent cyber risks that organizations across all industries must grapple with. These risks stem from the closely-connected nature of supply chains, where vendors often have access to sensitive data and systems.

To safeguard organizations from third-party related cyber risks, C-level executives and security leaders continue to rely on autonomous, AI-driven cybersecurity platforms like SentinelOne for all-around protection. Learn how SentielOne’s Singularity XDR defends across all possible attack surfaces by contacting us today or booking a demo.

Last week in Boca Raton, Florida, SentinelOne hosted OneCon, our first-ever customer conference, which brought together some of the brightest minds from the cybersecurity community today.

Even in its earliest stages, we envisioned OneCon to be the industry’s most forward-thinking event, aimed at exploring new and innovative ways of thinking about security. For those who weren’t able to join us in person, read on for a round-up of all of the highlights from this year’s gathering.

Key News at OneCon23

Recognizing the business imperative of embedding a comprehensive security approach across the organization, we kicked off OneCon with the launch of PinnacleOne, a new strategic risk analysis and advisory group to support today’s organizational leaders. Led by industry experts Chris Krebs and Alex Stamos, Pinnacle One will help today’s executives with unparalleled intelligence, risk management insights, and transformative strategies to navigate today’s ever-changing threat landscape.

For this event, our focus was equipping customers with the innovative technology required to tackle both present and future cybersecurity challenges. In today’s ever-changing threat landscape and uncertain economic environment, enterprises are looking to increase efficiency, focus on what’s important, and accelerate their security operations to stay ahead of attacks.

To help our customers secure now and in the future, SentinelOne announced a unified set of innovations for the Singularity Platform:

• Purple AI (Beta), an AI assistant to unify, accelerate, and simplify SecOps workflows
• Singularity Endpoint’s new unified agent, covering endpoint and identity attack surfaces for continuous, real-time protection
• Singularity Cloud Workload Security’s integration with Snyk to deliver code-to-cloud security
• Singularity Data Lake, a central, unified solution for security and IT analytics streamlining ingestion, normalization, and visualization for rapid queries, retention, and processing.

“Enterprises don’t just need a robust and capable platform, they also need intelligent automation that simplifies the analyst experience and boosts the productivity of their security teams” shared Ric Smith, Chief Product & Technology Officer at SentinelOne, in his OneCon keynote. “Guided by our belief that the fusion of design-driven product development and AI culminates in an unparalleled security experience, the Singularity Unity Release is meticulously crafted to heighten user experience and fortify security measures.”

PinnacleOne Advisory Group | Unparalleled Insights & Transformative Risk Management

In the face of increasingly complex and vulnerable systems, enterprise leaders contend with a changing global business landscape and developing geopolitical risks that, to cybercriminals and nation-state threat actors, creates avenues for attack.

To support C-suite leaders, SentinelOne launched PinnacleOne at OneCon as a strategic risk analysis and advisory group. Through PinnacleOne, customers will have access to an elite team of experts, led by industry experts Chris Krebs and Alex Stamos, who will help today’s executives with unparalleled intelligence, risk management insights, and transformative strategies.

It all comes back down to the idea of fostering open communication and community. PinnacleOne was created as a direct response to those asking for help in solving the big security challenges and making sure their future path is a safe one. SentinelOne gives a warm welcome to Krebs, joining SentinelOne as Chief Intelligence and Public Policy Officer and President of PinnacleOne and Stamos, who will serve as Chief Trust Officer for SentinelOne.

“In launching PinnacleOne, we are providing access to top experts who can help enterprises think bigger and broader than the siloed approaches of today.”, said Tomer Weingarten, CEO, SentinelOne. “Our holistic approach to risk management will empower organizations to adapt and move forward with confidence across all products and environments.”

For more information on the PinnacleOne Advisory Group, read our Press Release here.

Purple AI | Empowering Analysts to Detect Earlier, Respond Faster & Stay Ahead of Attacks

SentinelOne is proud to be a pioneer in the application of AI to cybersecurity with the industry’s first AI-powered security platform. At OneCon, we announced our continued leadership with the beta release of Purple AI – our generative AI assistant that unifies, accelerates, and simplifies SecOps to help protect what matters most.

Today’s SecOps teams must contend with long alert queues, thousands of investigation hours, and complex configuration tasks, all compounded by a growing skills gap putting pressure on advanced analysts. This leaves little time for proactive threat hunting and results in analyst burnout and an overtaxed SOC.

Purple AI is a force multiplier that saves time and resources for security teams by scaling autonomous protection across the enterprise. Unify your workflows with a single place to access data across the platform and partner logs, and scale collaboration across teams using notebooks, which can save, tag, and export investigation workflows.

Simplify the complex by using natural language to streamline threat hunting and investigations. Every level of analyst is empowered with instructional hunting prompts, AI-powered auto-summaries, suggested queries, and actionable next steps. Finally, accelerate SecOps workflows with Purple AI’s auto-investigations* to collect evidence from the Singularity Data Lake, generate reports, and help determine a verdict for detected threats.

Underpinning it all, know that your data and privacy are protected. Purple AI models do not train using your data or requests, and we never share your processes or insights with other customers. To learn more, sign up for a demo today.

*Coming post-GA

Endpoint Security | Advanced Protection for Identity and Exposure Management

SentinelOne’s platform strategy focuses on enterprise-grade prevention, detection, and response across all attack surfaces from endpoints and devices to servers. The Singularity Platform Unity Release enhances customers’ endpoint security experience through new features like Identity (conditional access and breached password detection) and Attack Surface and Exposure Management (prioritizing and managing vulnerability exposures).

These new features will be seamlessly delivered in a single, rebootless agent with advanced behavioral detections built-in.

Cloud Security | Delivering Enhanced Protection with CNAPP

As part of the 12-month roll-out, the Singularity Platform will soon feature a comprehensive Cloud-Native Application Protection Platform (CNAPP) designed to safeguard public and private cloud infrastructures. By combining both agent and agentless capabilities, the platform will provide robust run-time protection and real-time defenses against threats, misconfigurations, and exposed secrets.

All of these features are set to integrate seamlessly with Singularity Operations Center and Data Lake, providing customers with deep visibility and operational governance over their entire digital estate.

The SentinelOne & Snyk Integration | Cloud Workload Protection From Build Time to Runtime

The complexity of the modern software supply chain and supporting apps makes prioritizing fixes a challenge for software developers and security teams. To solve this, SentinelOne has joined forces with Snyk, a leading force in developer security to announce a new cloud-native security integration.

The OneCon crowd was first to hear about this latest integration, which works by correlating SentinelOne-identified cloud runtime threat detections together with vulnerabilities found by Snyk in container images. The integration empowers cloud security, application security, and developer teams to more effectively collaborate and address the root cause of rising issues.

While developers are under increasing pressure to build applications faster, they must also work with their security teams to secure both their build and runtime environments. The SentinelOne & Snyk integration supports this process by providing security teams the means to manage application risks in the cloud. This in turn simplifies the prioritization and remediation focus for developers.

The integration is now available to SentinelOne and Snyk customers through the Singularity Marketplace. Learn more about the integration here.

Singularity Data Lake | Cost-Effective, High Performance Security & Log Analytics

Singularity Data Lake enables organizations to centralize and transform data for cost-effective, high-performance security and log analytics. This consolidated, AI-powered security and log data platform brings together Security Information and Event Management (SIEM), Extended Detection Response (XDR), and Log Analytics solutions. By streamlining cybersecurity and IT operations, it reduces complexity and enhances effectiveness in managing security.

Singularity Data Lake leverages the Open Cybersecurity Schema Framework (OCSF) to normalize all types of data, offering a full view of an organization’s security and data analytics. Its cloud-native architecture and marketplace of connectors simplify data importation and promote cost efficiency and scalability, leading to significant cybersecurity cost savings.

Singularity Data Lake empowers organizations to confidently navigate the ever-evolving threat landscape. By providing centralized data management, faster detection, advanced analysis, and enhanced investigation capabilities, these solutions offer more than just another cybersecurity product – they comprise a comprehensive data platform that drives business value and keeps organizations secure in today’s digital landscape.

Conclusion

We created OneCon as a space for cyber defenders to learn, share, and equip themselves with the tools and inspiration to confidently tackle today’s security challenges.

For the SentinelOne team, true enterprise-wide security lies in proactively and comprehensively securing the entire organization with the power of AI. In the face of a changing threat landscape, we are glad to be in the company of leading cybersecurity experts who are ready to collectively shift with us.

We’d like to thank all of our sponsors, guest speakers, partner presenters, support staff, event organizers, and most of all, our attendees for an amazing OneCon23. From all of us at SentinelOne, we look forward to seeing you at next year’s event!

Contact us to learn more about what we are doing to evolve the cyber defense industry or book a demo to get more in-depth experience with our newest integrations and security offerings.

The Good | Russian National Linked to Ryuk Ransomware Laundering Schemes Sanctioned By US Authorities

One of Ryuk ransomware’s many affiliates just had a target placed on their back by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Ekaterina Zhdanova was sanctioned this week after being identified as a key player in laundering millions of dollars in cryptocurrency. Zhdanova leveraged her expertise in cryptocurrency and blockchain networks to circumvent anti-money laundering controls.

The OFAC and blockchain analysis experts highlight her use of a vast global network of money launderers to obscure her financial activities while expanding her clientele. Most notably, Zhdanova is believed to have aided the Ryuk ransomware operation, laundering over $2.3 million in suspected ransom payments for one of its known affiliates.

Ryuk ransomware operators made global headlines during the COVID-19 pandemic after extorting healthcare facilities for astronomical ransoms. Her work with the Ryuk affiliate involved the use of a fake investment account and real estate transactions to conceal the origins of the ransom payments.

A long list of malicious transactions follow Zhdanova. Authorities say that she has also been identified in helping Russian oligarchs evade Western sanctions set after Russia’s invasion of Ukraine. In addition, she facilitated the transfer of over $100 million for a Russian oligarch to the United Arab Emirates, orchestrating cases where her clients could obtain UAE tax residency, ID cards, and bank accounts.

Now, Zhdanova faces a freeze on all her U.S.-based assets, and U.S. individuals and entities are barred from transacting with her. This move underscores the U.S. government’s commitment to curbing money laundering activities, especially those linked to ransomware operations and the evasion of international sanctions.

The Bad | BlazeStealer Malware Hidden in Python Open-Source Packages Target Software Developers

Software developers are, once again, being targeted by threat actors through trojanized code libraries. Security research this week highlights at least eight developer tools published since January containing hidden payloads that are now reaching thousands of downloads.

So far, all eight in this series of packages have used Python programming language and are prefixed with the “pyobf” string to mimic genuine obfuscator tools like “pyobf2” and “pyobfuscator”. The latest in the string of malicious packages is called “pyobfgood”, which like its seven predecessors poses as a legitimate obfuscation tool for developers to defend against reverse engineering and code tampering.

In the case of the “pyobfgood” package, malware called BlazeStealer is installed as soon as the unsuspecting developer runs the code, giving the threat actor capabilities such as exfiltrating detailed host information, setting up keyloggers, stealing passwords from web browsers, downloading sensitive files, recording both screen and audio, and encrypting files for potential ransom. A list of the malicious package names and indicators of compromise may be found here.

Developers remain a lucrative target for threat actors, given their work with both sensitive and valuable information. Open-source libraries also continue to draw attention. In late September, a 10.0-level vulnerability in the LibWebP image library was exploited in the wild, and just last month a flaw found in curl, a widely-used open-source command-line tool, was described as one of the most serious bugs found in the tool for some time.

For now, the Biden administration and CISA have placed an open call out for support in securing the nation’s open-source software and have several ongoing security initiatives for the broader open-source ecosystem.

The Ugly | SaaS Analytics Firm Advise API Key Resets After AWS Account is Compromised

After evidence of a breach surfaced last Friday, Sumo Logic officially disclosed the incident this week, notifying users that its Amazon Web Services (AWS) account was compromised using stolen credentials. The Californian data analytics firm has confirmed that its systems, networks, and customer data remain unaffected.

Upon detection, Sumo Logic was able to lock down the exposed infrastructure and rotate all potentially compromised credentials. So far, the company has implemented additional security measures such as enhanced monitoring and vulnerability scanning to help prevent similar occurrences in the future. Continuous monitoring of network and system logs is also ongoing to identify any signs of additional malicious activity.

In response to the breach, Sumo Logic has advised its customers to rotate credentials used for accessing its services as well as those shared with the company for accessing other systems. Specifically, customers were urged to reset API access keys, Sumo Logic-installed collector credentials, third-party credentials stored for data collection purposes, and user passwords to Sumo Logic accounts.

While an investigation is ongoing, regular updates are being posted in the company’s Security Response Center. Sumo Logic has also pushed out a playbook instructing customers on how to update their API keys. Known for its cloud-native SaaS analytics platform, the firm offers log analytics, infrastructure monitoring, and cloud infrastructure security to over 2000 customers including 23andMe, GoFundMe, Mattel, and SEGA.

Threat actors continue to keep AWS accounts in their sights due to the wealth of sensitive data and critical services hosted on the platform. As a major cloud service provider, it is seen as a springboard into a vast number of businesses, government agencies, and high-profile organizations.

Access to the internet and social media platforms lies in the backpocket of nearly every user in the world. From a security point of view, one of the fastest rising concerns is how this level of connectivity is being used to spread discord and division both quickly and across huge numbers of users.

According to the latest global survey by the United Nations, more than 85% of people are concerned about the impact of disinformation. Some 87% believe that misinformation, disinformation, and malinformation (MDM) campaigns have already left a negative impact on their country’s politics and would play a significant part in future elections.

Since the consequences of MDM extend far beyond the digital realm, threat actors including nation-states, advanced persistent threat (APT) groups, cybercriminals, and hacktivists are increasingly turning to deceptive tactics to target victims and pursue their objectives.

This blog explores the evolving threat of MDM campaigns and their role in the cyber warfare arena, exposing the strategies used by threat actors and the risks posed to organizations, businesses, and society at large.

Misinformation Campaigns | The Snowball Effect of Mistakes & Fake News

Misinformation, often stemming initially from genuine mistakes or inaccuracies, has had a long and storied history. In the last two decades alone, several notable misinformation cases have threatened public safety:

• Iraq War and Weapons of Mass Destruction (WMD) – In 2003, faulty and exaggerated reports of Iraq’s apparent possession of weapons of mass destruction, as promoted by some government officials and the media, played a significant role towards catalyzing the U.S.-led invasion of Iraq. Over the course of nine years, millions of displaced Iraqi victims, and a death toll numbering at 4500 American and 185,000 Iraqi lives, the Iraq War is still widely viewed as a foreign policy disaster.
• Pizzagate – During the 2016 US presidential election cycle, one man’s personal email account was hacked in a spear phishing attack. After the emails were leaked, conspiracy theorists falsely claimed that they hid coded messages leading to an alleged human trafficking ring run by high-ranking Democratic party officials. After one pizzeria in Washington, D.C. was pinpointed as a trafficking establishment, an armed individual entered the pizzeria to “investigate” the claims, opening fire and threatening the employees.
• COVID-19 Misinformation – Throughout the height of the COVID-19 pandemic, a barrage of fake news and misinformation circulated widely, impacting public health and security. Unfounded claims about the virus’s origins, treatments, and preventive measures have led to confusion, noncompliance with public health guidelines, and life-threatening consequences. Health misinformation directly contributes to the spread of disease and the cases seen during the pandemic highlighted the gaps in content checks on popular social media platforms.

Today, misinformation campaigns have evolved into a more sophisticated form, with threat actors purposefully exploiting the echo chambers of social media to propagate false information or “fake news”. The manipulation of algorithms, the use of deepfakes, and hijacking of “For You” pages (suggesting trending topics) have all contributed to an efficient spread of deceptive content.

Disinformation Campaigns | Sowing the Virtual Seeds of Discord

Disinformation campaigns work by deliberately spreading false information to deceive, manipulate, or sow discord. These campaigns target many at once, influencing elections, escalating geopolitical tensions, and creating real-world security threats. To date, state-sponsored actors, hacktivists, and criminal groups continue to conduct disinformation operations on a global scale through propaganda, political manipulation, and psychological warfare. Some notable examples include:

• Russian Interference in U.S. Presidential Elections – During the 2016 election cycle, Russian state-sponsored actors leveraged social media to launch a multifaceted disinformation campaign to influence election outcomes and erode public confidence in the American government. This campaign raised concerns about national security and the resilience of democratic institutions against cyber threats. Foreign actors including Russia and Iran again attempted to interfere during the 2020 cycle by promoting false narratives about election fraud, aiming to undermine public trust in the democratic process.
• Brexit and Scottish Independence Referendums – A U.S. Senate report in 2018 stated that Russia had sought to influence democracy in the United Kingdom through “disinformation, cyber hacking and corruption”, and that researchers had identified 150,000 Twitter accounts with various ties to Russia that disseminated messages about Brexit before the referendum, indicating “that the broader aim was to magnify societal discord”. In January 2023, the European Court of Human Rights sought a response from the British government to a legal claim that it had failed to properly investigate Russian interference in both the Brexit referendum and the 2014 Scottish referendum on independence. A 2020 British Intelligence and Security Committee was said by the same report to have found credible evidence Russia had tried to influence the Scottish referendum.
• French Presidential Election – In the lead-up to the 2017 French presidential election, various state-sponsored and non-state actors launched disinformation campaigns to influence the election’s outcome. Spreading doctored tweets and emails, the actors attempted to threaten the security of the electoral process and public trust in specific electoral candidates.
• Ongoing ​​Disinformation in the Russia-Ukraine War – Ukraine has been a hotspot for disinformation campaigns for several years, driven largely by Russia’s efforts to shape narratives, undermine the Ukrainian government, and influence events in the region. These campaigns, which claim Ukrainian aggression or exploit ethnic divisions within Ukraine for example, are part of a broader information warfare strategy that continues to be used to exploit political and social fault lines.

Malinformation | Branching Information Warfare Into Identity-Based Attacks

Malinformation campaigns are a more recent development in information warfare. These involve the release or distribution of truthful and legitimate private information for malicious intent. Malinformation often originates from data breaches or social engineering, where sensitive personal or corporate data is stolen or leaked and then published out of context. Victims of malinformation are then usually subject to doxxing, swatting, or other means of blackmail and harassment. These campaigns also harm organizations by publishing trade secrets, confidential data, or proprietary information. Infamous examples of malinformation cases are:

• LinkedIn Data Breach – In 2012, a massive data breach exposed the passwords of millions of LinkedIn users. Many victims experienced extortion attempts when hackers threatened to reveal their compromised LinkedIn credentials unless a ransom was paid. Four years later, reports alleging the sale of the stolen credentials on the dark web surfaced, showing how potent breaches like this can be in both the short and long run.
• GamerGate – A controversy that began in 2014 within the gaming industry but quickly escalated into a vicious online harassment campaign. Women and marginalized communities in the gaming industry were being targeted with doxxing, swatting threats, and harassment. The campaign highlighted the dark side of online communities and the impact of malinformation on personal security.
• Political Doxxing During the Hong Kong Protests – During the pro-democracy/anti-government protests in Hong Kong in 2019, an unprecedented wave of doxxing campaigns targeted activists as well as police officers and journalists. Individuals on both sides of the protest line saw their private information (names, photos, ages, and occupations) shared across social media apps like Telegram.

MDM Tactics Move Into the Corporate World | How to Protect Enterprises & Organizations

In 2018, tech manufacturer Broadcom Inc. received a forged memo allegedly signed by the U.S. Department of Defense, asking for a review of their upcoming $19 billion dollar acquisition of CA Technologies by the The Committee on Foreign Investment in the United States (CFIUS). CFIUS is tasked with reviewing international deals for potential security risks to the nation. Since the acquisition of CA Technologies by Broadcom involved only American companies, the review has no basis, triggering suspicion.

Although quickly confirmed by the DoD to be fraudulent, the fake missive challenged national security measures in the public eye and caused both companies’ stocks to fall briefly. Examples like this show that the risks of MDM threats not only exist in geopolitical and social spheres, but the corporate sphere, too.

MDM threats in the corporate sector focus on causing brand and reputational damage, loss of customer trust, and both short and long-term financial losses. Disinformation-as-a-Service (DaaS) models, for example, allow malicious actors to purchase tailored MDM campaigns for their specific objectives. DaaS providers leverage a wide array of techniques, including creating and disseminating false narratives, manipulating online content, and conducting social engineering campaigns to achieve their goals.

Why Misinformation, Disinformation & Malinformation (MDM) Is a Cybersecurity Problem

MDM campaigns thrive off of connectivity and globalization to attack human perception both online and offline and have become a key component of modern information warfare. The intersection between MDM campaigns and cybersecurity can be examined across the following areas:

Terrain | Where Threat Actors Operate MDM Campaigns

While social media platforms often act as gateways and amplifiers for MDM campaigns, threat actors also leverage networking infrastructure and routing services to distribute malware, ransomware, and more to perform their malicious tasks. Disinformation and cybersecurity involve many of the same stakeholders within the private sector and the internet technical community.

Tools | Sharing the Same Methods of Attack

There is a substantial overlap between MDM and cybersecurity in terms of attack tools and methodologies. Much like in cyberattack strategies, MDM takes advantage by manipulating their victims’ anxieties and heightened emotions. For example, the deployment of “fearware”, a subset of phishing lures that thrived during the pandemic, preys on misinformation and information gaps. Further, disinformation campaigns and cybercrime tactics both dip into the realm of illegal dark web transactions, ill-got data and assets, and various forms of fraud.

Incentive | The ‘Why’ Behind MDM Campaigns

Hacking, cybercrime, and influence operations offer lucrative opportunities, often outsourced to skilled threat actors or cybercrime-as-a-service infrastructures. While individuals and businesses have increased their preparedness for ransomware attacks, MDM strategies like defamation and extortion are commonly used to inflict long-term reputational harm and secure a financial gain.

Applying Cybersecurity Lessons to Combat MDM Campaigns

Implementing robust cybersecurity practices play an important role in protecting organizations from a wide variety of threats. Cybersecurity practices are designed to identify and detect anomalies in data, network traffic, and user behavior. Advanced endpoint protection solutions can continuously monitor network traffic and identify suspicious patterns or deviations from the norm.

Ongoing monitoring is critical in the battle against MDM campaigns, particularly those feeding off public anxiety about current events. Cybersecurity teams continuously track information sources, social media channels, and online forums for signs of disinformation and misinformation. Automated tools and manual analysis help monitor the spread of false information and gauge its impact. Organizations can employ threat intelligence feeds and social listening tools to stay informed about emerging threats and campaigns.

Following cybersecurity best practices can also help to protect against harm caused by MDM campaigns. Effective best practices include implementing role-based access controls (RBAC), multi-factor authentication (MFA), encryption, and secure coding practices to safeguard information and data integrity. Cyber hygiene, such as regular software patching and updates, can also reduce any known vulnerabilities that malicious actors might exploit.

While cybersecurity best practices are essential, it is important to acknowledge that MDM campaigns are not solely a technical problem. These campaigns often involve psychological manipulation, social engineering, and the exploitation of cognitive biases. To secure from a user point of view, security awareness training educates employees about the risks of falling victim to disinformation campaigns, teaching them to recognize and report suspicious activities.

Conclusion

The evolving threat of MDM campaigns continues to tighten its grip on the digital landscape, impacting geopolitical, social, and corporate spheres. Waves of these campaigns have become a common occurrence in modern cyber warfare, where information is strategically weaponized to manipulate election outcomes, disrupt critical operations, and undermine public trust.

MDM campaigns are a symptom of the dynamic nature of our digital age. In this ongoing battle, knowledge, vigilance, and proactive measures are the best defense against the rising influence of MDM tactics and their role in the realm of cyber warfare.

As businesses navigate these developing threat tactics and techniques, adopting a multi-dimensional security strategy that combines robust preventive measures with XDR capabilities becomes a vital one. To learn more about how SentinelOne’s Singularity XDR can help defend your organization, book a demo or contact us today.