According to Attorney General Rod Rosenstein, Iranians connected to the Islamic Revolutionary Guard Corps (IRGC) were recently charged with conducting a massive cyber theft campaign on American and foreign universities, businesses and government agencies.
AG Rosenstein states:
The stolen information was used by the IRGC or sold for profit in Iran. They hacked the computer systems of approximately 320 universities in 22 countries. 144 of the victims are American universities. The defendants stole research that cost the universities approximately $3.4 billion to procure and maintain.
They also attacked computer systems of the U.S. Labor Department, Federal Energy Regulatory Commission, United Nations, and the states of Hawaii and Indiana.
When hackers gain unlawful access to computers, it can take only a few minutes to steal discoveries produced by many years of work and many millions of dollars of investment.
For many decades, the United States has lead the world in science, technology, research, and development.
Academic institutions are prime targets for foreign cybercriminals. Universities can thrive as marketplaces of ideas and engines of research and development only if their work is protected from theft.
The events described in this indictment highlight the need for universities and other organizations to emphasize cybersecurity, increase threat awareness, and harden their computer networks.
Every sector of our economy is a target of malicious cyber activity. Everyone who owns a computer needs to be vigilant to prevent attacks.
This type of criminal activity does not just cause economic harm. It also threatens our national security. Identifying and prosecuting computer hackers is a priority for the Department of Justice.
Hostile individuals, organizations, and nation-states have taken note of our success. They increasingly attempt to profit from American’s ingenuity by infiltrating our computer systems, stealing our intellectual property, and evading our controls on technology exports.
The FBI Considers These Individuals State-Sponsored Hackers
FBI Deputy Director David Bowdich reports:
“During a more than four-year campaign, these state-sponsored hackers compromised approximately 144 U.S.-based universities and 176 foreign universities in 21 countries… When the FBI learned of the attacks we notified the victims, so they could take action to minimize the impact. And then we took action to find and stop these hackers.”
The special agent from the FBI’s New York Division who investigated the case tells us:
“Their primary goal was to obtain usernames and passwords for the accounts of professors, so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on. That information included access to library databases, white papers, journals, research, and electronic books. All that information and intellectual property was provided to the Iranian government.”
Protect against viruses, spyware, and other malicious code. Make sure each of your business’s computers is equipped with antivirus software and antispyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
Secure your networks.
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
Establish security practices and policies to protect sensitive information.
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies.
Educate employees about cyber threats and hold them accountable.
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s Internet security policies and procedures.
Require employees to use strong passwords and to change them often.
Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
Employ best practices on payment cards
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
Make backup copies of important business data and information
Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.
Control physical access to computers and network components
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
Create a mobile device action plan.
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
Protect all pages on your public-facing websites, not just the checkout and sign-up pages.
Protect information, computers, and networks from cyberattacks. Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
Provide firewall security for your Internet connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
Limit employee access to data and information, and limit authority to install software. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs and should not be able to install any software without permission.
The increased frequency of cybercrime of cybercrime incidents has raised concerns and stakes for both small and large businesses. Your IT Managed Services Provider will help you fight and prevent cybercrime of all kinds. They will be your best friend in this regard. Don’t wait to contact them.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.