Mergers and acquisitions make for a busy time for businesses. Unfortunately for them, they can also be a busy time for attackers.
According to researchers at FireEye, a number of advanced persistent threat campaigns have selected mergers as opportune times to strike.
“Over the last few years, concerns over economic espionage have led to greater scrutiny of mergers and acquisitions involving foreign companies – particularly in industries with sensitive technologies and operations that could pose broader economic and security threats,” blogged FireEye’s Jen Weedon. “However, entering into a merger or acquisition with a foreign company is not the only way nation-states conduct economic espionage via cyber means, nor are nation-states the only perpetrators of intellectual property theft.”
These attacks typically take two forms: either breaching one of the merging company’s subsidiaries or partners to gain access to the target company’s environment, or compromising and stealing data from a corporation involved in business talks with a foreign company in order to provide the other side with insider information, Weedon blogged.
“We have seen China-based threat groups previously compromise targets by taking advantage of trusted relationships and bridged networks between companies,” she explained. “Regardless of their method of entry, these actors are often in search of the same thing: intellectual property and proprietary information that can provide their own constituents with a business advantage, whether through adopting a rival’s technology and products, securing advantageous prices, or any other tactic that could give them a leg up.”
“We investigated one incident,” she noted, “in which two threat groups compromised a company shortly after it acquired a subsidiary. The threat actors used their access to the initial company’s network to move laterally to the subsidiary, which had recently developed a proprietary process for a significant new healthcare product. Once inside the subsidiary’s network, the threat groups stole data that included details on the product’s test results. We believe the threat groups sought to give that data to Chinese state-owned companies in that industry for fast-tracking the development of their own version of the groundbreaking product.”
Getting inside information is also a key motive for attackers during acquisition periods, Weedon added. Rather than go after intellectual property, these attackers look for information such as executive emails, negotiation terms and business plans.
“During one investigation, we found that a China-based threat group had compromised a company that was in the process of acquiring a Chinese subsidiary – a move that would have significantly increased the victim company’s manufacturing and retail capacity in the Chinese market,” blogged Weedon. “The threat actors accessed the email accounts of multiple employees involved in the negotiations in what was likely a search for information pertaining to the proceedings. We believe that the threat group then used the stolen information to inform Chinese decision makers involved in the acquisition process, as the Chinese government terminated the talks shortly after the data theft occurred.”
Companies involved in mergers and acquisitions need to be aware of the risks they face from threat actors intent on conducting economic espionage, she added.
“Entering into a merger or acquisition with an organization that has unidentified intrusions and unaudited networks places a company at risk of compromise from threat actors who may be waiting to move laterally to the newly integrated target,” she blogged. “Similarly, companies, and the law firms representing them, involved in negotiations with Chinese enterprises face risks from threat groups seeking to provide the Chinese entity with an advantage in negotiations.”
“Compromise and economic espionage can have profound impacts on a company’s finances and reputation at any time, but particularly when they are risking hundreds of millions to billions of dollars on M&A,” she blogged.