Criminals recently managed to impersonate an Arrow Electronics executive, prompting the unauthorised transfer of money from the distributor to outside bank accounts in Asia.
The distributor said the criminal fraud will cost the company US$13 million ($18 million) in the first quarter of 2016, according to a report filed Thursday US time with the US Securities and Exchange Commission.
Arrow determined 22 January that it had been targeted, and investigations and legal actions were subsequently launched both internally and by law enforcement. Although the investigation is still ongoing, Arrow said findings thus far indicate the event was isolated and not associated with either a security breach or loss of data.
The ultimate findings and conclusion date of the investigation are still uncertain, according to Arrow. A company spokesman declined to answer additional questions about the attack.
Arrow was most likely the victim of a privileged account attack, where hackers try to break into the accounts of IT leaders or C-suite executives in hopes of disrupting operations or gaining access to proprietary information, according to Jane Wright, a senior analyst focused on security at Technology Business Research.
“This does seem like a significant attack to me,” Wright said.
Privileged account attacks are quite common but are rarely successful at a company as large as Arrow, according to Carl Mazzanti, CEO of US solution provider eMazzanti Technologies. Regularly resetting passwords and uncovering common vulnerabilities through penetration testing are some of the best ways to protect against such an attack, Mazzanti said.
In fact, Mazzanti said he received a “super uncommon” request Thursday US time from other IT distributors (Mazzanti doesn’t work with Arrow) asking him to manually reset his passwords, which he suspects might be a precaution once news of the Arrow attack became public.
Hackers have increasingly turned their focus to breaking into C-suite or line-of-business executive accounts in hopes of stealing unpatented intellectual property such as blueprints or product plans. Wright said, in her experience, going after intellectual property is more common than what happened in Arrow’s situation with actual funds being stolen.
Arrow’s statement about the lack of a security breach or data loss is consistent with a privileged attack, she said, where the attack is isolated and the attacker has no interest in persisting as part of the company infrastructure.
“They’ve chosen one company, one executive, for one purpose,” said Wright, noting that privileged account attackers have a “get in, get out” mentality.
The US$13 million charge Arrow reported is significantly higher than the financial loss from most privileged account attacks, which Wright said typically comes in at around US$2 million to US$3 million since businesses usually are able to shut off the loss of money very quickly.
“Every minute you’re under attack, you’re losing more money,” Wright said.
It’s quite common for hackers to cross state or national borders – as was the case when Arrow’s attackers moved the money into Asian bank accounts – since that increases the complexity of responding by forcing multiple law enforcement agencies to work together.
The FBI is fairly successful in bringing down hackers, Wright said, although their successes are often not publicised. That’s because law enforcement doesn’t want to reveal the full extent of their capabilities since that will prompt future hackers to pursue different attack vectors.
“It [bringing down hackers] happens a lot more than we read in the media,” Wright said.