In 2015, a record $5 trillion dollars was tied up in mergers and acquisitions (M&A) deals, according to JP Morgan. So far, mega deals in 2016 include Microsoft’s purchase of LinkedIn, Shire’s acquisition of Baxalta, and Marriott’s acquisition of Starwood. These market-moving events often involve a massive expenditure of capital and are largely conducted in secret to comply with legal requirements, making them attractive targets for cybercriminals and nation-state threat groups alike. Threat actors are primarily driven by three motives related to M&A activity:
Additionally, acquisition targets may be compromised prior to the M&A for reasons wholly unrelated to the transaction. Enterprises should be especially alert for malicious cyber activity before, during, and shortly after M&A-related activities, ensuring that due-diligence processes incorporate assessments of each party’s cyber security practices.
M&A activity generates significant amounts of sensitive corporate communications, which cyber criminals may attempt to obtain and exploit for financial gain. For example, cyber criminals could attempt to gather data about a company's operations, financial status or future plans, which could then be used in stock market trades. To obtain such sensitive information, attackers can target the companies directly involved in the M&A activity themselves or other organizations involved in the deal, such as law firms and PR agencies.
The U.S. Securities and Exchange Commission (SEC) in 2015 announced that since at least 2010, two Ukrainian cyber criminals breached multiple newswire services and distributed pre-release information to a rogue network of international traders and hedge fund managers.
In 2013 and 2014, a group of cyber criminals known as FIN4 sought to acquire information about M&A discussions in order to game the stock market. The group frequently used M&A and SEC-themed lures with Visual Basic for Applications (VBA) macros implemented to steal the usernames and passwords of key individuals. Many of FIN4’s lures were apparently stolen documents from actual deal discussions that the group then weaponized and sent to individuals directly involved in the deal. FIN4 typically included links to fake Outlook Web App (OWA) login pages designed to capture the user’s credentials. Once equipped with the credentials, FIN4 then obtained access to real-time email communications and presumably insight into potential deals and their timing.
One side involved in M&A negotiations could use cyber espionage to acquire sensitive information about a deal counterparty in an attempt to obtain more favorable terms. Based on past threat actor activity, we have observed multiple China-based threat actors breach companies to observed this type of activity in sizeable deals involving Chinese state-owned enterprises.
High tech companies in particular face an evolving cyber risk as Chinese interests advance toward acquisition of technology and expertise that will sustain the country’s economic growth through a shift to an economy built on knowledge-based products and services. During the past decade, flush with cash and often with state backing, Chinese companies have snatched up well-known Western companies in industries ranging from agriculture to energy to consumer products. The Wall Street Journal reported that as of May 2016, Chinese companies have struck over $110.8 billion in overseas deals, surpassing the $106.8 billion in deals done in 2015, despite a slowdown in the Chinese economy.
As recently as late 2015, we have observed several likely China-based threat groups targeting companies engaged in M&A-related activity. At least four different China-based APT groups conducted computer network intrusions that we believe were primarily motivated by the targeted companies’ involvement in an acquisition.
In 2015, Mandiant conducted a compromise assessment for a business services company. We identified two periods of activity by the China-based threat group APT8 within the network, the most recent of which coincided with the victim company's participation in acquisition negotiations. Although our visibility into APT8's operations was limited, the threat group possibly sought information pertaining to the negotiation and acquisition itself, based on the timing in which APT8 resumed their activity within the network.
Mergers and acquisitions often result in an increased attack surface for the companies involved. As two or more companies integrate their IT assets, a group that has compromised one company could potentially use that access to compromise the other(s). For instance, the Australian telecom firm Telstra in 2015 announced that the networks of a recently acquired subsidiary, Pacnet, were exploited.
Although the most obvious example of the increased attack surface issue is when M&A activity causes companies to combine their networks, it can also include factors such as one company’s particular susceptibility to social-networking attacks or vulnerabilities in products produced by one of the companies. In other words, strong security practices at one company can be obviated by poor practices at the other.
This threat is likely elevated during and immediately after a merger or acquisition, since IT employees at the purchasing company may not have had time to analyze the security posture of the purchased company, or the combined staffs are unable to comprehensively monitor the entirety of the newly combined network. Mergers and acquisitions also generally increase the opportunities for “lateral compromise” by targeting trusted relationships (i.e., the relationship between the companies involved in the M&A activity). When a well protected network recognizes a less secure network as trusted, the overall security posture of the combined network is lowered, allowing intruders to gain access by exploiting hastily-granted trust between systems.
Mandiant has observed instances where APT actors were able to regain a foothold in an organization’s network following remediation by compromising the network of an affiliate. Actors targeting companies during M&A activity could use similar tactics to move laterally from one company to another.
An example of this is when Mandiant performed an incident response investigation for Company A, where we identified the presence of several advanced threat actors. After remediating Company A’s networks, an APT group attempted to re-compromise the network through a sister organization (Company B), which had also been previously compromised. Although this effort failed, a different APT group was able to regain access to Company A’s systems through a strategic web compromise embedded on Company B’s website. Our investigation of the sister company’s network revealed that the vast majority of stolen data there pertained to the network infrastructure linking the organizations.
Another example occurred at Company C, where we identified four APT groups active in a network. Analysis about the timing and behavior of at least one of these groups suggested that they were able to leverage their previously attained access at Company D (a sister organization) to access Company C’s network. During our investigation at Company D, we discovered at least two threat groups, with activity dating back three years earlier. We believe these actors used information harvested from Company D’s network to help exploit Company C in a subsequent operation.
Business leaders responsible for M&A business strategy should be aware that threat actors often target companies engaged in mergers and acquisitions, and that malicious activities such as phishing attacks will likely increase during such periods. Additionally, a data breach or severe security posture weaknesses could negate the business strategy of acquisition due to the often-high cost of fixing weaknesses or conducting incident response. Technology risk should be evaluated and incorporated into the overall business risk strategy before an M&A transaction is completed. In addition, companies engaged in M&A should ensure that an examination of cyber security is included as a key component of the due diligence process.
Today cyber due diligence is oftentimes performed superficially and as an afterthought. This examination should include details of the company’s security capabilities such as data safeguards, access controls, threat detection, incident response and infrastructure security controls, the threat landscape of the organization, any records of past attacks, and any underground actors known to be particularly interested in targeting the company. Allowing sufficient time (four to six weeks) to perform an actual compromise assessment on the sellers’ infrastructure will provide the optimal visibility into the security posture of the acquisition.
When sufficient time is provided and cyber due diligence is conducted, senior executives at the acquiring organization will understand the business threats and technology risk posed by the acquisition target, enabling them to incorporate this information into the overall enterprise risk picture for informed decision-making. In the majority of transactions, the decision to move forward with the acquisition will still continue; however, senior executives will be better equipped to make informed decisions about:
It’s important for all parties to a transaction to work with their respective counsel to ensure any cyber due diligence activities are performed in a compliant manner (e.g., to avoid creating privacy issues) and in a way that helps preserve any available legal privileges.
Cyber security should be planned for like any other due diligence – as early as possible. Because of some fairly specific requirements to ensure the quality of cyber security due diligence, some language may need to be inserted into agreement documents such as a Letter of Intent (LOI). This will enable key components of a cyber security due diligence, such as network monitoring.
M&A due diligence teams sometimes contain information technology (IT) subject matter experts (SMEs) who are occasionally asked to also provide an opinion on cyber security posture; however, cyber security is a specialized field, and if security expertise is not available on staff, due diligence providers should start planning to retain outside resources.
The following are factors that should be incorporated into effective cyber security due diligence planning. Note that M&As can vary widely in terms of ramp-up time. Some allow for a very short due diligence effort, while longer deals can afford months to assess risk. Business decisions control this pace, not the due diligence team – therefore it is important to have relatively quick and lightweight cyber due diligence options as well as longer, more in-depth approaches.
If the window for due diligence is short (e.g., 1-2 weeks), there is still substantial cyber security due diligence that can be accomplished to provide a high-level view of the risk levels of the seller’s environment. A week provides time for cyber security experts to conduct documentation review and interviews with seller staff, which they then analyze in a focused risk framework. The product of this activity should be a quantified risk assessment across important cyber security domains (e.g., data safeguarding, infrastructure security, and others) that results in a brief, easy-to-understand report on risk and general recommendations for the buyer.
Even minimal cyber security due diligence should have a technical component to provide an objective view of the health of the seller’s security posture. One of the most important aspects of a technical assessment is creating a historical scorecard going back in time: Have the seller’s computers been compromised in the past, and what was the character of those breaches (advanced and persistent, commodity, insider, financial fraud, etc.)? The Freshfields survey discovered 90% of respondents believed that a past breach could reduce the value of a deal.
Also important is a current snapshot: detecting malicious activity (or the lack of such activity) from the seller provides insight into the overall security posture and types of possible intruders already in place. This information needs to be derived and analyzed in a relatively short time frame. With this kind of analysis, the buyer already can act knowledgably and prevent major missteps.
In-Depth Due Diligence
If more time is available, more detailed and granular cyber security due diligence is possible. In addition to a risk assessment conducted by cyber security analysts, software agents can be deployed in the seller’s network to report on the state of the endpoints.
Network monitoring can examine traffic to and from the network for a period of time to collect very detailed information on the state of the organization’s cyber security and what compromises are already happening, or have already happened. This allows the buyer to know the seller’s environment inside and out from a real-world risk perspective, and would provide both the high-level view needed to inform decisions and granular detail to estimate remediation costs.
Only with due diligence can risk be incorporated in planning, with various planned costs and benefits. Without due diligence, there are only unexpected costs and reputational impacts.
Information gathered during due diligence can be further used to guide post-acquisition activities.
A fairly common follow-on activity, particularly with mergers, is integration of the two companies’ IT infrastructure. In the long run, this should reduce costs and ease management; however, in the short-term it can create its own set of problems and become a long-term effort.
One of the first questions to answer is: what can be trusted? Is it safe for the buyer to connect to certain acquired systems? Can two-way trust relationships be established? All of these depend on assessing the security of both the overall environment and specific systems. Cyber security due diligence provides a good start down this road, and can allow for a level of effort and cost estimates to be made and included in IT planning.
The impact of adverse cyber security events has been felt by businesses for some time, and paying a little attention to the news gives some sense of the scale of the challenges that have emerged as even local businesses become exploitable by global criminals. Cyber security risk is not science fiction, even though it has essentially been treated as science fiction by being left out of M&A processes. Acquiring companies and due diligence practitioners must now catch up to the reality of the costs and risks that cyber security issues create, and the benefits that cyber security due diligence can bring. Doing so will eventually separate successes from the also-rans.
For more information on how Mandiant Consulting can help before, during and after a merger or acquisition, visit Fireeye.com/services.html.