Risks Posed by Sensitive Corporate Communications, Broadened Attack Surface
In 2015, a record $5 trillion dollars was tied up in mergers and
acquisitions (M&A) deals, according to JP
Morgan. So far, mega deals in 2016 include Microsoft’s purchase of
LinkedIn, Shire’s acquisition of Baxalta, and Marriott’s acquisition
of Starwood. These market-moving events often involve a massive
expenditure of capital and are largely conducted in secret to comply
with legal requirements, making them attractive targets for
cybercriminals and nation-state threat groups alike. Threat actors are
primarily driven by three motives related to M&A activity:
- Stealing non-public information leading up to the deal’s
announcement for future financial gain.
sensitive financial information generated during the M&A
- Exploiting the increased attack surface created by
companies combining their operations.
Additionally, acquisition targets may be compromised prior to the
M&A for reasons wholly unrelated to the transaction. Enterprises
should be especially alert for malicious cyber activity before,
during, and shortly after M&A-related activities, ensuring that
due-diligence processes incorporate assessments of each party’s cyber
Trove of Documents to Exploit Capital Markets
M&A activity generates significant amounts of sensitive
corporate communications, which cyber criminals may attempt to obtain
and exploit for financial gain. For example, cyber criminals could
attempt to gather data about a company’s operations, financial status
or future plans, which could then be used in stock market trades. To
obtain such sensitive information, attackers can target the companies
directly involved in the M&A activity themselves or other
organizations involved in the deal, such as law firms and PR agencies.
Securities and Exchange Commission (SEC) in 2015 announced that
since at least 2010, two Ukrainian cyber criminals breached multiple
newswire services and distributed pre-release information to a rogue
network of international traders and hedge fund managers.
In 2013 and 2014, a group of cyber criminals known as FIN4
sought to acquire information about M&A discussions in order to
game the stock market. The group frequently used M&A and
SEC-themed lures with Visual Basic for Applications (VBA) macros
implemented to steal the usernames and passwords of key individuals.
Many of FIN4’s lures were apparently stolen documents from actual deal
discussions that the group then weaponized and sent to individuals
directly involved in the deal. FIN4 typically included links to fake
Outlook Web App (OWA) login pages designed to capture the user’s
credentials. Once equipped with the credentials, FIN4 then obtained
access to real-time email communications and presumably insight into
potential deals and their timing.
Seeking Insights to Gain the Upper Hand in Negotiations
One side involved in M&A negotiations could use cyber espionage
to acquire sensitive information about a deal counterparty in an
attempt to obtain more favorable terms. Based on past threat actor
activity, we have observed multiple China-based threat actors breach
companies to observed this type of activity in sizeable deals
involving Chinese state-owned enterprises.
High tech companies in particular face an evolving cyber risk as
Chinese interests advance toward acquisition of technology and
expertise that will sustain the country’s economic growth through a
shift to an economy built on knowledge-based products and services.
During the past decade, flush with cash and often with state backing,
Chinese companies have snatched up well-known Western companies in
industries ranging from agriculture to energy to consumer products.
The Wall Street Journal reported that as of May 2016, Chinese
companies have struck over $110.8 billion in overseas deals,
surpassing the $106.8 billion in deals done in 2015, despite a
slowdown in the Chinese economy.
As recently as late 2015, we have observed several likely
China-based threat groups targeting companies engaged in
M&A-related activity. At least four different China-based APT
groups conducted computer network intrusions that we believe were
primarily motivated by the targeted companies’ involvement in an acquisition.
In 2015, Mandiant conducted a compromise assessment for a business
services company. We identified two periods of activity by the
China-based threat group APT8 within the network, the most recent of
which coincided with the victim company’s participation in acquisition
negotiations. Although our visibility into APT8’s operations was
limited, the threat group possibly sought information pertaining to
the negotiation and acquisition itself, based on the timing in which
APT8 resumed their activity within the network.
New Companies, New Attack Surfaces
Mergers and acquisitions often result in an increased attack surface
for the companies involved. As two or more companies integrate their
IT assets, a group that has compromised one company could potentially
use that access to compromise the other(s). For instance, the Australian
telecom firm Telstra in 2015 announced that the networks of a
recently acquired subsidiary, Pacnet, were exploited.
Although the most obvious example of the increased attack surface
issue is when M&A activity causes companies to combine their
networks, it can also include factors such as one company’s particular
susceptibility to social-networking attacks or vulnerabilities in
products produced by one of the companies. In other words, strong
security practices at one company can be obviated by poor practices at
This threat is likely elevated during and immediately after a merger
or acquisition, since IT employees at the purchasing company may not
have had time to analyze the security posture of the purchased
company, or the combined staffs are unable to comprehensively monitor
the entirety of the newly combined network. Mergers and acquisitions
also generally increase the opportunities for “lateral compromise” by
targeting trusted relationships (i.e., the relationship between the
companies involved in the M&A activity). When a well protected
network recognizes a less secure network as trusted, the overall
security posture of the combined network is lowered, allowing
intruders to gain access by exploiting hastily-granted trust between systems.
Mandiant has observed instances where APT actors were able to regain
a foothold in an organization’s network following remediation by
compromising the network of an affiliate. Actors targeting companies
during M&A activity could use similar tactics to move laterally
from one company to another.
An example of this is when Mandiant performed an incident response
investigation for Company A, where we identified the presence of
several advanced threat actors. After remediating Company A’s
networks, an APT group attempted to re-compromise the network through
a sister organization (Company B), which had also been previously
compromised. Although this effort failed, a different APT group was
able to regain access to Company A’s systems through a strategic web
compromise embedded on Company B’s website. Our investigation of the
sister company’s network revealed that the vast majority of stolen
data there pertained to the network infrastructure linking the organizations.
Another example occurred at Company C, where we identified four APT
groups active in a network. Analysis about the timing and behavior of
at least one of these groups suggested that they were able to leverage
their previously attained access at Company D (a sister organization)
to access Company C’s network. During our investigation at Company D,
we discovered at least two threat groups, with activity dating back
three years earlier. We believe these actors used information
harvested from Company D’s network to help exploit Company C in a
Business leaders responsible for M&A business strategy should be
aware that threat actors often target companies engaged in mergers and
acquisitions, and that malicious activities such as phishing attacks
will likely increase during such periods. Additionally, a data breach
or severe security posture weaknesses could negate the business
strategy of acquisition due to the often-high cost of fixing
weaknesses or conducting incident response. Technology risk should be
evaluated and incorporated into the overall business risk strategy
before an M&A transaction is completed. In addition, companies
engaged in M&A should ensure that an examination of cyber security
is included as a key component of the due diligence process.
Today cyber due diligence is oftentimes performed superficially and
as an afterthought. This examination should include details of the
company’s security capabilities such as data safeguards, access
controls, threat detection, incident response and infrastructure
security controls, the threat landscape of the organization, any
records of past attacks, and any underground actors known to be
particularly interested in targeting the company. Allowing sufficient
time (four to six weeks) to perform an actual compromise assessment on
the sellers’ infrastructure will provide the optimal visibility into
the security posture of the acquisition.
When sufficient time is provided and cyber due diligence is
conducted, senior executives at the acquiring organization will
understand the business threats and technology risk posed by the
acquisition target, enabling them to incorporate this information into
the overall enterprise risk picture for informed decision-making. In
the majority of transactions, the decision to move forward with the
acquisition will still continue; however, senior executives will be
better equipped to make informed decisions about:
- Deal value
- Cost of remediation of
security weaknesses or breach response
- Return on investment
of the acquisition
- Purchase of a cyber insurance to
- Probability and cost of future litigation
resulting from a breach
When to Start Cyber Security Due Diligence
It’s important for all parties to a transaction to work with their
respective counsel to ensure any cyber due diligence activities are
performed in a compliant manner (e.g., to avoid creating privacy
issues) and in a way that helps preserve any available legal privileges.
Cyber security should be planned for like any other due diligence –
as early as possible. Because of some fairly specific requirements to
ensure the quality of cyber security due diligence, some language may
need to be inserted into agreement documents such as a Letter of
Intent (LOI). This will enable key components of a cyber security due
diligence, such as network monitoring.
M&A due diligence teams sometimes contain information technology
(IT) subject matter experts (SMEs) who are occasionally asked to also
provide an opinion on cyber security posture; however, cyber security
is a specialized field, and if security expertise is not available on
staff, due diligence providers should start planning to retain outside resources.
What Cyber Security Due Diligence Should Be
The following are factors that should be incorporated into effective
cyber security due diligence planning. Note that M&As can vary
widely in terms of ramp-up time. Some allow for a very short due
diligence effort, while longer deals can afford months to assess risk.
Business decisions control this pace, not the due diligence team –
therefore it is important to have relatively quick and lightweight
cyber due diligence options as well as longer, more in-depth approaches.
If the window for due diligence is short (e.g., 1-2 weeks), there is
still substantial cyber security due diligence that can be
accomplished to provide a high-level view of the risk levels of the
seller’s environment. A week provides time for cyber security experts
to conduct documentation review and interviews with seller staff,
which they then analyze in a focused risk framework. The product of
this activity should be a quantified risk assessment across important
cyber security domains (e.g., data safeguarding, infrastructure
security, and others) that results in a brief, easy-to-understand
report on risk and general recommendations for the buyer.
Even minimal cyber security due diligence should have a technical
component to provide an objective view of the health of the seller’s
security posture. One of the most important aspects of a technical
assessment is creating a historical scorecard going back in time: Have
the seller’s computers been compromised in the past, and what was the
character of those breaches (advanced and persistent, commodity,
insider, financial fraud, etc.)? The Freshfields survey discovered
90% of respondents believed that a past breach could
reduce the value of a deal.
Also important is a current snapshot: detecting malicious activity
(or the lack of such activity) from the seller provides insight into
the overall security posture and types of possible intruders already
in place. This information needs to be derived and analyzed in a
relatively short time frame. With this kind of analysis, the buyer
already can act knowledgably and prevent major missteps.
In-Depth Due Diligence
If more time is available, more detailed and granular cyber security
due diligence is possible. In addition to a risk assessment conducted
by cyber security analysts, software agents can be deployed in the
seller’s network to report on the state of the endpoints.
Network monitoring can examine traffic to and from the network for a
period of time to collect very detailed information on the state of
the organization’s cyber security and what compromises are already
happening, or have already happened. This allows the buyer to know the
seller’s environment inside and out from a real-world risk
perspective, and would provide both the high-level view needed to
inform decisions and granular detail to estimate remediation costs.
Only with due diligence can risk be incorporated in planning, with
various planned costs and benefits. Without due diligence, there are
only unexpected costs and reputational impacts.
Information gathered during due diligence can be further used to
guide post-acquisition activities.
A fairly common follow-on activity, particularly with mergers, is
integration of the two companies’ IT infrastructure. In the long run,
this should reduce costs and ease management; however, in the
short-term it can create its own set of problems and become a
One of the first questions to answer is: what can be trusted? Is it
safe for the buyer to connect to certain acquired systems? Can two-way
trust relationships be established? All of these depend on assessing
the security of both the overall environment and specific systems.
Cyber security due diligence provides a good start down this road, and
can allow for a level of effort and cost estimates to be made and
included in IT planning.
The Future Has Already Been Here
The impact of adverse cyber security events has been felt by
businesses for some time, and paying a little attention to the news
gives some sense of the scale of the challenges that have emerged as
even local businesses become exploitable by global criminals. Cyber
security risk is not science fiction, even though it has essentially
been treated as science fiction by being left out of M&A
processes. Acquiring companies and due diligence practitioners must
now catch up to the reality of the costs and risks that cyber security
issues create, and the benefits that cyber security due diligence can
bring. Doing so will eventually separate successes from the also-rans.
For more information on how Mandiant Consulting can help before,
during and after a merger or acquisition, visit Fireeye.com/services.html.