Cyber security researchers become target of criminal hackers

News By Daniel Michan Published on August 17, 2023

Robert M Lee, CEO of the cybersecurity firm Dragos, recently received a message. A sophisticated criminal hacking group had compromised a Dragos employee's email account and threatened to expose the company's data unless a ransom was paid.

When Lee refused to negotiate, the hackers escalated. They obtained details such as his son's passport information, school and phone number. The message was clear: pay up or put your family at risk.

"When it comes to your child's safety and well-being, everything changes," said Lee, who previously served in the US military and at the National Security Agency (NSA).

According to cybersecurity professionals in Western countries, such threats have become increasingly tangible. The engineers that companies hire to fight hacking groups are now becoming targets themselves.

Lee declined to name the group that threatened him. It was known for "swatting": placing a false emergency call reporting an armed attack at the target's address, so that an armed police SWAT team is dispatched to the target's home.

The intent is to put the target's life at risk. Law enforcement advised Lee that, should it happen to him, his best course of action would be to lie down on the floor.

The threats made by these criminals are wide-ranging and inventive. One hacker from Ukraine, for example, mailed a gram of heroin to Brian Krebs, a former newspaper journalist who now covers cybersecurity independently. The same hacker also had a local florist deliver a cross-shaped floral arrangement to Krebs's home.

Some hacking victims have been instructed to transfer ransom money into bank accounts belonging to cybersecurity professionals, in an attempt to frame those professionals for the crime. In another incident, a North Korean hacking group posed as security researchers on LinkedIn and sent prospective contacts malware disguised as an encryption key.

"We're an organization that frequently exposes actors, so we must prioritize our security from various angles: as a company, as individuals, and in physical terms," explained Charles Carmakal, Chief Technology Officer at Mandiant Consulting. The firm is regularly called in to investigate breaches, including the recent incidents at the State Department and other US agencies.

"I choose not to visit countries specifically because I've been quite outspoken about offensive cyber operations originating from those nations," he revealed. "Considering that I expose highly sophisticated intrusion operations, I exercise great caution and mindfulness regarding the potential of becoming a target myself."

That criminals based in Eastern Europe, China or North Korea can reach security professionals in Western Europe or the US underscores the global reach of a criminal industry that extracts billions of dollars from its victims.

Carmakal notes that these threats usually come from criminal groups rather than governments. State-backed operators are typically focused on espionage or disinformation campaigns, and when one operation is exposed they simply move on to the next.

"These individuals are people, teenagers and individuals in their twenties, who are not employed by hacking companies nor affiliated with military or intelligence organizations," he explained. "They operate without any rules of engagement. With abundant time at their disposal, they push boundaries and inflict significant harm on individuals, making it all feel incredibly real."

For professionals living outside the United States, the threat is even more concrete. One researcher from Eastern Europe, who asked to remain anonymous, described returning home to find that his residence had been expertly searched by "well-trained, discreet and highly skilled" individuals. The intruders had disabled his home security system but overlooked a newly installed nanny cam that his wife had placed in the living room.

Weeks earlier, the researcher had uncovered an espionage operation by a Russian government agency targeting the email systems of a NATO member government. The search of his home was followed by further retaliation: his bank account was hacked, his company's tax documents were tampered with and leaked on the dark web, and personal family photographs were passed around as trophies within hacker networks.