Two of the most notable hacks in recent history have been through island hopping attacks. So what are they and how can you stop them?
Island hopping probably sounds more like an activity you'd carry out in the Bahamas rather than an attack strategy, but it's actually used quite often by cybercriminals looking to target networks without directly hacking into them. So, what is an island hopping attack, and how can you protect yourself against it?
The term "island hopping" comes from World War II. The US Forces wanted to get to mainland Japan and had to move from island to island, using each as a launching pad for the next, with the mainland as the primary target. It was known as leapfrogging at the time.
In an island hopping attack, the threat actors go after your partners and other third-party associates, using their cyber vulnerabilities to hop onto your more secure network. These threat actors are entities or individuals that participate in actions that undermine or have the potential to affect your organization's cybersecurity. They may go to any lengths to bypass their target's firewalls, and an efficient method is island hopping.
Manufacturing, financial, and retail businesses are primarily the targets of this form of cyberattack. In cases like these, the target's security systems are airtight and largely immune to direct invasions, so hackers go through considerably less secure partners.
These partners are trusted by the target organization and are connected to its network. Hackers exploit the trusting relationship and attack the real target's complex defense mechanisms through its weak links with other organizations.
Island hopping attacks are effective because they don't trigger alerts in the target's security system. These alerts are usually tripped when there is an attempted entry into the host network from an untrusted or unregistered device. Entries by partners are seldom flagged; threat actors take advantage of this lapse.
There are three standard methods threat actors adopt in their island hopping mission.
This method involves infiltrating an organization's network and using it to hop onto another associate network. In this attack, the threat actors usually go after the organization's Managed Security Service Provider (MSSP).
MSSPs are IT service providers that sell security to small businesses and large organizations, protecting them against cybersecurity threats. They use software, or a team of personnel, to respond to these threats as soon as they occur. Many enterprises outsource their IT security department to these MSSPs, making the providers a target for hackers.
This form of island hopping involves infiltrating sites frequented by the main target's customers, business partners, and employees. Bad actors assess the security of the sites and insert malicious links when they find weaknesses.
These links lead to compromised platforms that automatically inject malware onto the computer. Once the injected malware is operational, the threat actors can use the information collected to gain access to the primary target.
A phishing scam is usually the first step in this method. The cybercriminals pose as a reputable business entity. Yahoo, Facebook, and popular commercial banks are primarily used in these attacks, as the hackers send malicious links in spam emails.
Once the bait is taken and the link clicked, the hackers use malware to compromise the user's computer. This method targets high-ranking officials or executives of the organization.
Keylogger software is sometimes used here to steal the email accounts of these executives. Sensitive information is swiped from the email accounts and then used to infiltrate the target organization.
In 2013, one of the biggest US retail companies, Target, was involved in an island hopping nightmare. And in 2020, SolarWinds, an IT management provider, was the victim of an island hopping attack.
Threat actors compromised Target's point-of-sale system and stole the financial information of around 40 million customers. This resulted in Target paying the biggest-ever data breach settlement.
An $18.5 million settlement was agreed with 47 states and the District of Columbia after hackers stole most of the retail giant's customers' credit and debit card information during the 2013 holiday season. This data breach cost Target over $300 million. But this wasn't a direct attack on the company's servers.
It started with Fazio Mechanical Services, another company that provides Target with heating and refrigeration. It experienced a malware attack two months before Target's security breach. The threat actors made away with the email credentials and used them to access Target's servers.
The SolarWinds attack affected more than 18,000 businesses and even US government departments. Everyone affected had one thing in common: an IT management provider called SolarWinds.
As is typical of island hopping attacks, SolarWinds wasn't the primary target. Given the number of US government departments that were affected, there were rumors that the hackers were backed by the Russian government, hoping to destabilize the US Congress.
SolarWinds first confirmed the attack in December 2020, although it was undetected for several months. In March 2021, the hackers stole email credentials from the Department of Homeland Security, even though most government departments had warned their employees to shut down Orion, the affected SolarWinds product. The attacks also impacted the Departments of Energy, Treasury, and Commerce, Mimecast, and Microsoft.
With the prevalence of island hopping, you should take steps to prevent your network and servers from being attacked by malicious parties. Here are a few ways you can do this.
Multi-factor authentication involves using various verification checks, like fingerprint and ID confirmations, to confirm the identity of anyone trying to access your network. This extra layer of security, though tedious, always proves helpful. Hackers with stolen login credentials will find it almost impossible to get past a fingerprint confirmation check or a face ID verification.
Island hopping attacks take many forms, and regular security protocols may not always be enough to prevent them. Your security software has to be updated constantly as island hopping attacks become more sophisticated. It's also best to have an incident response team on standby to deal with unforeseen threats that get past security.
Many organizations recognize the risks of island hopping and have set cybersecurity standards for any would-be partners and associates. Advise current partners to upgrade their security systems; those without advanced checks should have restricted access to your network.
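Restricting partner access only helps if partner sessions are checked against that restriction instead of being waved through as trusted. The sketch below is an added example, not something from the original article: it audits login records against a per-partner scope and flags sessions that come from an unregistered source, reach a system outside the partner's remit, or skip multi-factor authentication. The account names, hosts, log format, and policy are all constructed for illustration.

```python
import ipaddress

# Constructed policy (hypothetical names): what each partner account may do.
PARTNER_SCOPE = {
    "hvac-vendor": {
        "sources": ["203.0.113.0/28"],        # partner's registered egress range
        "destinations": {"billing-portal"},   # the only system the contract needs
        "mfa_required": True,
    },
    "mssp-soc": {
        "sources": ["198.51.100.0/24"],
        "destinations": {"siem", "edr-console"},
        "mfa_required": True,
    },
}

# Constructed sample log: timestamp account source_ip destination mfa=<yes|no>
SAMPLE_LOG = """\
2024-05-01T09:02:11Z hvac-vendor 203.0.113.5 billing-portal mfa=yes
2024-05-01T23:47:30Z hvac-vendor 203.0.113.5 pos-server-12 mfa=yes
2024-05-02T02:13:08Z mssp-soc 192.0.2.77 siem mfa=no
2024-05-02T08:00:00Z jsmith 10.1.4.20 hr-app mfa=yes
"""

def check_session(account, src, dest, mfa):
    """Return the list of policy violations for one partner session."""
    policy = PARTNER_SCOPE.get(account)
    if policy is None:
        return []  # not a partner account; covered by other controls
    findings = []
    ip = ipaddress.ip_address(src)
    if not any(ip in ipaddress.ip_network(net) for net in policy["sources"]):
        findings.append("unexpected-source")
    if dest not in policy["destinations"]:
        findings.append("out-of-scope-destination")
    if policy["mfa_required"] and mfa != "mfa=yes":
        findings.append("no-mfa")
    return findings

def audit(log_text):
    """Return (timestamp, account, finding) tuples for every violation."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dest, mfa = line.split()
        alerts.extend((ts, account, f) for f in check_session(account, src, dest, mfa))
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```

The second sample line is the pattern from the Target case described earlier: valid partner credentials from the expected address, but pointed at a system the partner has no reason to touch.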
Island hopping attacks have become more prevalent. Organizations with lax security protocols risk being victims of threat actors unless they upgrade their systems.
However, more is needed. Third-party partners without advanced security systems pose a risk and should not have unlimited access. If limiting access is impossible, such partners should upgrade their systems.
Oluwademilade is an MUO staff writer focused on everything tech. Since 2019, he has contributed to several websites, and prominent media outlets and professionals in the tech space have acknowledged his writing. Besides writing, Oluwademilade likes to read, play the bass guitar, and travel.