
Comprehensive Analysis and Mitigation Strategies for the Nikkei BEC Attack on Nikkei America, Inc.


Executive Summary

In September 2019, Nikkei, a prominent financial media organization based in Japan, became the target of a sophisticated Business Email Compromise (BEC) attack. This incident resulted in the unauthorized transfer of approximately $29 million from Nikkei America, Inc. to cybercriminals. The attackers successfully impersonated a Nikkei executive, deceiving an employee into executing the fraudulent transaction. This report delves into the technical intricacies of the BEC attack, explores the exploitation tactics used, and provides actionable mitigation strategies to safeguard against such threats.

Technical Information

Business Email Compromise (BEC) is a highly targeted form of cybercrime that exploits the trust and authority associated with business email communications. Cybercriminals employ a combination of social engineering and technical intrusion techniques to gain access to legitimate business email accounts. Once compromised, these accounts are used to initiate unauthorized wire transfers, often involving substantial sums of money.

The BEC attack on Nikkei involved the impersonation of a senior executive, a common tactic in such scams. The attacker crafted convincing emails that appeared to originate from the executive's account, instructing an employee to transfer funds to a specified account. This method leverages the inherent trust within corporate hierarchies, making it challenging for employees to discern fraudulent requests from legitimate ones.

Globally, BEC attacks have resulted in significant financial losses, with the FBI reporting over $1.3 billion in losses in 2019 alone. High-profile cases, such as those involving Facebook and Google, underscore the widespread nature of this threat. In these instances, attackers impersonated employees of well-known companies, leading to substantial financial losses.

The MITRE ATT&CK framework provides a comprehensive overview of the tactics and techniques employed in BEC attacks. Key tactics include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Specific techniques relevant to BEC include Phishing (T1566), Valid Accounts (T1078), Email Collection (T1114), and Data Encrypted for Impact (T1486).

Exploitation in the Wild

BEC attacks are characterized by their stealth and precision. In the case of Nikkei, the attacker meticulously crafted emails to mimic the communication style of the impersonated executive. Indicators of Compromise (IOCs) in such attacks often include unusual email activity, unexpected requests for financial transactions, and anomalies in email headers or metadata.

The exploitation of BEC vulnerabilities is not limited to a single industry or region. Financial institutions, media companies, and multinational corporations are frequent targets due to the high-value transactions they conduct. The global reach of BEC attacks necessitates a comprehensive understanding of the threat landscape and proactive measures to mitigate risks.

APT Groups using this vulnerability

While specific Advanced Persistent Threat (APT) groups have not been directly linked to the Nikkei incident, BEC attacks are commonly associated with financially motivated threat actors. Groups such as APT38, known for their focus on financial institutions, have been implicated in similar operations. These groups leverage sophisticated techniques to infiltrate corporate networks and execute high-value financial fraud.

Affected Product Versions

BEC attacks do not target specific software products or versions. Instead, they exploit vulnerabilities in human behavior and organizational processes. As such, any organization conducting financial transactions via email is potentially at risk. The focus should be on strengthening email security protocols and employee awareness to mitigate the threat.

Workaround and Mitigation

To defend against BEC attacks, organizations should implement a multi-layered security strategy. Email security solutions, such as advanced filtering and threat detection systems, can help identify and block phishing attempts. Regular cybersecurity awareness training is crucial to equip employees with the knowledge to recognize and report suspicious emails. Implementing multi-factor authentication and verification procedures for financial transactions adds a further layer of security. Finally, organizations should develop and regularly update an incident response plan to swiftly address and mitigate BEC attacks.
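As an added illustration of the header and metadata anomalies listed under Exploitation in the Wild and of the email-filtering and transaction-verification controls described here, the following Python script checks a raw message for several common BEC indicators and decides whether a payment request should be held for verification. This is example code written for this page; it is not Rescana's platform code nor any tool named in the report. The corporate domain example.com, the executive name, the urgency phrase list and the two sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the organization's own domain and the display names
# of executives most likely to be impersonated in a BEC email.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

# Constructed list of phrases typical of fraudulent payment requests.
URGENCY_PHRASES = (
    "wire transfer", "urgent", "confidential", "new bank account",
    "do not call", "change of banking details",
)


def analyze_message(raw: str) -> list[str]:
    """Return the BEC indicator labels found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Executive display name on a sender address outside the corporate domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append("executive-name-external-domain")

    # 2. Reply-To steering replies to a different mailbox than the From address.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")

    # 3. Authentication-Results header recorded by the receiving MTA reporting
    #    an SPF, DKIM or DMARC failure for the sending domain.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=softfail" in auth:
            findings.append(f"{mech}-fail")

    # 4. Lookalike domain: the corporate name embedded in a foreign domain.
    base = CORPORATE_DOMAIN.split(".")[0]
    if from_domain != CORPORATE_DOMAIN and base in from_domain:
        findings.append("lookalike-domain")

    # 5. Payment-urgency language in the plain-text body (two or more phrases).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("payment-urgency-language")

    return findings


def should_hold_for_verification(raw: str) -> bool:
    """Hold the request for an out-of-band check when two or more indicators fire."""
    return len(analyze_message(raw)) >= 2


# Constructed sample: an impersonation attempt with a lookalike sender domain.
SUSPICIOUS_MSG = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: finance.desk@mailbox-example.net
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-corp-mail.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Please process an urgent wire transfer to the new bank account below today.
This is confidential, do not call me, I am in meetings all day.
"""

# Constructed sample: a legitimate internal message from the same executive.
BENIGN_MSG = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached are the notes from today's budget review. No action needed.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        print(label, analyze_message(sample), "hold:", should_hold_for_verification(sample))
```

The script only uses the Authentication-Results header that the receiving mail server has already written, so it is suited to a mailbox-side or SIEM-side check rather than to performing SPF or DKIM lookups itself; the threshold of two indicators before holding a payment request is a deliberately conservative starting point that a security team would tune against its own mail traffic.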

References

For further reading and resources, please refer to the following links:

HackRead Article on the Nikkei BEC Attack: https://hackread.com/bec-attack-nikkei-employee-transfers-29-million-scammers/

MITRE ATT&CK Framework: https://attack.mitre.org/

FBI Internet Crime Complaint Center (IC3) Reports on BEC: https://www.ic3.gov/

Rescana is here for you

At Rescana, we are committed to helping our clients navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate cyber threats. We encourage you to reach out to us at ops@rescana.com with any questions or concerns regarding this report or any other cybersecurity issues. Our team is here to support you in safeguarding your organization's digital assets.
