Island hopping probably sounds more like an activity you would carry out in the Bahamas rather than an attack strategy, but it’s actually used quite often by cybercriminals to attack networks without directly hacking into them. So what is an island hopping attack and how can you protect against it?
What is an island hopping attack?
The term “island hopping” comes from World War II. US forces wanted to reach mainland Japan and had to move from island to island, using each as a launching pad for the next, with the mainland as the main objective. It was known as Leap Frog at the time.
In an island-hopping attack, threat actors go after your partners and other external associates, using their cyber vulnerabilities to gain access to your more secure network. These threat actors are entities or individuals that engage in actions that undermine, or have the potential to affect, your organization’s cybersecurity. They can go to great lengths to bypass their target’s firewalls, and one efficient method is island-hopping.
Manufacturing, financial, and retail companies are the primary targets of this form of cyberattack. In cases like these, the target’s security systems are airtight and largely immune to direct invasions, so hackers pose as considerably less secure partners.
The target organization trusts these partners and they are connected to its network. Hackers exploit the trust relationship and attack the complex defense mechanisms of the real target through their weak links with other organizations.
How does the Island Hopping attack work?
Island hopping attacks are effective because they do not trigger alerts in the target’s security system. These alerts are typically triggered when an attempt is made to enter the host’s network from an untrusted or unregistered device. Partner entries are rarely flagged, and threat actors take advantage of this lapse.
There are three standard methods that threat actors adopt in their island-hopping mission.
1. Network-based attack
This method consists of infiltrating an organization’s network and using it to access another associated network. In this attack, the threat actors typically go after the organization’s Managed Security Service Provider (MSSP).
MSSPs are IT service providers that sell security to small businesses and large organizations, protecting them against cybersecurity threats. They use software, or a team of personnel, to respond to these threats as soon as they occur. Many companies outsource their IT security department to these MSSPs, making the vendors a target for hackers.
2. Watering hole attacks
This form of island-hopping involves infiltrating sites frequented by the primary target’s customers, business partners, and employees. Bad actors assess the security of these sites and insert malicious links when they find weaknesses.
These links lead to compromised platforms that automatically inject malware into the visitor’s computer. Once the injected malware is operational, threat actors can use the collected information to gain access to the primary target.
3. Business email compromise
A phishing scam is usually the first step in this method. Cyber criminals pose as a reputable commercial entity. Yahoo, Facebook and popular commercial banks are the brands most often impersonated in these attacks, as hackers send malicious links in spam emails.
Once the bait is taken and the link is clicked, hackers use malware to compromise the user’s computer. This method is aimed at high-ranking officials or executives of the organization.
Keylogger software is sometimes used here to steal the email accounts of these executives. Sensitive information is siphoned from the email accounts and is then used to infiltrate the targeted organization.
Island Hopping Precedents: Target and SolarWinds
In 2013, one of the largest US retailers, Target, was caught up in an island-hopping nightmare. And in 2020, SolarWinds, an IT management provider, fell victim to an island-hopping attack.
Target: The Nightmare of a Holiday Season
Threat actors compromised Target’s point-of-sale system and stole the financial information of around 40 million customers. This resulted in Target paying the largest data breach settlement.
$18.5 million was agreed to settle with 47 states and the District of Columbia after hackers stole most of the retail giant’s customer credit and debit card information during the 2013 holiday season. The data breach cost Target more than $300 million. But this was not a direct attack on the company’s servers.
It started with Fazio Mechanical Services, another company that provides heating and cooling for Target. They experienced a malware attack two months before the Target breach. The threat actors took the email credentials and used them to access Target’s servers.
The SolarWinds attack affected more than 18,000 companies and even US government departments. All those affected had one thing in common: an IT management provider called SolarWinds.
As is typical of island hopping attacks, SolarWinds was not the primary target. With the number of US government departments affected, there were rumors that the hackers were backed by the Russian government, hoping to destabilize the United States Congress.
SolarWinds first confirmed the attack in December 2020, though it went under the radar for several months. In March 2021, hackers stole the email credentials of the Department of Homeland Security, despite the fact that most government departments had warned their employees to shut down Orion, the affected SolarWinds product. The attacks also affected the Departments of Energy, Treasury and Commerce, Mimecast and Microsoft.
How to protect yourself from island hopping attacks
With the prevalence of island-hopping, you must take steps to prevent your network and servers from being attacked by malicious parties. Here are some ways you can do this.
1. Use multi-factor authentication
Multi-factor authentication involves using various verification checks, such as fingerprints and ID confirmations, to confirm the identity of anyone trying to access your network. This additional layer of security, while tedious, is always useful. Hackers with stolen login credentials will find it nearly impossible to pass a fingerprint confirmation check or facial ID check.
2. Have an incident response plan on standby
Island-hopping attacks take many forms, and sometimes regular security protocols may not be enough to prevent every occurrence. Your security software must be constantly updated as island-hopping attacks become more sophisticated. Also, it’s better to have an incident response team on standby to deal with the latest and unforeseen threats that can bypass security.
3. Embrace the latest cybersecurity standards
Many organizations recognize the risks of island hopping and have established cybersecurity standards for any potential partners and associates. Advise current partners to update their security systems; those without advanced controls should have restricted access to your network.
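Restricted partner access only helps if it is checked, because partner logins are exactly the entries that rarely get flagged. The sketch below is an added example, not part of the original article: it reviews login records for partner accounts against a per-partner scope. The account names, host names, policy format and log format are hypothetical, and the log lines are constructed samples.

```python
import ipaddress

# Hypothetical policy: for each partner account, the source networks it is
# registered to connect from and the only internal hosts it may reach.
PARTNER_POLICY = {
    "hvac-vendor": {"sources": ["203.0.113.0/24"], "hosts": {"billing-portal"}},
    "mssp-soc": {"sources": ["198.51.100.0/24"], "hosts": {"siem", "edr-console"}},
}

# Constructed sample log, one record per line:
# timestamp account source_ip destination_host result
SAMPLE_LOG = """\
2024-01-10T09:02:11Z hvac-vendor 203.0.113.7 billing-portal success
2024-01-10T09:05:40Z mssp-soc 198.51.100.20 siem success
2024-01-11T02:13:50Z hvac-vendor 203.0.113.7 pos-server-12 failure
2024-01-11T02:14:03Z hvac-vendor 203.0.113.7 pos-server-12 success
2024-01-11T02:31:55Z mssp-soc 192.0.2.99 edr-console success
2024-01-11T03:00:00Z alice 10.0.4.15 pos-server-12 success
not a log line
"""

def review_partner_logins(log_text, policy=PARTNER_POLICY):
    """Return (timestamp, account, reason, result) for out-of-scope partner logins."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed record, skipped here
        ts, account, src, host, result = fields
        rule = policy.get(account)
        if rule is None:
            continue  # not a partner account; covered by other controls
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            findings.append((ts, account, "unparseable-source", result))
            continue
        if not any(ip in ipaddress.ip_network(net) for net in rule["sources"]):
            findings.append((ts, account, "unregistered-source", result))
        if host not in rule["hosts"]:
            # Denied attempts are reported too: they show a partner identity
            # probing beyond its agreed scope.
            findings.append((ts, account, "out-of-scope-host", result))
    return findings

if __name__ == "__main__":
    for finding in review_partner_logins(SAMPLE_LOG):
        print(*finding)
```
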
Don’t be a victim: restrict access or upgrade your security
Island hopping attacks have become more frequent. Organizations with lax security protocols are at risk of falling victim to threats unless they update their systems.
However, more is needed. External partners without advanced security systems are a risk and should not have unlimited access. If it is impossible to limit access, such partners must update their systems.