[BreachExchange] The Gray Market: Why a Colossal Hack of US Interests Should Wake Up the Art Industry to Cybersecurity Threats (and Other Insights)

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 21 21:18:39 EST 2020


https://news.artnet.com/opinion/gray-market-solarwinds-hack-1932967

ONCE MORE INTO THE BREACH

Last Sunday, Reuters broke the news of what appears to be one of the most
expansive, longest-running, and most damaging hacks in US history. The
story should also double as a visceral reminder that, as the art market
continues its aggressive march into enhanced online sales and global
connectivity, cybersecurity deserves far more attention than it’s likely
gotten during this anarchic year.

First uncovered by the cybersecurity firm FireEye, the mega-breach
qualifies as what experts call a “supply-chain attack.” Rather than
directly infiltrating their targets by stealing employees’ usernames and
passwords, hackers instead broke into software that the true targets
installed from a legitimate third-party supplier as part of a regular
systems update. The corrupt software then provided the assailants a
difficult-to-detect back door into the end user’s network—a back door that
has been swinging open for six to nine months, per multiple reports.

Central to the debacle is a Texas-based IT company called SolarWinds, which
produces software that manages the server networks of major public and
private clients alike. According to Reuters, the firm’s “customers include
most of America’s Fortune 500 companies, the top 10 US telecommunications
providers, all five branches of the US military, the State Department, the
National Security Agency, and the Office of President of the United
States.”

While the full extent of the SolarWinds breach will not be known for
months, Microsoft confirmed that the hackers exploited at least “40
companies, government agencies, and think tanks,” per the New York Times.
“Nearly half” of that cohort’s members are private tech companies, with
“many” specializing in cybersecurity. An earlier Times story identified the
Department of Homeland Security and “parts of the Pentagon” as confirmed
government victims.

Secretary of State Mike Pompeo stated on Saturday that US officials “can
say pretty clearly” that the culprits were Russian state actors. Russian
officials have vigorously denied responsibility.

Despite the fog of cyberwar, there is a strong belief that the damage is
extensive. In a New York Times op-ed last Wednesday, Thomas Bossert, the
homeland security advisor for former president George W. Bush, contends the
hackers “most certainly” gained “complete control” over hundreds of the
networks they infiltrated, giving them “the power to destroy or alter data
and impersonate legitimate people.” He suggests they also retain passive
spying privileges inside many more systems.

So how scared should the art industry be about this digital debacle? As
usual, there is good news and bad news…

ART OF THE STEAL

Let’s start with the positive side. Put simply, the art industry is nowhere
near large or consequential enough to attract digital espionage as
laborious and sophisticated as the kind at the crux of the SolarWinds
story. According to Bossert, supply-chain attacks can take years to
execute, which is why they are “almost always the product of a
nation-state.”

But the bad news is twofold: first, the arts ecosystem is still valuable
enough to attract small-time cyberthieves; and second, most of the
industry’s participants are still so ill-fortified that even relatively
simple hacks can be devastating.

In case it slipped your mind at some point during daily life’s monthslong
meltdown into experiential fondue, hackers have spent the past few years
assailing different facets of the art ecosystem with a variety of
techniques. A lawsuit filed in January sprang from a cyberthief’s
interception of a $3.1 million wire transfer between a Dutch museum and a
British dealer during the would-be sale of a John Constable painting. The
culprit used what’s known as a “man in the middle” attack, in which a
hacker infiltrates a company’s email system and begins impersonating the
buyer and seller to divert communications and funds their own way before
disappearing.

The same technique played a central role in what The Art Newspaper called a
“cyber crime wave” that washed through galleries including Hauser & Wirth,
Simon Lee, and Thomas Dane in 2017. (Hauser & Wirth managed a “full
recovery” of the funds in question, but Lee and Dane were not as
fortunate.)

Sales aren’t the only point of digital vulnerability for the arts, either.
In May 2019, the Asian Art Museum of San Francisco was hit with a
ransomware attack, in which hackers take control of a target’s digital
infrastructure and threaten to corrupt or obliterate it unless the victim
coughs up a sizable fee (usually payable in cryptocurrency).

Fortunately, the Asian Art Museum managed to thwart the attack with the
help of the city’s IT experts. But Tyler Cohen Wood, a cybersecurity
consultant and the former cyber deputy chief of the Defense Intelligence
Agency, told my colleague Sarah Cascone at the time that he was “surprised
that hacking hasn’t happened at more museums.” The reason? Their records
contain a treasure trove of personal and financial information on donors
and their collections.

Even art-services providers have been breached. In February 2019, a
“large-scale hack” of 16 websites led to data on one million Artsy users
being made available on the dark web—just a small tranche of a package of
617 million sets of online-account details collectively priced at under
$20,000. The Artsy data exposed by the breach was relatively harmless;
according to Artsy’s then-CTO Daniel Doubrovkine, it mainly consisted of
users’ names, emails, and IP addresses, and there was “no evidence that
commercial or financial information was involved.”

A similar episode played out just this September, when the infiltration of
a cloud-computing company named Blackbaud resulted in personal information
on donors to roughly 200 US and UK institutions winding up in hackers’
hands. Luckily, as in the Artsy breach, Blackbaud asserted that financial
details were not among the pilfered data.

Still, these episodes should have been a wake-up call to the whole industry
about the importance of cybersecurity—an importance that has only increased
during our forced pivot online.

HOME ALONE

Setting aside the rise in digital transactions, the number of soft spots in
the art industry’s cyber-defenses has greatly increased thanks to the
work-from-home surge. This shift in white-collar labor practices has meant
more digital communication reliant on personal telecom networks, equipment,
and protocols, all of which tend to be less standardized—and therefore less
secure—than even modest corporate equivalents.

Hackers have already exploited this change at the financial apex of the
private sector. Over the summer, the New York Times relayed that Symantec
Corporation, a cybersecurity subsidiary of enterprise-software giant
Broadcom, “reported that Russian hackers had exploited the sudden change in
American work habits to inject code into corporate networks with a speed
and breadth not previously witnessed.” In the crosshairs were at least 31
companies “including major American brands and Fortune 500 firms.”

Although Symantec did not publicly disclose the names of the targets or the
value of the ransoms, the cybercriminals (who dubbed themselves Evil Corp.
in smirking honor of the hacker-centric cable drama Mr. Robot) had demanded
fees north of $10 million in previous attacks.

Similar to the SolarWinds mega-breach uncovered last week, the scale of the
potential payoffs sought by Evil Corp. ensures that the arts likely don’t
have to worry about this group in particular. (The Times reported that Evil
Corp’s malware “looked for a sign that the computer was part of a major
corporate or government network” before striking.)

But as we’ve seen again and again, our niche business has proven to be
low-hanging fruit for much less advanced digital brigands. In the sudden
transition to mass work from home, as well as a challenging (to say the
least) fiscal year, how many dealers, institutions, auction houses,
advisors, and art-services companies have had the wherewithal to even
review, let alone upgrade, their cyberdefenses?

How many who have managed to weather the storm so far feel like now is the
time to focus on this hard, boring, and potentially expensive element of
their operations? How many are hoping that the approaching end to lockdown
life is near enough that they can skate by without reworking their digital
infrastructure?

At the same time, how many hackers probing the business landscape for
weaknesses are asking these same questions—and answering them with the same
low estimates that I am?

It’s not a thought that will warm up many art professionals as we plunge
into this uniquely dark winter. But as is so often the case, what we least
want to think about is what we most need to.

That’s all for this week. ‘Til next time, remember what might be the only
point where cybersecurity experts and therapists agree: it’s almost
impossible to meaningfully connect without making yourself vulnerable.