Companies going through a merger or acquisition, as well as their lawyers, financial advisers, and other associated firms are all tempting targets for cyberattackers, according to a new report from Digital Shadows.
The attackers use public sources for the first round of information gathering, then spearphishing and malware campaigns against targeted individuals. They are often undetected because many companies still ignore cybersecurity when doing due diligence, the report said.
The attackers are "apex predators" said Rick Holland, the company's vice president of strategy.
"This is not your run of the mill Nigerian email phishing scam," he said.
Once they successfully hack into a company, attackers will their look for information that can help them manipulate financial markets, while other attackers steal intellectual property or personal or other data that they can monetize.
Rick Holland, the company's vice president of strategy at Digital Shadows
"With intellectual property theft, it is more difficult to see how it is monetized," Holland added. The stolen information could be used by foreign governments or business competitors, and the payoff could take years.
To protect themselves, companies should be conducting cybersecurity due diligence, he said.
In addition, companies shouldn't wait and see if they've been targeted.
"I would assume that you are being targeted," he said. "Especially if you are in the legal industry, banking industry -- anyone involved in the supply chain for mergers and acquisitions, you are definitely going to be targeted. If you have high-value intellectual property, I would assume that you are being targeted."
For example, at the end of 2015, the FBI warned advisory firms that securities traders were using hackers-for-hire to attempt to access the email accounts of over 100 executives in order to get privileged information about companies and conduct securities fraud.
Another group targeted the hotels where executives were staying, infiltrating the hotel's networks and using very precise information about their targets to infect them with malware.
Global merger and acquisition activity reached record-breaking deal values in 2015 at over $4 trillion. In 2016, high levels of activity are expected to continue.
The risk of attack starts before an official merger announcement is even made, while companies are still in the preparatory stages.
Attackers look for clues that a company may be considering a merger or acquisition in its job postings, industry gossip, and data leakage on social media or blogs. Other signs include a slowdown in a company's feature release cycle, or staff reductions during a period of profitability.
[ MORE TO LOOK OUT FOR: On the hunt for merger or acquisition? Make sure your target is secure ]
This is a period of tension and uncertainty within companies, and employees may be more vulnerable to spearphishing campaigns, or may even intentionally leak data, said the report.
As the merger process advances and becomes public, more attackers will appear, but companies will continue to remain more vulnerable for some time, due to disenfranchised employees, and the inheritance of vulnerable network infrastructure.