Utilizing Island Hopping in Targeted Attacks

September 25, 2014

Every company is a potential cyber-attack target; even if they’re not the "end target." This is what "island hopping" aims to achieve.

Island Hopping, also known as “leapfrogging” was formerly known as a military strategy in which attackers initially concentrate their strategy on entities that were not their original targets but can be leveraged in order to get to the original target.

Island hopping or “leapfrogging” is also being applied in targeted attacks, where attackers carry out the technique by not going straight to the target company. Instead, attackers go after their target’s affiliates first – preferably smaller companies who may not be as protected. These targeted companies may be from any industry of any size, including small businesses, payroll and HR services, healthcare firms, and law firms.

Attackers that use the island hopping technique may then use these companies to gain access to the affiliate in order to get to the target company. Another way it is applied is when the attacker moves laterally within the target network itself. Attackers usually scan for other systems connected to the one initially compromised and attempt to penetrate them as well.

Target data breach

One of the most notable cases of a targeted attack that used the island hopping technique was the Target data breach early 2014. The story behind the Target data breach inevitably revealed that Fazio Mechanical Services, a heating and refrigeration firm, reported that their systems were abused by cybercriminals in order to breach the retail giant. Multiple sources close to the investigation reveal that credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.

Recommendations and countermeasures

It is recommended for IT administrators to look out for these signs of a potential data breach:

  • Injected DNS records -Attackers often tamper with DNS records in order to make sure that connections to their C&Cs are not blocked.
  • Failed/irregular logins - Checking for failed login attempts, as well as successful ones made at irregular time periods can reveal attackers’ attempts to move within the network.
  • Unknown large files are often an indicator of a data breach and may need to be checked as it may contain data stolen from within the network. Attackers often store these files in their targets’ systems prior to exfiltration
  • It's important to study the warnings issued by your security solutions even though most warnings flag non-malicious files.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.