
Private equity firms sit at the intersection of high-value financial transactions, sensitive deal data, and an expanding portfolio of technology-heavy portfolio companies, and it’s this combination that makes PE an attractive target for cyberthreat actors.

For hackers, the appeal lies in the information they can collect from PE: an understanding of how a business operates. The level of detail, knowledge, data and insights available to hackers who target PE offers them a window into a wide variety of different portfolio companies. There is a real possibility that a PE firm becomes the springboard into other organisations, in the same way that a technology provider is frequently a way into additional businesses.

The recent Thomas Murray webinar, The Art of the Hack: How Cyber Criminals Are Targeting Private Equity, saw PE expert Ed Starkie and ethical hacker Hassan Mahmud discuss exactly how deal hackers identify vulnerabilities, and the methods they use to extract value and destabilise firms.

So, how do hackers select their targets? 

When opportunity knocks

Typically, when hackers target an organisation, they're looking to see where there’s an opportunity. From an external point of view, they’re looking at whether they can attack the organisation from outside. They’ll look at whether firms are in merger talks, for example, or whether they’re being bought by a PE house (or anyone else). There might also be changes taking place in an organisation that can offer a way in for cybercriminals.

For hackers, opportunities always exist, but there are a lot of fast-moving parts to consider. They will sometimes target a person directly, saying that they're from one of the merging companies and that they need access to something. Or they might send an email to employees saying they need to complete ‘X’ training to be onboarded (onto new systems, for example), and those unfortunate employees will then click through and provide a way in.

The value of intellectual property 

Another area hackers seek to exploit is intellectual property (this has been seen a lot with gaming organisations). Hackers act because companies have intellectual property; they have code. Organisations that don't necessarily release a lot are attacked because they have this valuable intellectual property. For example, there might be a firewall company with code that’s not open source (not open to the internet). Gaining access to this code will then allow a hacker to embed vulnerabilities.

Ultimately, it will depend on what the hacker’s eventual goal is: mass internet compromise, or targeting a specific organisation to make some money. If there’s a lot of financial activity taking place, or if the companies involved are very well known, they can be targeted as well.

One thing you often see is a specific organisation or industry coming under fire from a specific group of bad actors. Where there's a group, there will be conversations and group dynamics that lead to a consensus around attacking a particular group for a particular reason, with some industries targeted more than others (retail, for example). With this kind of focus, the threat actors gain the benefit of greater industry knowledge and specialism, particularly on the terminology used and the common technology and its likely use within the business.

Preparing for the inevitable

On external negligence and the human aspect: where a number of changes are taking place, it's not that people's defences go down; it’s that they’re likely being bombarded with information, some of which they may miss, or they may overlook something they need to do to ensure their company remains safe from external threat actors. So, while there are a multitude of things going on around an acquisition, there may also be a hacker taking advantage and sneaking under your radar, or under the radar of one of your key trusted parties who is also working on a transaction or supporting your business function.

It's important to remember that it’s not a case of ‘if’ you have a cyberattack, it's a case of ‘when’ it will happen. So, it's about being prepared for that scenario. In this context, a private equity organisation carries an almost disproportionate degree of importance. Whether or not you use the term ‘pivotal’, a PE firm is one that sits at the heart of an ecosystem, and that gives potential access to other associated targets. It’s for this reason that these companies should always consider the value of ongoing cybersecurity monitoring.  


5 Key Takeaways from a Deal Hacker

Also from this series, read 5 Key Takeaways from a Deal Hacker to find out what PE firms should look for when doing cyber deal due diligence. 

The Private Equity Cyber Security Checklist

For private equity partners and portfolio managers focused on value creation, understanding and mitigating cyber security risk is critical. 

Explore our Cyber Security Checklist for Private Equity for 10 essential steps to improve cyber security, protect portfolio investments, and maximise exit value. 
