Cyber Threats Targeting Mergers and Acquisitions

Cyber Threats Targeting 

Mergers and Acquisitions 

1

Table of Contents 

Executive Summary ............................................................................................................. ..3 

1. Introduction ..................................................................................................................... ..4 

2. Associated threat actors................................................................................................. ..5 

FIN4...................................................................................................................................... ..5 

DarkHotel............................................................................................................................. ..5 

Other historical cases and risks.......................................................................................... ..6 

3. Steps of the Merger/Acquisition Process...................................................................... ..7 

Preparation for acquisition and/or valuation....................................................................... ..7 

Marketing.............................................................................................................................. ..9 

Due Diligence....................................................................................................................... ..9 

Negotiations, signing (and announcements)....................................................................... 10 

Waiting period and final merge............................................................................................ 10 

5. Conclusion........................................................................................................................ 11 

End notes.............................................................................................................................. 12 

Appendix 1: 10 Risk Considerations for Mergers and Acquisitions................................... 13 

2 

© All Rights Reserved

Executive Summary 

Global merger and acquisition (M&A) activity reached record-breaking deal values in 2015 at 

over $4 trillion, with the resulting deals expected to add $1.5 to $1.9 trillion in value to these 

companies. 1 In 2016, high levels of activity are expected to continue. 

While mergers and acquisitions propel companies forward, the M&A process also fuels 

significant opportunities for cyber criminals. Failure to secure sensitive information during 

this time opens the door to threat actors looking to profit by exploiting financial markets and 

proprietary intellectual property (IP). Given the value to be gained once the companies are 

combined, it’s safe to say that ensuring successful integrations will be a priority on boardroom 

agendas. Security, both during the M&A process and after the deal is closed, will play a central 

role in positive outcomes. 

In this report, Digital Shadows examines cyber risks or possible degradation to a company’s 

security posture as a result of the M&A process. The report takes historical cases of threat 

actors and applies other likely threats across the five-stages that companies typically go 

through during a merger or acquisition. Along each stage new risks emerge and advanced 

attackers, well-versed in corporate espionage techniques, stand to profit. Individuals’ behaviors, 

unintentional clues and vulnerabilities in inherited network infrastructure and software can all 

present risk. However, organizations armed with these insights can better understand the threats 

they face and mitigate accordingly. 

3

1. Introduction 

Mergers and acquisitions can be exciting, but they are also marked by hectic, stressful and 

frustrating periods. Vigilance is required at all stages throughout the M&A process, as a failure to 

secure sensitive information constitutes both a threat to the organization and an opportunity for 

threat actors. Over the past several years, there have been notable examples of organizations facing 

cyber threats as a result of vulnerabilities that have emerged while going through a merger or 

acquisition. But what can organizations do about this? By understanding both how and at what stage 

of the M&A process these threats occur organizations can mitigate them. 

4 Any additional information can go here as a part of the footer 

(Edit the C-Master to update this text)

2. Associated threat actors 

While corporate espionage is nothing new, its impact on the financial market and proprietary IP 

by exploiting corporations involved in standard business practice has become more prevalent in 

recent years. Following are a few examples of methods used by cybercriminal groups to profit from 

companies going through the M&A process. 

FIN4 

First reported in December 2014, a threat actor group identified as FIN4 attempted to access 

the email accounts of senior leadership across 100 publicly traded companies or advisory firms 

that provide M&A services such as investor relations, legal counsel and investment banking. The 

group used common financial investor and shareholder-themed social engineering lures to gain 

information likely intended for use in insider trading. 

In December 2015, the FBI disseminated an advisory to private industry warning that criminal actors 

are targeting privileged information about companies to facilitate securities fraud. The advisory 

noted that traders might seek this kind of information from hackers-for-hire on the criminal 

underground and referenced FIN4 as a group engaged in this kind of behavior. Tactics include the 

use of phishing emails to distribute Trojans armed with keylogging capabilities and injection of 

malicious code into the macros of email attachments designed to dupe victims to enter their e-mail 

credentials. This data is then sent to the attackers. Specific information about the extent of such 

malicious activity was not provided, but it is likely that the advisory was prompted by a rise in this 

type of activity. 

DarkHotel 

As early as 2007, a group named DarkHotel waited for their specific victims, comprised of corporate 

executives and high-tech entrepreneurs travelling to various international hotels, to connect to 

the hotel Internet. At which point DarkHotel would infect them with a rare APT Trojan. They relied 

heavily on the very strong likelihood that their targets would connect over a hotel’s wired or wireless 

network. The attackers also compiled extremely precise targeting information about the victim’s 

visit, much like they would for a a spear-phishing attack. In preparation for the attack, DarkHotel 

members gathered the target’s expected arrival and departure times, room number and full name, 

among other information. This data enabled the attacker to present the malicious content precisely 

to the individual target with minimal risk of raising suspicion. 

5

Other historical cases and risks 

Further evidence of a company experiencing increased cyber risks during the M&A process was 

demonstrated during the Marriott Corporation acquisition of Starwood Group in 2015. On November 

16, 2015, the Marriott Corporation announced that it was to acquire the Starwood Hotels Group 

(including Sheraton, Westin, W, and Sheraton Four Points). On November 20, 2016, Starwood 

released a statement that it had been the victim of a point-of-sale malware breach. Third-party 

assessment of this acquisition questioned whether the Marriott Corporation had sufficiently probed 

this as a potential threat vector, as well as what impact the disclosure of this breach would have to 

Marriott. 

A note by Ernst & Young (EY) on the changes to IT infrastructure and processes resulting from 

mergers and acquisitions further highlights this type of risk. The note states that a proposed 

acquisition by a foreign organization had to be postponed indefinitely when it came under 

government scrutiny due to concerns that some of the software used by the acquiring company 

could expose the target company to “unacceptable cyber risks.” 2 This reinforces the concern that 

inherited infrastructure and software can represent a threat. 

Internal threats are another serious consideration for companies going through an M&A process. 

Reports have cited challenges to information security during M&A due to the perception by 

employees of an increased likelihood of redundancies or undesirable change. Employees are a 

demonstrable risk when disenfranchised. For example, on February 24, 2015 it was reported that 

an IT manager had used their access to an ex-employer’s servers to erase data (some of which was 

intellectual property). 3 Furthermore, a former employee of Gucci was charged for erasing data from 

and shutting down the servers of Gucci after having been fired. 

6

3. Steps of the Merger/Acquisition Process 

While evidence shows that corporate espionage is alive and well, and that actors have been 

successful in infiltrating many organizations with novel and indirect approaches, it’s important to 

understand where in the standard M&A process attacks can occur, and why. 

Figure 1 - The merger and acquisition process. 

While each merger or acquisition process will have its own nuances, all tend to follow the five broad 

stages illustrated in Figure 1. The following sections provide an overview of the cyber threats an 

organization is likely to face at each of these five stages. 

Preparation for acquisition and/or valuation 

The first identifiable stage of the process is the preparation for the acquisition or valuation of 

an organization. At this point, even though an official announcement has not been made, an 

organization is already vulnerable to threats. The potential buyer and the seller are both potential 

threat vectors. Organizations may take steps to make themselves more appealing to deal makers 

– perhaps through activity such as a second round of funding or other business decisions. Keen 

financial analysts may draw conclusions for themselves based on this activity, examples of which 

can be seen in public news posts such as Fortunes’ Term sheet blog, or as a result of inadvertent 

data leakage on social media or blogs. 

Sensitive information need not be explicit, however. As Figure 2 demonstrates, company-published 

job postings to sites such as LinkedIn looking to hire someone with M&A experience, or a person 

that would typically lead or be involved in the process such as a corporate development executive, 

can be a clue that M&A activity is in the offing. 

7

Figure 2 - The ease of access to information about individuals likely involved in M&A processes. 

Further information may be garnered from executives and employees within areas of 

business such as finance or corporate development, who may be subjected to unsolicited 

and even targeted emails with malicious payloads masquerading as company documents. 

There is no shortage of ways in which sensitive information may be exposed. For example, 

while the cloud is used more frequently throughout the enterprise, USB flash drive reuse is 

still rampant and a way to spread malware. Man-in-the-Middle malware attacks through an 

Internet browser can steal information the unsuspecting target innocently enters. And as 

evidenced in the reports of DarkHotel, there is also the added issue of traveling executives 

who may use unsecured wireless Internet connections while in transit or at a hotel. Such 

behavior can lead to system compromise and theft of personally identifiable information 

(PII), intellectual property, or proprietary and sensitive customer data that may be used in 

furthering access or attacks. 

All of these factors can lead to information about the deal being exposed earlier than 

the organization intended – information that is highly valuable to those with nefarious 

motivations. 

8

Marketing 

Marketing plays an important role in the M&A process, but it can also provide clues that threat 

actors may act upon. These clues are not always easily visible and spelled out. In fact, to the public 

these marketing activities may appear as business as usual, but to a trained analyst an identifiable 

pattern and opportunity can emerge. Some signals might appear in the form of a company visibly 

slowing down its cycle of new feature releases or showing a strength in profitability but meanwhile 

quietly reducing staff. Such activities can leave organizations open to threats. For example, based 

on such clues an attacker may target someone in corporate development with a one-page company 

summary designed to look like an M&A document, but in reality is part of a spear-phishing 

campaign. Or, in cases where a reduction in staff is occurring and speculation of M&A activity 

begins to spread, employees who are feeling overworked and at risk of losing their jobs may seek to 

intentionally leak data at the expense of the organization. 

Due Diligence 

Due diligence is one of the most important stages of the M&A process; it is an opportunity for 

the acquiring company to carefully review the target company with a fine-toothed comb to better 

understand their strengths, weaknesses and risks. That said, it’s important to ask the right 

questions as they relate to security and integrity of the organization. For example, the company in 

question may have previously experienced a data breach that was either never detected or never 

fixed. Similar issues may include the acquisition of insecure network infrastructure and software. A 

failure to detect these issues at this stage could have significant long-term effects for the acquiring 

company. To this end, Appendix 1 provides guidelines and recommendations for organizations to 

understand how they can mitigate such risks as part of the due diligence process, prior to finalizing 

the deal. 

It is also important to note that, at this stage of the process, the amount of data that is shared 

increases dramatically and so does the risk of a data breach. As such, organizations may well 

experience an increase in spear-phishing attempts as attackers strive to take advantage of a surge 

in valuable data that exchanges hands during due diligence. 

9

Negotiations, signing (and announcements) 

Towards the end of the M&A process, unknown and unnecessary data leakage can occur from 

employees across social media and blog platforms. Organizations that lack policies, mobile device 

management (MDM) and endpoint protection will be particularly vulnerable. Corporations should 

also be mindful of personal devices used on corporate networks or Internet of Things (IoT) devices 

that may be insecure and also contribute to data leakage. 

While all employees should be vigilant at this stage, it is executives who are particularly susceptible 

to leaking data. Poorly secured (or compromised) personal devices, as well as the use of such 

devices in the workplace, can inadvertently expose sensitive documents. The real-world element 

also cannot be ignored. For example, threat actors may watch physical behavior and travel of 

executives or staff where meetings and document reviews may occur. This demonstrates the 

lengths to which bad actors will go in order to acquire extremely valuable information. 

Once an announcement is made and the typical chaos and confusion ensues as IT systems and 

organizations merge, the floodgates will open. Lesser actors will jump into the fray, launching 

phishing and spam campaigns as well as possibly hacktivist attacks and disruptions, against both 

organizations. 

Waiting period and final merge 

The final stage of the process – when the majority of the hard work is already done –¬ is the waiting 

period before the final merge. The main risk at this stage comes from employees who fear a job 

loss or change. Staff may draw their own conclusions, recognizing redundancies or anticipating 

undesirable changes to their role or responsibilities. This can lead to disenfranchised behavior, 

which in turn may lead to negative social media and public outcry or protest, theft of intellectual 

property, or worse. 

In addition, if an attacker has established a foothold in a merging network, this is an optimal time to 

observe behavior and communication between the two organizations and patiently wait for access, 

or utilize that knowledge for social engineering. 

10

Conclusion 

There is demonstrable evidence to suggest that companies going through the M&A process have 

been targeted by malicious actors. Although specific information on threat actors targeting M&A 

processes is limited, clearly there is ample opportunity. A number of factors both prior to and after 

a successful bid by the acquiring company have the potential to degrade the acquiring company’s 

security posture. These include the inheritance of vulnerable network infrastructure and software 

and disenfranchised of employees who perceive threats to their job security or satisfaction. 

Further risks can be presented during the M&A process through the sharing of documents and 

the location of meetings if they are based in public locations. Data leakage, data loss and the use 

of insecure public networks are all factors that may degrade a company’s security posture. Finally, 

the awareness of malicious actors to the on-going bid and M&A process increases the targeting of 

the companies involved as malicious actors attempt to capitalize on opportunities presented by the 

changes happening within each company. 

By understanding threats that tend to occur at these various stages, organizations can be better 

prepared for the process. To reap the benefits of a merger or acquisition, security must be a 

forethought, not an afterthought. The due diligence stage allows organizations to gain a deeper 

understanding of what they are getting before signing on the dotted line. But regardless of where an 

organization is in the M&A process, it is important to remember that operational security practice 

can dramatically impact profitability. Throughout the discussions, and before plugging in the 

network cable or allowing the two networks to connect, organizations must be sure to understand 

what’s on the other side, and the risks present. 

End notes 

1. http://www2.deloitte.com/uk/en/pages/financial-advisory/articles/deloitte-m-and-aindex.html 

2. http://www.ey.com/GL/en/Services/Advisory/EY-cybersecurity-cyber-threat-flash-pointsmergers-and-acquisitions 

3. http://www.theregister.co.uk/2016/02/24/it_manager_goes_to_jail/ 

11

10 Risk Considerations for Mergers and Acquisitions 

1. Infrastructure 

• Provide logical and physical diagrams of the networks and 

locations 

• List all network hardware in place 

• List of routers including locations, manufacturer, model 

and rules 

• List of access control policies, mechanisms and network 

segmentation 

• List of domain names used with any hardware of software 

(e.g. email domains and aliased domains) 

• List of tag holders, domain name servers and expiry dates 

for the above domain names 

• List of databases, including locations, versions and 

accesses 

• List of Cloud and Software as a Service providers: 

• List of what services are used, content hosted and 

geographic locations 

• List of agreements and contracts including dates and details 

of all parties 

• List of any other services, applications, protocols, ports and 

other software installed on the network and hardware not 

included above 

• Cloud based file storage 

• OS providers, versions and licenses 

• Schedule and project plan of all ongoing or planned 

infrastructure updates or upgrades, including location, models 

and versions. 

• Expected timeline of completion 

2. Operations 

Security, 

Testing, and 

Mitigations 

• List all network security systems including location, 

manufacturer, model and rules 

• Firewalls 

• Intrusion detection and prevention systems, including 

network and host based detectors 

• List and description of certificates (e.g. SSL and PKI) used, 

including integrity report (Qualys) 

•List all email security and protection services (such as 

anti-malware, anti-spam, anti-phishing) including licenses, 

manufacturer, models, rules, incident reports and activity 

logs 

• List of logging systems and storage locations 

• List and description of access control, authentication and 

session management mechanisms 

• List of remote access methods, protocols and use 

policies 

• List all patch management solutions including patching policy, 

schedule for the last 6 months and any exceptions 

• List of any relevant data loss prevention or endpoint protection 

capabilities, and associated policies, activity logs and updates 

• Schedule of vulnerability assessments, penetration tests, code 

reviews and audits 

• Dates and scope 

• Results and exceptions 

• Risk mitigation undertaken 

• Schedule and documentation of actual known information 

security breaches, exposures and other incidents for the last 3 

years – identify countermeasures adopted 

• Copy of incident management procedure and details of any 

automated remediation capabilities 

3. Training and 

Awareness 

• Description of security awareness training provided and • Description of methods employees use to report security issues 

evidence of delivery over the last 2 years such as IP protection, including phishing 

phishing, data loss prevention, etc. 

• Assessment of corporate digital practices and regulatory 

• Proof of staff training on the protection of corporate intellectual 

property related to corporate IT/cyber policies 

• Proof of reputational protection programs 

compliance 

management mechanisms 

4. Agreements, 

Policies and 

Procedures 

• List of licensed or open source software, their authors 

(including if the author/creator was an employee, consultant 

or independent contractor at the time of development) 

• Monitor agreements and support contracts 

•Disaster recovery agreements 

• List of internal and external security policies 

• Software licenses, assignments, contracts, beta testing agreements, 

warranties and guarantees 

• Support and/or maintenance contracts 

• Product documentation and manuals 

• Third-party software 

• Other intellectual property 

5. Intellectual 

Property 

• List of U.S. and foreign trade names, brand names, service 

marks, trademarks, logos, strap lines and slogans 

•List of U.S. and foreign patents, patent rights, designs 

and innovations (wholly or jointly owned) – provide copies if 

applicable 

• List of any and all intellectual property copyrights or 

trademarks – provide information if applicable 

• Copies of terms of use, privacy statement, trademark usage 

guidelines, and any other policies such as content, abuse, 

acceptable use, security and privacy 

• Full details of people responsible for maintenance and 

protection of intellectual property rights and copies of 

correspondence from third parties regarding potential 

infringement of intellectual property rights of others 

12

6. Standards 

and Compliance 

• List any mandatory or optional compliance standards, 

codes of practice or accreditations 

• Evidence of compliance with all above items in this section 

• Copies of governmental licenses or permits to operate in 

business sector, if applicable (e.g. Financial Services Authority) 

7. Risk, 

Insurance and 

Continuity 

• List and provide copies of all company insurance policies 

covering property, liabilities and operations 

• List of any special conditions imposed by insurers 

• List of indemnification policies, business interruption, 

cyber insurance or product liability policies 

• List of any insurance claims for past 3 years 

• Copy of the business continuity plan and schedule of tests 

undertaken 

• Copy of data backup and verification policies, procedures and 

storage providers and/or locations 

8. Staff and 

Resources 

• List of key employees, contractors and vendors who work 

on development, testing, operations or security and an 

organization chart showing line management and functional 

relationships 

• Number of employees and other staff (temporary, 

voluntary, support, etc.) by department and by functional 

area associated with developing, operating and securing the 

network, services, or applications including an indication of 

the percentage of their work that this involves 

• Contracts including information on confidentiality or 

non-competition agreements to which employees are 

subject 

• List of specific agreements with employees, independent 

contractors – provide copies if applicable 

• Copies of consulting and confidentiality agreements and for any 

current or former consultants 

• List any “Arm’s length” back office support (HR, accounting, IT, 

etc.) services, or shared IT infrastructure capabilities 

• List of user groups, roles, geographical locations and 

permissions 

• List of anyone with remote access 

9. Third Party 

• List of other companies, partnerships, individuals or other 

entities who are stakeholders or contributors or suppliers 

• List of agreements with other companies for provision of or 

consumption of products and services – provide copies of the 

agreements if applicable 

• List of confidentiality and non-disclosure agreements to 

which the company is bound or imposes on others – provide 

copies if applicable 

• List of data and formats provided to third parties including 

details of those third parties and the agreements 

• List of data sharing, marketing agreements, co-packaging, 

franchises and referral agreements 

• Lists of any resellers and distributors – if applicable provide 

copies of the written agreements 

• List of agreements or arrangements with company employees 

and shareholders or with any organization they have a 

relationship with – provide copies if applicable 

10. Customers 

• List all customer communication methods 

• List of all social media accounts, business need, use 

policies and authorized users/publishers 

• List of any claims, complaints, litigation arising out of 

social media use (including cyber harassment); online brand 

and reputation assessment 

• List and explanation for any major customers lost over the last 

2 years 

• List of areas where customer supplied content is republished 

or recorded 

13

About Digital Shadows 

Digital Shadows is the only company to provide cyber 

situational awareness that helps organizations protect 

against cyber attacks, loss of intellectual property, and 

loss of brand and reputational integrity. 

Its flagship solution, Digital Shadows SearchLight, is 

a scalable and easy-to-use data analysis platform that 

provides a complete view of an organization’s digital footprint 

and the profile of its attackers. It is complemented 

with support from a world-class intelligence operations 

team to ensure extensive coverage, tailored intelligence 

and frictionless deployment. 

digitalshadows.com 

London 

San Francisco 

Level 39, One Canada Square, London, E14 5AB 535 Mission St, Fl. 14, San Francisco, CA 94105 

+44 (0) 203 393 7001 

info@digitalshadows.com 

+1 (888) 889 4143 

14

Cyber Threats Targeting Mergers and Acquisitions

Create successful ePaper yourself

Delete template?

Save as template?