Climate Change E-mail Hack Could Lead To Future Attacks
"Because they took a lot of e-mails, there's a little bit of an extra risk. Their company has been a victim of an attack," said Chester Wisniewski, senior security advisor for Sophos. "Once you know everyone's e-mail addresses, it makes you much more susceptible to phishing attacks."
Hackers broke into the e-mail server of the Climate Research Unit at the University of East Anglia, one of the United Kingdom's premier climate research institutes, on Friday, stealing more than 1,000 e-mails and more than 3,800 documents. The CRU hack, which occurred in the weeks prior to a major global climate summit in Denmark slated for December, was confirmed to the BBC by a CRU spokesperson.
Hackers then posted the e-mails and documents onto an anonymous FTP server in Russia, as well as a link to the 61-MB file on the blog Air Vent, accompanied by a note that read, "We feel that climate science is, in the current situation, too important to be kept under wraps. We hereby release a random selection for correspondence, code and documents."
Wisniewski contended that while the hack wasn't used to steal financial information, organizations need to be aware that hackers could use any piece of identifying information to launch phishing and spam attacks or compromise computers in a botnet.
"Every bit of information is important. To be honest our e-mail address, name and title—all these things are important private pieces of information that we should be cautious about disclosing to anyone," he said.
Additionally, security experts say that the hack could set a precedent for other so-called 'hacktivists' to use cybercrime as a tool to further push environmental agendas and other political aims.
"Clearly climate change is a topic which raises strong passions -- but I can't remember an instance of either side resorting to cybercrime and hacking to gather information on the other before," said Graham Cluley, senior technology consultant for Sophos in a blog post. "There is a real danger that some ne'er-do-well could use that information to spam or send targeted attacks against individuals who would have understandably expected their communications to have been held securely."
The CRU hack ignited a flame under the increasingly polarized debate around global warming in the blogosphere as climate change skeptics cited the posted e-mail segments as evidence that climate scientists manipulate data and hide information to support their own political agendas.
Meanwhile security experts underscored that hacking personal data is a crime.
"Whether you are sympathetic to Hadley CRU's views on global warming or not, it shouldn't be forgotten that they are victims of a criminal hack," Cluley said. "Personal information, including the e-mail addresses of scientists working at the organization, is now in the public domain."
Security experts maintain that the incident should serve as a potent reminder for organizations regularly transmitting sensitive information to ensure that they have adequate security infrastructure in place to reduce the risk of a cyber attack.