Aeroplane part maker claims cyber-fraud cost it €50 million

An Austrian firm that supplies parts for Airbus and Boeing has admitted that it was the victim of cyber-fraud that cost the company €50 million.

So-called whaling attacks target high-level executives for large amounts of money

Facc AG, a manufacturer of aeroplane parts, has admitted in its third-quarter financial report that cyber-criminals targeted the firm's accounting department and managed to defraud it of €50 million (£38 million).

“FACC's IT infrastructure, data security, IP rights as well as the operational business of the group are not affected by the criminal activities,” the report said. The firm did not give any further details about the attack.

“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” it added.

While the amount is large, Facc stressed that this would not pose an “economic threat to the company” and said that it had brought in the Austrian Criminal Investigation Department to conduct an investigation.

The news of the cyber-fraud led to the firm's share price dropping by 17 percent, according to reports by Bloomberg.

Tim Erlin, director of security and product management at Tripwire, told SCMagazineUK.com that there are a number of possible schemes that could result in financial losses that would generally be categorised as cyber-fraud.

“It's unclear from the published data which scheme affected FACC AG,” he said. “We've seen a rise in so-called ‘whaling attacks’ specifically aimed at compromising executives, and $54 million would certainly be the largest whale to be harpooned yet.”

“Education is a big part of fighting fraud. Other businesses need to know what happened here in order to protect themselves in the future.”

James Maude, senior security engineer at Avecto, told SC that it was more likely that the attack was the result of a well-orchestrated social engineering campaign. “These kind of attacks are becoming bolder and targeting many organisations using spoofed emails to request and authorise transactions,” he said.

“Engineering and manufacturing companies are a prime target as they often conduct large transactions with foreign banks so are less suspicious. These attacks are well researched and often exploit information harvested from compromised users to build a profile of an organisation including what company procedures are, what email signatures look like and when the CEO is traveling or difficult to contact. We commonly see banking trojans and backdoors installed on compromised machines which attempt to gather as many logins and credentials as possible in order to build these profiles,” he said.

“There is a clear target size in financial fraud campaigns – companies large enough that employees don't see the CEO day-to-day but small enough that there aren't sign off procedures on large expenses,” added Maude.

Radware director of security solutions, Werner Thalmeier, told SC that for organisations to protect themselves against this kind of attack, they need to be prepared and build their own “borders” to protect their infrastructure and assets.

“As network attacks become more sophisticated and easier to execute, business should expect the number of attacks on multiple vectors to continue to increase. With that in mind, education about the stages of an attack is crucial and must become an important component of your defence strategy for attack management,” he said.

Catalin Cosoi, chief security strategist at Bitdefender, told SC that employees should get acquainted with internal data handling policies and also report any suspicious emails or internet-related activities to IT personnel. “This culture could not only help identify cyber-attacks, but also help the IT department improve and even set up new security mechanisms aimed at preventing attacks,” he said. 

The attack follows the revelation on 19 January that Crelan bank in Belgium had been defrauded to the tune of €70 million (£53 million) by phishing attacks. The bank said the fraud was discovered during an internal investigation.