Island hopping is an emerging cybersecurity attack in which cybercriminals compromise small and medium businesses as the first step, then move laterally to attack larger organisations. The term is inspired by a war strategy also called island hopping, where the military takes over smaller islands of a country in order to strengthen its base.
Attackers using island hopping target third-party partners of a larger company, as these partners are more vulnerable and have little to no cybersecurity defences in place. The threat actors then retrieve credentials from the smaller businesses that can be used to target the larger organisation.
Let’s say a large retail company is in partnership with a small automotive business for its repair services. Transactions between the two may contain important data, such as sensitive information about staff credentials and network systems. Using these, cybercriminals will start their lateral attack to penetrate the larger company.
Cyber threat actors employ island hopping attacks as a strategic manoeuvre, particularly when targeting large companies fortified with stringent security measures. Typically, island hopping attacks involve initiating phishing campaigns against smaller entities, masquerading as the larger corporation to pilfer crucial credentials.
To avoid such attacks, small and medium businesses should be aware that they can also be vulnerable to cyber attacks. These organisations should implement email security and protection and multi-factor authentication, along with incident response plans between the smaller and bigger companies.