Let’s Not Downplay the Threat of Cyber Attacks in Commercial Real Estate

In July 2021, a ransomware gang named BlackMatter emerged from the internet’s dark corners. A threat intelligence software company, Flashpoint, said the cyber criminals had similarities with other notorious ransomware gangs, ones with names like REvil and DarkSide, and that they could’ve been successors to those groups. BlackMatter posted a notice on online forums in July that they were looking to buy access to infected corporate networks in the U.S., Canada, Australia, and the U.K. The criminals targeted large corporate networks with more than $100 million in revenues.

One of the companies targeted may have been Marcus & Millichap, the commercial real estate brokerage that was hit by a cyberattack in 2021. The publicly traded brokerage revealed in an 8-K filing with the SEC in September 2021 that it had been the victim of a cyberattack. They claimed there was no evidence of a data breach and didn’t identify the attack as a ransomware incident. The SEC filing said the firm responded quickly, securing and restoring all essential IT systems without material disruption to its business, and there was “no misuse of personal information.” As of late 2021, the investigation into the attack was ongoing, but Marcus & Millichap hasn’t said much about it since. The brokerage didn’t respond to a request for comment.

It’s possible the BlackMatter ransomware group was behind the attack, according to some cybersecurity experts. A BlackMatter ransomware sample found online with a ransom note had a suggested link between the ransomware sample and Marcus & Millichap. The note doesn’t name the company specifically, but it references systems connected to the brokerage’s domains. Other forum posts online from hackers have made more direct references to Marcus & Millichap. A Microsoft community post from 2020 referenced the company and a note that said, “If you are not going to contact us in the next 3 days, we will prepare your data for the publications. Your personal company info will be leaked and will be in the news. This will lead to a fall in your stock.”

In the SEC filing, Marcus & Millichap said it carries cyber insurance that it expected would cover the costs of the incident. But the company hasn’t disclosed if the incident was a ransomware attack and if the company paid a ransom to the criminals. 

If a ransom had been paid, it was probably costly. BlackMatter attacked several U.S.-based companies in 2021 and demanded ransom payments ranging from $80,000 to $15 million in Bitcoin and Monero, according to the federal Cybersecurity & Infrastructure Security Agency. BlackMatter operated as a ransomware-as-a-service model, enabling the ransomware’s developers to profit from cybercriminal affiliates who used the cyber weapon against corporate victims. By November 2021, the BlackMatter group had reportedly shut down after getting too much attention from law enforcement. But the way it typically works with these groups is they make several big attacks, lay low when the heat is on, and then re-emerge from the darkness later under a new, rebranded name and with a different piece of ransomware.

While this is one isolated and possibly close-call incident, there are plenty of other examples of real estate companies being the targets of cyberattacks. The Counselors of Real Estate, a real estate consultancy, listed cybersecurity interruptions as one of the top 10 issues affecting commercial real estate in 2022-2023 in a recent report, alongside inflation and interest rates, ESG regulation, and hybrid work. “We are in a new era of cybersecurity risks in commercial real estate, driven by decades of technological advances that impact all buildings’ physical and environmental functionality,” the report states.

A vast attack surface

Cybersecurity isn’t typically high on the list of issues talked about in commercial real estate, and, relatively speaking, the industry is a less desirable target than other sectors like banking and finance, education, and healthcare. But while the threat is relatively low compared to other industries, it’s rising and has become more of a concern. Real estate transactions contain tons of personal information, including financial data, Social Security numbers, and insurance information. Real estate firms also work with various vendors, and transactions can include several parties, giving cybercriminals ample opportunities and targets to attack. A survey by KPMG found that 30 percent of real estate organizations had a cybersecurity incident within the last 2 years, but only 50 percent of firms said they were prepared to prevent one.

The good news for real estate executives and firms is that not everyone thinks the threat of cybersecurity is Code Red. Anna Scherbina, Professor of Finance at the Brandeis International Business School, studied the effect of cyber attacks on the U.S. economy while working as a senior economist at the White House’s Council of Economic Advisors from 2017 to 2019. Scherbina said that when examining the threats to different industries, real estate wasn’t as interesting a target for cybercriminals. 

“Real estate really just has buildings and not as much personally identifiable information or information that threat actors really want,” Scherbina said. “Commercial real estate has been targeted by more ransomware attacks, but these attacks can happen, and no one finds out because companies will pay the ransom and keep things private.” She added that real estate firms also don’t have much intellectual property, which makes them less attractive targets to cyber criminals.

Phillip Kibel, Associate Managing Director of Moody’s Investor Service, agreed with Scherbina. He told me there’s a growing cybersecurity threat in real estate, but the threat level is still low. “There’s a minimal number of incidents, and the cost and consequences to companies and REITs are low,” Kibel said. “An office building can get attacked and shut down for a couple of days, and it’s not that big of a deal.”

However, Kibel and Scherbina both said the increasing connectivity of smart buildings is more of a concern. Many modern office buildings run between 15 to 30 different operational technologies and computer systems simultaneously. Increasingly, all these systems run on a common network infrastructure with the ability to be centrally accessed. Many IoT devices in commercial buildings have weak security protocols, making them a vast attack surface. Cybercriminals infiltrating building networks through these devices are rare but could become a growing concern, given so many buildings are adopting these technologies.

A prominent example of an IoT-based attack happened to Target back in 2013 when hackers gained access to the retail giant’s network using login credentials stolen from one of the company’s HVAC contractors. The HVAC firm, Fazio Mechanical Services in Sharpsburg, Pennsylvania, had access to Target’s network to remotely monitor temperature and energy consumption at various stores. The data thieves entered the network after stealing the credentials from the HVAC vendor, then jumped into Target’s payment systems.

The consequences of the breach were massive. The hackers stole 40 million credit card numbers, making it one of the biggest data breaches in history at the time. Target eventually agreed to pay $18.5 million to settle claims by 47 states and Washington, D.C., to resolve a multi-state investigation. The retailer said the entire incident cost the company at least $202 million.

Many corporate occupiers, contractors, and landlords have wised up to this threat since Target’s major hack in 2013, but IoT devices and sensors are still seen as one of the weakest links in building network cybersecurity. And while real estate firms may not always be directly attacked by hackers, they are often the first line of defense in protecting their tenants. The most valuable and sensitive information inside a building is often at the tenant level, and building owners’ networks and systems can be entry points for attacks.

The threat of commercial building cyber attacks can even come from nation-states in some cases. A very recent example is the websites for O’Hare and Midway airports in Chicago being taken offline by a denial of service attack allegedly from a Russian hacking group. A U.S. Secret Service agent on the Electronic Crimes Task Force said the attack was a “warning shot.” Local, federal, and state governments have also been attacked recently. The Chicago Department of Aviation said the denial of service attack didn’t affect security or operations at the airport, and the websites got back up and running, but it showed some vulnerabilities. It’s also a stark reminder that building owners with government tenants should be on high alert.

A threatening environment

The reality is no industry is immune to cyber threats anymore, as cybercrime has grown exponentially in recent years. One in three organizations suffered a ransomware incident over the past 12 months, according to a 2021 survey by the International Data Corporation. Forty-four percent of the attacks targeted the education and retail sectors, but business, professional and legal services are also a big target. Many of these companies are large corporate office occupiers, such as accounting, consulting, and law firms, and they have highly sensitive data and the financial resources to pay substantial ransomware demands.

The U.N. Security Council said in 2020 that there was a 600 percent increase in malicious emails worldwide, and it was estimated that a cyberattack happens somewhere in the world every 39 seconds. Building owners and real estate companies will have to get increasingly sophisticated in preparing and guarding against cyberattacks beyond the basics of having strong passwords.

For example, in its bulletin about one ransomware threat, the Cybersecurity and Infrastructure Security Agency strongly advises implementing network segmentation. Hackers use system and network discovery techniques to map and gain visibility. To limit this threat, companies segment networks that prevent ransomware spread. Segmenting controls traffic flows between and access to subnetworks and restricts the threat’s movement. Endpoint detection and response tools also help detect abnormal activity on networks and log and report all network traffic, so it’s a way to catch ransomware early.

Cybersecurity awareness training is also vital for building owners, property managers, and real estate employees, not all of which may not be the most tech-savvy. Real estate employees need to know how to identify common attacks like phishing and business email compromise and how to respond if one happens. In 2019, during a particularly bad year for real estate cybersecurity threats, residential brokerage Compass had an FBI agent run a seminar for its employees on various threats they may encounter. The brokerage scheduled the session after seeing an uptick in attempts to breach company email accounts. Cybersecurity awareness training ideally shouldn’t be a one-and-done thing, either. Cyber threats evolve rapidly, so frequent training reminders are necessary to keep pace with how quickly things change.

Real estate firms and building owners who allocate more resources to cybersecurity are making wise investments because cyber attacks are getting more expensive. The average data breach cost increased to $4.24 million in 2021, according to IBM, the highest average total cost IBM has reported in the past 17 years. Cybercrime was estimated to inflict global economic damages of $6 trillion in 2021, according to Cybersecurity Ventures. To put that gigantic number into context, it would amount to the world’s third-largest economy after the U.S. and China. Cybercrime is exponentially larger than the damage inflicted by natural disasters every year, and it has become more profitable than the global trade of all major illegal drugs combined.

The real estate industry is paying more attention to cybersecurity, but there are still plenty of examples of companies and building owners who get caught off guard. In September 2019, residential brokerage The Corcoran Group was hacked, and a mass email containing agent splits, marketing budgets, and commissions was sent to their entire company. A Corcoran employee’s email account was compromised, and the highly sensitive information was leaked, no doubt causing tons of turmoil at the brokerage. Following the attack, other residential brokerages were on high alert, and Nest Seekers International CEO Eddie Shapiro said his company was facing attacks on a weekly and sometimes daily basis with “every possible phishing attempt and viruses.”

Other, more targeted industries have been dealing with cyber attacks for years and may be more prepared than the real estate industry and building owners. The experts I talked to somewhat downplayed the cyber threat to real estate, but perhaps this type of thinking engenders too much complacency. Real estate can be like low-hanging fruit for cybercriminals and hackers, and even if big attacks like the one on The Corcoran Group are rare, they can have huge consequences.

Ransomware groups like BlackMatter may not always be interested in commercial buildings and real estate firms, but sometimes they are. Marcus & Millichap hasn’t disclosed if their 2021 attack was ransomware and BlackMatter was behind it, but some cybersecurity experts have suggested it was, meaning a particularly notorious group of cybercriminals had a major real estate firm in its crosshairs. With the increasing digitization of real estate processes and smart buildings, the attack surface for the industry is growing every day. So, let’s not downplay the threat of cyber attacks in real estate. The exponential rise in cybercrime in the past few years means that every industry needs to be on high alert. Building owners and real estate firms have plenty of things to worry about today, from high inflation and interest rates to ESG regulations, but cybersecurity may need to start making its way closer to the top of the list of concerns.

Image - Design