How hackers can live inside your network for months

You might have seen this week’s story about how Ukrainian and other anti-Russian hackers brought down parts of Aeroflot’s networks, resulting in massive flight delays and cancellations. It turns out these hackers had had access to the airline’s systems for a year or more, and only recently began to play their hand. The hackers coordinated their efforts with numerous drone attacks on civilian airports and other Russian military targets, attacks that have led to internet services being disrupted across Russia in an attempt to cut the drones off from their controllers.

Despite sanctions, a predicted dearth of spare parts, and other restrictions, Aeroflot has flown millions of passengers in the past year. A report from Finland recently found about $1B in parts being purchased through cut-outs and other third parties located in China and the UAE. It also didn’t hurt that at the onset of the war and the subsequent sanctions, Russia seized about 500 planes that were present in the country and were owned by other airlines. (One crashed shortly after I wrote this post; the cause could be a lack of parts.)

As I was researching this story, I came across a tale from one of my IT contacts. He told me about a situation that happened about ten years ago at a mortgage services company that he was working with as a consultant. “On my first day I found most of their 2000 servers hadn’t been patched, for years! Many were running out of support for their operating systems and applications. The place was a cyber nightmare waiting to happen.” He eventually got the company to agree to patching and upgrading their servers. “Thankfully, we got everything fixed and put in a good security monitoring and incident management system. But then, a few weeks after the new security systems went online, the company detected an attempted breach.”

What happened was that the attackers had spent months accumulating intelligence and researching the corporate management chart by dialing various public phone numbers and taking note of any names, departments and other info attached to those numbers. “Essentially, they built a phone book of the company. They then searched names to identify the execs, their admins, and anyone who would have elevated access to the company’s systems.” Thus began their second phase: spoofing caller IDs to the company’s help desk and phishing their targets, sending malware-laced emails under the guise of fixing some made-up cyber problem. The assembled phone book was used to give the phishing more cred.

“That morning four people took the bait and ran the attached file. Our security tools quickly spotted the problem. If this had happened a few weeks sooner it would have been very, very bad.”

Lesson learned: hackers can take their time to learn your vulnerabilities, and map your weaknesses. You have to be in the long game too.

One thought on “How hackers can live inside your network for months”

  1. David, thanks for this. Very interesting and disturbing. It is particularly concerning that your contact found these incredible lapses at a mortgage services company. But perhaps not surprising – the bad guys would be most interested in a company from which they could get into people’s bank accounts.
