Cyber espionage is getting renewed attention as fresh evidence emerges of online break-ins at U.S. research labs and targeted phishing against corporations and government agencies here and abroad.

It's no wonder that research firm SANS Institute has ranked cyber espionage No. 3 on its ”Top Ten Cyber Menaces for 2008,” just behind Web site attacks exploiting browser vulnerabilities and botnets such as the infamous Storm. 

“Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals,” SANS Institute claims. “The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source.”

Alan Paller, director of research at SANS Institute, adds that people should be aware that an “extraordinary treasure chest of information has been stolen,” and “the same people doing the military espionage are engaged in economic espionage using the same or very similar techniques to steal information from organizations that are working on business ventures in the attackers' country.” He offered no estimate as to how much cyber espionage is costing organizations.

Click to see: Top five cyber security menaces for 2008

Many have seen some form of cyber espionage up close.

“Absolutely there's espionage,” says Michele Stewart, manager of data security at Orlando-based AirTran Airways.
Members of AirTran's executive management team were recently targeted by phishing e-mail that sought to trick them into divulging confidential corporate information as well as attempted to place bot malware on their computers, she says. (Learn more about Messaging Security products from our Messaging Security Buyer's Guide.)

“The e-mail did get through our filter, but fortunately [our team] had the presence of mind to realize something strange was going on,” Stewart says. AirTran, which relies on Lancope network-behavior-analysis equipment to watch for anything outside the norm and conducts awareness training with employees, doesn't know who was targeting it, she says.

Separately, the U.S. Department of Energy's Oak Ridge National Laboratory (ORNL) last month acknowledged that about a dozen staff members fell for phony e-mail urging them to go to phishing sites or open attachments with malware.