One of the biggest threats to corporations is not malware, phishing or even anything IT-based. The biggest threat we are currently seeing is the ramping up of technical attacks that occur outside of IT. Many of the incidents we are currently tracking are based on surveillance, infiltration of systems through physical attacks, and corporate espionage targeting executives and board members. Below we describe some of the most recent attacks we have observed and give some suggestions on what can be done to stop them. In many of these cases we observed IT-based attacks AFTER the original attacks.
The case of the leaking boardroom
Late last month a customer reached out to ask for advice after confidential meeting information was being discussed within the company by people who had not attended the meeting. At first it was thought that one of the executives had discussed the topics with an employee, which caused the information to spread throughout the company. Upon interviewing the 6 people in the meeting, none admitted to telling anybody about what was discussed.
At this point we determined that we had to take a closer look. We checked for common things such as audio leakage from the room. This check established that it was not possible to hear the conversations in the general vicinity outside the board room. The next thing we checked was the computers, laptops and tablets that were being used, and once again we came back with no findings. Some of the newer malware out there today allows threat actors to take screenshots and record audio, but no attack vector from the IT systems in the room could be confirmed.
A check of the phone lines in the room led to the discovery of a recording device on the other side of the building in a telecommunications cabinet. One of the backup pairs in the phone system had been jumped to a line recorder in a closet and was recording everything that occurred in the board room. After setting up hidden cameras in the room, it was discovered that a mid-level office employee was recording everything that occurred in the board room, reporting the information back to a competitor and also talking about it with other employees in the building. Had the person not said anything, they may have gotten away with this activity for far longer than the few weeks we suspect it was occurring. Since prosecutions in this space are rare, the company terminated the "employee" to eliminate the issue.
How did this happen?: This type of activity happens when adversaries hire people to infiltrate companies to obtain insider information. This has occurred in high-tech industries and is a frequent tactic of China, Russia, Israel and many other countries.
Who carried out the attack?: In this case it was believed, but not confirmed, that the attack was carried out by a highly technical IT firm based in Israel. Israel is known to spy not only on adversaries but also on businesses, highly technical firms and other governments.
How to prevent this type of attack: The most common way to prevent this type of attack is to hire qualified TSCM engineers to carry out technical inspections or surveys to ensure that these methods are not being employed by competitors, nation-state actors or others. Frequent inspections and baseline inspections allow qualified TSCM engineers to uncover these attacks. Less than 8% of corporate companies perform this type of inspection or have trained employees available to look for technical attacks within the enterprise.
The Case of the Jumping Point
Another recent case involved an employee bringing a personal device into work, in this case a Kindle book reader. Network administrators noted strange network activity from a device that they could not locate. In this case the device was connected to the company's guest network, so the impact was lessened, but the activity may have compromised accounts of users of the network for a period of at least 6 weeks.
In this particular case, the employee followed the company's rules for personal devices in the work area. Employees were authorized to use the guest network for personal phone and device usage. A review of the Kindle-like device showed that a threat actor had implanted malware on the Android-based device. Large encrypted transfers were sent daily; it is not known what information was being leaked out of the work site, but based on the size it is believed to have been recorded audio. Just because the device was not connected to an internal network doesn't mean that an attack won't be successful. We believe that for a period of approximately 6 weeks the financial information of the company was being observed via customized malware. Using a utility that reports which hardware is active when the device is powered on, we could tell that the device's microphone was engaged and that the captured information was being reported back to a known C2 server of a Middle Eastern country.
How did this happen?: A device used for reading books and accessing the Internet was connected to a corporate network. The authorized use of the network allowed a device infected with malware to send suspected voice recordings of sensitive financial information. Even if the device had not been connected to the work network, the information could still have been sent whenever the device connected to a network in the future.
Who carried out the attack?: The attack was believed to have been carried out by a Middle Eastern country or threat actor.
How to prevent this type of attack: These attacks are difficult to prevent because mobile computing devices are in widespread use. Even unconnected devices can record audio and burst-transmit it over a network in the future. The best method for preventing this type of activity is to disallow personal computing devices and cell phones in the workplace.
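The network-side signal in this case was a guest-network device that the administrators could not place, sending large encrypted uploads every day to a single external host. The following Python is an added example of how a defender might surface that pattern from flow records; it is not Jigsaw Security's tooling. The flow record layout, the sample records, the byte thresholds and the denylisted address (drawn from the TEST-NET documentation range) are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records from a guest network (not real data).
# Each record: (timestamp, src_mac, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    # Unlocated device: a large upload to the same host at the same hour each evening.
    ("2024-03-01T19:02:11", "aa:bb:cc:00:00:01", "203.0.113.7", 443, 41_000_000),
    ("2024-03-02T19:01:57", "aa:bb:cc:00:00:01", "203.0.113.7", 443, 39_500_000),
    ("2024-03-03T19:03:04", "aa:bb:cc:00:00:01", "203.0.113.7", 443, 42_200_000),
    ("2024-03-04T19:02:40", "aa:bb:cc:00:00:01", "203.0.113.7", 443, 40_800_000),
    # Ordinary guest laptop: small, irregular traffic to content sites.
    ("2024-03-01T12:10:00", "aa:bb:cc:00:00:02", "198.51.100.20", 443, 1_200_000),
    ("2024-03-03T13:45:00", "aa:bb:cc:00:00:02", "198.51.100.21", 443, 800_000),
    # Another guest device: one big one-off upload (e.g. a backup), not repeated.
    ("2024-03-02T09:00:00", "aa:bb:cc:00:00:03", "198.51.100.30", 443, 60_000_000),
]

# Placeholder denylist of addresses treated as known C2 (constructed for the example).
KNOWN_C2 = {"203.0.113.7"}

DAILY_BYTES_THRESHOLD = 20_000_000   # 20 MB/day to a single destination counts as "large"
MIN_CONSECUTIVE_DAYS = 3             # how many days in a row make it a pattern


def daily_volumes(flows):
    """Aggregate outbound bytes per (src_mac, dst_ip) pair per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _port, nbytes in flows:
        day = datetime.fromisoformat(ts).date()
        totals[(src, dst)][day] += nbytes
    return totals


def longest_daily_run(days):
    """Length of the longest run of consecutive calendar days in `days`."""
    best = run = 0
    prev = None
    for day in sorted(days):
        run = run + 1 if prev is not None and (day - prev).days == 1 else 1
        best = max(best, run)
        prev = day
    return best


def find_suspicious_devices(flows, threshold=DAILY_BYTES_THRESHOLD,
                            min_days=MIN_CONSECUTIVE_DAYS, denylist=KNOWN_C2):
    """Return one finding per (device, destination) that shows either a run of
    large daily uploads to one host or any contact with a denylisted host."""
    findings = []
    for (src, dst), per_day in daily_volumes(flows).items():
        heavy_days = {d for d, b in per_day.items() if b >= threshold}
        run = longest_daily_run(heavy_days)
        reasons = []
        if run >= min_days:
            reasons.append(f"{run} consecutive days of >= {threshold} bytes out to {dst}")
        if dst in denylist:
            reasons.append(f"destination {dst} is on the C2 denylist")
        if reasons:
            findings.append({"src_mac": src, "dst_ip": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_devices(SAMPLE_FLOWS):
        print(finding["src_mac"], "->", finding["dst_ip"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The consecutive-day check is what separates the infected reader from the laptop that uploaded a backup once: a single large transfer is normal on a guest network, while the same volume to the same host every day is not. The MAC address in each finding is the handle a network team would then correlate with DHCP leases and wireless access point logs to physically locate the device, which is the step the administrators in this case were missing.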
While many companies spend their budget on IT and physical security, technical attacks are often overlooked. We believe that 20% of your budget should be spent on technical auditing, training and countermeasures. Frequent inspections can prevent these attacks, which are often used to gain access to IT systems. IT engineers and support personnel are frequently spied upon in corporations to obtain information useful in IT-based attacks.
Jigsaw Security has implemented the Jigsaw Threat Mitigation Model* to address often overlooked areas of security. While we do IT security, we excel at preventing technical attack vectors that are not IT-based but are often used to gain access to sensitive IT systems through methods such as social engineering and other methods of eavesdropping.
In 90% of our technical countermeasures engagements we discover some method of technical attack not identified by our clients. Companies often overlook this area of security, and it is costly once a breach has occurred. In many cases, even when a remediation team is deployed, the root cause of the intrusion cannot be easily identified and the attacker once again gains access to the network, invalidating the remediation efforts.
We highly recommend hiring for and implementing a technical surveillance countermeasures program. For information on how to get your team trained in this skill set, please email us or contact us through the website chat feature to talk with a security specialist.
* Note that the Jigsaw Threat Mitigation Model is a protected process of Jigsaw Security Enterprise Incorporated and must be licensed for use unless you have specifically been granted access to the threat model in Jigsaw Security's training program, Jigsaw University, or on-site customer training.