Corporate Espionage — The Rise of The Cyber-Mafia
Corporate espionage, while a great backdrop for a riveting spy movie or novel, is not very entertaining for the company or government agency that becomes the victim. Corporate espionage has evolved from an employee selling business secrets to a competitor or a hired person infiltrating the company and stealing industrial or government secrets, to the use of computer networks and advanced technology to gain unapproved access to confidential information. This evolved type of corporate espionage is termed cyber-espionage.
The current generation of cyber-criminals now resembles traditional Mafia organizations and gangs of the past that have a willingness to intimidate, threaten, and steal from victims. They have changed cybercrime from isolated and individualized attacks into attacks run by distinct groups of individuals. The 2017 Malwarebytes paper, “The New Mafia: Gangs and Vigilantes,” breaks out these cyber-gangs into four distinct groups of cyber-criminals: traditional gangs, state-sponsored attackers, ideological hackers, and hackers-for-hire. The cyber-attacks on businesses have been steadily increasing and that 2017 Malwarebytes paper reported, “the average monthly volume of attacks rose 23%.” The reason for this rise, as stated in the paper, is that “they are attracted by the potential for riches and power and have increasingly resorted to fear, intimidation and a feeling of helplessness to achieve their aims. Similar to mobsters who would muscle their way into a business and make demands, cyber-criminals are taking command of computers and sensitive personal information to threaten victims.”
We are seeing state sponsored attacks coming from China, Russia, North Korea, and the US (who can forget Stuxnet and the NSA leak that revealed tools and vulnerabilities that were used by them). In the news, groups such as Patchwork (aka Dropping Elephant), Bronze Butler (aka Tick), “Mia Ash” (aka Cobalt Gypsy or OilRig), and Fancy Bear (aka APT 28) are making headlines as they target companies and government agencies around the world.
Who Have Been The Targets?
High-profile personalities, such as important members of government, Business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers have been targets. Others that are being targeted are:
- Financial institutions
- Heavy industry
- Manufacturing
- Networks that are for a country’s critical infrastructure, such as power grids and hospitals.
We can see examples of such engagements with the “Mia Ash” attack that went after men in telecommunications, government, defense, oil, and finance. This was a cleverly crafted fake persona that was built in social media and was used to entice an unsuspecting victim to follow and “like” this fake photographer named Mia Ash. After several interactions that built rapport and trust, the attacker would send a “photography survey” to the victim that was an attachment with concealed malware. Once the attachment was opened, the malware would install and give complete control of the compromised machine to the attacker and access to network credentials. Then there was the attack by Fancy Bear, where Hilary Clinton’s campaign chairman, John Podesta, received an email that appeared to be from Google. The email alerted him that someone was using his password to access his Google account and that he should change his password, which he complied with, thus providing attackers with his login credentials. Another example is the attack on Japanese enterprises by the group known as Bronze Butler, where the victim would receive an email with a Flash animation attachment that would install malware on to the victim’s pc to get access to the networks of organizations associated with critical infrastructure, heavy industry and manufacturing.
What Are The Goals of These Groups?
These cyber-criminal groups are looking to gain access to mobile devices, networks, and email accounts. What are they after?
- Retrieving contacts
- Location information (especially of military personnel)
- Disrupting political activity
- Pictures
- Files that can contain network and system configurations
- Product specifications
- Emails
- Meeting schedules and minutes
- Sensitive business and sales related information
- Intellectual property related to technology and development
With this information, nation states can gain the upper hand or competing companies can go right into production without the need for research and development.
How Are They Doing It?
Thanks to the researchers at Trend Micro, who reported on the group Patchwork, and Secureworks, who reported on the group Bronze Butler, we can see an impressive list of tools that these cyber-criminal groups are using to accomplish their attack . These tools allowed them to:
- Gain remote access
- Steal files
- Corrupt systems
- Take screen shots
- Retrieve passwords from memory
- Log keystrokes
One other tool that was commonly used in these attacks, was the use of Social Engineering, particularly the use of Spear Phishing.
Spear Phishing is defined as the, “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.” (Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails) TrendMicro reported in their blog, “Untangling the Patchwork Cyberespionage Group,” that spear phishing emails were Patchwork’s, “staple doorways into their targets, using emails that contained website redirects, direct links, or malicious attachments.” Patchwork would target individuals by crafting a sociopolitical email tailored to that person’s beliefs and route them to a news site with malware-ridden documents.
According to the Secureworks analysis on the Bronze Butler group, it said that they “used spear phishing, strategic web compromises, and an exploit of a zero-day vulnerability to compromise targeted systems.” Secureworks reported that Bronze Butler crafted emails in native Japanese and, “used phishing emails with Flash animation attachments to download and execute Daserf malware (used to gain remote shell, execute commands, upload and download data, capture screenshots, and log keystrokes) and has also leveraged Flash exploits for strategic web compromises.”
Another aspect of Social Engineering that attackers use, as in the case of the “Mia Ash” attack, is the use of Social Media to entice potential victims. Once the attacker has built rapport and trust, the victim will believe that they are talking to a real person and then will comply to most requests made by the attacker.
With no sign that attacks are slowing down and the increasing degree of sophistication in the attacks, what is a corporation or government agency to do? What can be done to prevent and protect from the attacks being successful? How can those trade secrets be kept safe?
What Can Be Done?
Be proactive. Don’t wait until an attack happens to react. If we were in a boxing ring, we wouldn’t wait to get punched before we did something, so let’s not wait until we get attacked before we do anything. Take some of these preventive measures now:
- Corporations should make sure all operating systems and applications are updated. (If you have legacy systems, employ virtual patching, as this will help prevent security gaps)
- Use a Firewall.
- Use a sandbox.
- Use of intrusion detection and prevention systems will help in detecting potential issues in the network.
- Enforce the principle of least privilege access, including blacklisting and securing the use of tools usually reserved for system administrators, such as PowerShell.
- Use of Network segmentation and data categorization help prevent lateral movement and further data theft, while behavior monitoring and application control/whitelisting block anomalous routines executed by suspicious files.
- Deploy a secure email gateway or other email filtering appliance to secure email and prevent the transmission of sensitive data.
Be security conscious when it comes to information you make public on any social media platform. The use of social media by Cobalt Gypsy and spear phishing by Bronze Butler highlights the importance and the need of ongoing social engineering training. Clear guidelines for social media usage, as well as education for identifying potential phishing lures, are essential for employees. This education should encourage critical thinking by getting them to answer the following questions before reacting to certain scenarios:
- Who is this person?
- Are they known by either me or the company?
- If they indicate that they know someone you know, do they really?
Clear company policies should be in place for reporting potential phishing messages received through corporate email, personal email, and social media platforms. Companies need to create an environment where an employee can build their confidence in making good choices and are encouraged to report any incident without the fear of reprisal for making a mistake. Employees should share experiences and have open dialogue about security incidents because this will lead to knowledge and confidence that will enhance the ability for all employees to protect themselves and the company. This shouldn’t be just for the IT team or just the average employee, as the Malwarebytes paper points out that “the extent of cybercrime and the depth of the strategies needed to combat must be central to general business strategy – thus, it must become the domain of chief executives.” Yes, all management needs to buy into the security strategies and not think they are the exception to the rule, especially since they hold the keys to the kingdom.
To most people, cyber espionage may not seem to influence their lives, but its costs on a corporation or government can be significant. The impact can vary significantly from monetary loss to physical infrastructure damage, and the cost can range from insignificant to devastating. Think about it, if the company you work for took a sizeable hit and had to downsize or close its doors because of an attack, how might that affect you? Let’s all do our part in combating these gangs of cyber-criminals by following the suggestions that we discussed. Let’s educate each other, work together as a team from the CEO all the way down, be more aware and make more educated choices when we click on something and what we post in social media, and don’t be afraid or ashamed to report when a bad choice is made. It might just save the company and you.
Stay safe and secure.
Written By: Mike Hadnagy
References:
https://www.infosecurity-magazine.com/news/cybercrime-driven-four-distinct/
https://www.malwarebytes.com/pdf/white-papers/Cybercrime_NewMafia.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://www.democraticunderground.com/111681236
https://www.wsj.com/articles/an-after-hours-company-visit-spurs-espionage-charges-1505813401
https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/spies-espionage/