By Gregory Hale
Social engineering has been around for a while now, but yet people still end up victimized by the subtle questions and promises made by attackers.
A perfect case in point was when one company had an issue involving a competitor where a suspected attacker, located on another continent had just made public a new piece of large construction equipment.
Water Company Operations Breached
IIoT: We Have to get Ahead of This
Attacking an ICS from ‘Inside Out’
Breach at IN Utility
Attacks on Rise, Incident Response Tougher
Security Framework Grows in Usage
At first glance, the equipment looked like an exact copy of a model developed by the manufacturer. What was even more suspicious was the competitor hadn’t traditionally produced this type of equipment and therefore had no past track record in this part of the market. The victim’s concern was not just that this equipment’s design details ended up obtained illicitly, but other projects were also in danger of similar compromise.
It appeared as though the company suffered from a social engineering attack, according to a case history in Verizon’s Data Breach Report 2016. Social engineering attacks rely on influencing or tricking people into disclosing information or conducting an action, such as clicking on a hyperlink or opening an email attachment. Tactics may include deception, manipulation, pretexting, phishing, and other types of scams. Social engineering can be merely a part of an attacker’s overall methodology or the end game itself.
Shortly after initial notification, investigators from Verizon arrived onsite at the victim’s headquarters and set about interviewing stakeholders. Investigators began by working with the design team responsible for the equipment model that was the focus of the cyber investigation. In comparing features listed by the threat actor on their recently released model, the victim’s design team identified several key parts and details that appeared identical to their own model. Many of these design elements were new and unique to the industry, the report said.
After determining it was most likely the equipment model designs had suffered compromise, investigators’ first request was for the names of those employees who worked on the design project for the equipment model involved in the design plan theft.
The first employee interviewed was the chief design engineer for the project. While interviewing him, it became clear he was actively looking for a new job and he might not be employed by the victim much longer. A recruiter had contacted the engineer via LinkedIn, which led to them exchanging emails.
A digital forensic examination of the chief design engineer’s system and associated firewall logs provided evidence of a breach associated with the design plans, which resided on that system. A PHP (scripting language) backdoor shell was on the system. There were also clear indications the attackers had located and copied the file containing the design plans.
In examining the engineer’s email files, investigators found one from the recruiter occurring just prior to the beaconing activity. We then found an employment position-listing document attached to the email embedded with a small piece of malware. Analysis of the malware revealed it contained a known malicious Chinese IP address hard-coded within.
The stolen data included design blueprints for a new and innovative piece of large construction equipment. Through attack profiling, investigators determined the likely attacker was a Chinese hacking group that had long been suspected of being state funded. Intelligence sources indicated these threat actors had performed similar attacks against a variety of victims and provided the stolen intellectual property to state-owned, operated or supported Chinese companies.
The threat actors had done their homework, as they identified the one key employee who would likely have access to the data they wanted — the chief design engineer for the project. The threat actors then established contact with the engineer through a LinkedIn profile under the guise of a recruiter with attractive employment positions and began sending emails containing fictitious employment opportunities. One of those emails contained an attachment that had a malware file embedded in the document. When opened, the malware began beaconing to an external IP address used by the threat actor. The threat actors then installed a backdoor PHP reverse shell on the chief design engineer’s system.
From that beachhead, the threat actors were able to search the data on that system as well as collect sensitive data from network file servers and attached USB hard disk drives. At initial glance, the activity would almost seem normal, as the chief design engineer had legitimate access to all these data repositories. As he was deeply involved with this project, it wouldn’t be suspicious for him to be accessing the various project-related files.
Upon completion of the data aggregation, the threat actors encrypted and compressed the intellectual property, and in doing so, made it unidentifiable to Data Loss Prevention (DLP). At that point, exfiltration was trivial and accomplished through an outbound HTTP connection. Unfortunately for the victim, the investigation confirmed it had indeed lost intellectual property. Its suspicion that a foreign competitor leveraged the data in order to begin marketing a remarkably similar piece of equipment was substantiated.
Data Theft Victim
With the chain of events clearly laid out, the victim then turned toward remediation. There was nothing it could do to recover the lost intellectual investment, but this victim was sure it did not want to go through this a second time. In many cases, this victim had done the right thing, but had still been breached. Especially with social threats, investigators find even the most mature organizations can fall victim to data theft. Investigators provided recommendations, ranging from easy wins to more robust and involved solutions, which the victim worked into its current security posture.
One of our first recommendations was for the victim to set up a more comprehensive training and awareness program related to social engineering threats that employees may face. This focused on specific areas of the business and the types of information that were most critical to each job role. Clear steps were put in place to specify when and how data could transfer. Part of this process was identifying information, such as new design plans, that should have additional security controls for proper handling. Engineers got dedicated systems for them to perform their engineering work on, which no longer had email or web access. This would limit the number of avenues potential attackers would have to load malware onto these sensitive machines.
Tough to Defend
Social threats are hard to defend against, even when a good plan is in place, so investigators also recommended the victim adopt more robust monitoring solutions to identify the early signs of a compromise. Many of the core pieces of security existed — anti-virus deployments, intrusion detection sensors and NetFlow capture were all available, but mostly unused. Anti-virus was on all corporate assets, but the software was a mishmash of vendors as IT staff tastes changed over the years. The investigators recommended selecting a single vendor and using a centralized solution so updates could roll out across the company. Intrusion detection alerts and NetFlow capture can end up correlated in security event frameworks, and an idea came forth where the victim should take its existing infrastructure and centralize the results. Paired with the centralized anti-virus, these tools would allow IT and security teams to more quickly identify attackers before significant damage occurred.
Some of the measures an organization can take to reduce the impact of social engineering attacks may include a comprehensive and clear information security policy, user education through training and awareness programs and periodic audits to check policy compliance. Security controls can end up enhanced with strong and mutual authentication combined with a robust identity and access management program.
Click here to download the entire Verizon report.