Cybercrime Case Study: Verizon Lessons Learned, Scenario 1
(SCENARIO 1 - SOCIAL ENGINEERING)
In one particular instance, a customer contacted the RISK Team about a primary competitor, located on another continent and suspected of being a threat actor, that had recently unveiled a new piece of large construction equipment. At first glance, the equipment looked like an exact copy of a model recently developed by our customer, the victim. This was all the more suspicious because the competitor had not traditionally produced this type of equipment and therefore had no track record in this part of the market. The victim's concern was not only that the design details of this equipment had been obtained illicitly, but that other projects were in danger of similar compromise.
In data breach investigations, the response does not always involve only the analysis of digital evidence. In many of our cases, we find that traditional investigative techniques are just as important as, if not more important than, data obtained from the latest forensic tools.
In this case, interviewing the chief design engineer proved integral in determining how the design had been taken. By interviewing key employees, we were able to focus on the system used by the chief design engineer for the specific model of equipment that had possibly been stolen.
RESPONSE AND INVESTIGATION
Shortly after initial notification, we arrived onsite at the victim’s headquarters and set about interviewing the key stakeholders. We began by working with the design team responsible for the equipment model that was the focus of the cyber investigation. In comparing features listed by the threat actor on their recently released model, the victim’s design team identified several key parts and details that appeared identical to their own model. Many of these design elements were new and unique to the industry. After determining that it was most likely that the equipment model designs had been compromised, our first request was for the names of those employees who worked on the design project for the equipment model involved in the design plan theft.
The first employee we interviewed was the chief design engineer for the project. While interviewing him, it became clear that he was actively looking for employment elsewhere and he might not be employed by the victim much longer. A recruiter had contacted the engineer via LinkedIn, which led to them exchanging emails.
A digital forensic examination of the chief design engineer’s system and the associated firewall logs provided evidence of a breach involving the design plans, which were resident on that system. A backdoor shell written in PHP (a scripting language) was found on the system. There were also clear indications that the threat actors had located and copied the file containing the design plans.
MALWARE SPOTLIGHT: COMMAND AND CONTROL (C2)
C2 refers to the methods or resources used by malware to communicate with its operators. C2 servers may be used to manage thousands of infected systems, and by issuing a single command from such a server, the operators can marshal all of them into action. Advanced threats typically encrypt their C2 channels with the Secure Sockets Layer (SSL) encryption used in HTTPS or with Secure Shell (SSH) connections. This encryption not only makes it harder for monitoring and detection solutions to inspect the traffic, but also makes it significantly harder to identify specific commands once C2 traffic is found.
In examining the engineer’s email files, we found one from the recruiter that arrived just prior to the beaconing activity. Attached to the email was an employment position listing document with a small piece of malicious software (malware) embedded in it. Analysis of the malware revealed that a known malicious Chinese IP address was hard-coded within it.
The stolen data included design blueprints for a new and innovative piece of large construction equipment. Through attack profiling, it was determined that the likely threat actors were a Chinese hacking group that had long been suspected of being state funded. Intelligence sources indicated that these threat actors had performed similar attacks against a variety of victims and allegedly provided the stolen intellectual property to Chinese companies that were state owned, operated or supported.
The threat actors had done their homework, as they identified the one key employee who would likely have access to the data they wanted—the chief design engineer for the project. The threat actors then established contact with the engineer through a LinkedIn profile under the guise of a recruiter with attractive employment positions and began sending emails containing fictitious employment opportunities. One of those emails contained an attachment that had a malware file embedded in the document. When opened, the malware began beaconing to an external IP address used by the threat actor. The threat actors then installed a backdoor PHP reverse shell on the chief design engineer’s system.
From that beachhead, the threat actors were able to search the data on that system as well as collect sensitive data from network file servers and attached USB hard disk drives. At initial glance, the activity would almost seem normal, as the chief design engineer had legitimate access to all these data repositories. As he was deeply involved with this project, it wouldn't be suspicious for him to be accessing the various project-related files.
Upon completion of the data aggregation, the threat actors encrypted and compressed the intellectual property, and in doing so, made it unidentifiable to Data Loss Prevention (DLP). At that point, exfiltration was trivial and accomplished through an outbound HTTP connection. Unfortunately for the victim, the investigation confirmed that it had indeed lost intellectual property. Its suspicion that a foreign competitor leveraged the data in order to begin marketing a remarkably similar piece of equipment was substantiated.
REMEDIATION AND RECOVERY
With the chain of events clearly laid out, the victim then turned toward remediation. There was nothing it could do to recover the lost intellectual investment, but this victim was sure it did not want to go through this a second time. In many cases, this victim had done the right thing, but had still been breached. Especially with social threats, we find that even the most mature organizations can fall victim to data theft. We provided many recommendations, ranging from easy wins to more robust and involved solutions, which the victim worked into its current security posture.
One of our first recommendations was for the victim to set up a more comprehensive training and awareness program related to social engineering threats that employees may face. This focused on specific areas of the business and the types of information that were most critical to each job role. Clear steps were put in place to specify when and how data could be transferred. Part of this process was identifying information, such as new design plans, that should have additional security controls for proper handling. Engineers were provided with dedicated systems for them to perform their engineering work on, which no longer had email or web access. This would limit the number of avenues that potential threat actors would have to load malware onto these sensitive machines.
Social threats are hard to defend against, even when a good plan is in place, so we also recommended the victim adopt more robust monitoring solutions to identify the early signs of a compromise. Many of the core pieces of security existed: anti-virus deployments, intrusion detection sensors and NetFlow capture were all available, but mostly unused. Anti-virus was installed on all corporate assets, but the software was a mishmash of vendors as IT staff tastes changed over the years. We recommended selecting a single vendor and using a centralized solution so that updates could be rolled out across the company. Intrusion detection alerts and NetFlow capture can be correlated in many security event frameworks, and we suggested the victim take its existing infrastructure and centralize the results. Paired with the centralized anti-virus, these tools would allow IT and security teams to more quickly identify emergent threat actors before significant damage occurred.
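As an added example (not code from the Verizon report), the following Python script illustrates the kind of correlation the monitoring recommendation points at: it scans NetFlow-style records for the fixed-interval outbound connections that beaconing malware produces, a pattern that stays visible in flow metadata even when the C2 channel itself is encrypted. The flow records, the workstation address and the server address are constructed sample values.

```python
"""Flag periodic beaconing in NetFlow-style records (added example).

A host compromised by a malicious attachment, as in this case, typically
calls one external address on a fixed timer. Encryption hides the payload,
but the timing regularity survives in NetFlow and can be alerted on.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.5.23 stands in for the engineer's workstation; 203.0.113.77 (a
# documentation-range address) stands in for the attacker's C2 server.
SAMPLE_FLOWS = [
    (1000, "10.0.5.23", "203.0.113.77", 443, 612),
    (1600, "10.0.5.23", "203.0.113.77", 443, 598),
    (2205, "10.0.5.23", "203.0.113.77", 443, 620),
    (2800, "10.0.5.23", "203.0.113.77", 443, 605),
    (3400, "10.0.5.23", "203.0.113.77", 443, 611),
    (1010, "10.0.5.23", "198.51.100.10", 443, 4200),  # ordinary browsing: irregular
    (1045, "10.0.5.23", "198.51.100.10", 443, 8800),
    (1900, "10.0.5.23", "198.51.100.10", 443, 1500),
    (3300, "10.0.5.23", "198.51.100.10", 443, 7600),
    (1200, "10.0.5.41", "198.51.100.22", 80, 3000),    # single flow: too few to judge
]


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds) for every src/dst pair whose
    inter-flow gaps are nearly constant (coefficient of variation <= max_jitter).
    Pairs with fewer than min_flows records are ignored to avoid noise."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps is the beaconing signature.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

In practice the same logic runs over centralized flow exports and its hits are joined with intrusion detection and anti-virus alerts for the same host, which is the correlation the recommendation describes.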
Some of the measures an organization can take to reduce the impact of social engineering attacks may include a comprehensive cybersecurity plan, end user cybersecurity safety training programs and periodic audits to check policy compliance. Security controls can be enhanced with strong and mutual authentication combined with a robust identity and access management program.
© 2016 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. WP16641 2/16