In a blog post examining cases from 2012, Verizon Business' Andrew Valentine presented the tale of a U.S. critical infrastructure firm that called Verizon in to investigate suspicious VPN connections from China. As it turned out, this was no complex hack, just a lazy developer, or a smart one, depending on how you view things.
Last year, Verizon Business was called in by a US-based company that had discovered strange activity while examining its VPN logs. While reviewing the daily VPN connections, the company found an active link into its network from Shenyang, China.
“They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated; The company implemented two-factor authentication for these VPN connections. The second factor being a rotating token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming; The developer whose credentials were being used was sitting at his desk in the office,” the blog explained.
Naturally, the security team at the firm was shaken and assumed the worst, namely some type of “unknown malware that was able to route traffic from a trusted internal connection to China, and then back.” After all, the employee was sitting at his desk, and while the company had a telework initiative, he wasn't working from home. When Verizon looked deeper, it found that the VPN access from China had been going on for at least six months.
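The detection that eventually surfaced this case was a manual review of VPN logs. The same check can be automated: flag VPN sessions that originate from a country where the company has no staff, and escalate any such session that overlaps with evidence the same user was physically on site (a badge swipe, an interactive logon on their office workstation). The block below is an added example, not code from Verizon or from the company in the article. The log line formats, the badge and workstation event sources, the GeoIP prefix table (which uses RFC 5737 documentation ranges as stand-ins) and the allowed-country list are all constructed for illustration; a real deployment would take VPN concentrator logs, a real GeoIP database and badge or endpoint telemetry.

```python
"""Flag VPN sessions from unexpected countries, escalating those that overlap with on-site activity.

Added example. All log formats, IP-to-country mappings and sample events below are
constructed for illustration and are not taken from the article or the investigation.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed GeoIP table: RFC 5737 documentation prefixes used as placeholders.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
# Hypothetical policy: the company only expects remote workers from these countries.
ALLOWED_COUNTRIES = {"US"}

# Constructed VPN authentication log: "<ISO timestamp> key=value ..."
VPN_LOG = """\
2012-05-14T08:02:11Z user=bob src=203.0.113.45 event=session_start
2012-05-14T08:05:40Z user=alice src=198.51.100.7 event=session_start
2012-05-14T09:30:00Z user=carol src=203.0.113.90 event=session_start
2012-05-14T12:10:00Z user=carol src=203.0.113.90 event=session_end
2012-05-14T17:01:03Z user=bob src=203.0.113.45 event=session_end
"""

# Constructed on-site evidence: badge swipes and interactive workstation logons.
ONSITE_LOG = """\
2012-05-14T07:48:30Z user=bob source=badge site=HQ
2012-05-14T07:55:10Z user=alice source=badge site=HQ
2012-05-14T08:15:02Z user=bob source=workstation host=WS-0412
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one log line into (aware UTC datetime, dict of key=value fields)."""
    m = LINE_RE.match(line.strip())
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields


def geo_lookup(ip):
    """Resolve a source IP to a country code via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown prefix: treat as not allowed


@dataclass
class Session:
    user: str
    src: str
    country: str
    start: datetime
    end: Optional[datetime] = None


def build_sessions(vpn_log):
    """Pair session_start/session_end records into Session objects, keyed by (user, source IP)."""
    sessions, open_by_key, last_ts = [], {}, None
    for ts, f in (parse_line(l) for l in vpn_log.splitlines() if l.strip()):
        last_ts = ts if last_ts is None or ts > last_ts else last_ts
        key = (f["user"], f["src"])
        if f["event"] == "session_start":
            s = Session(f["user"], f["src"], geo_lookup(f["src"]), ts)
            open_by_key[key] = s
            sessions.append(s)
        elif f["event"] == "session_end" and key in open_by_key:
            open_by_key.pop(key).end = ts
    # Sessions still open at the end of the log are assumed to last until the last record.
    for s in sessions:
        if s.end is None:
            s.end = last_ts
    return sessions


def find_anomalies(vpn_log, onsite_log, grace=timedelta(hours=1)):
    """Return findings for VPN sessions outside ALLOWED_COUNTRIES.

    Severity is 'high' when the same user shows on-site activity within the session
    window (extended by `grace` on both sides, since people badge in before they log on).
    """
    onsite = [parse_line(l) for l in onsite_log.splitlines() if l.strip()]
    findings = []
    for s in build_sessions(vpn_log):
        if s.country in ALLOWED_COUNTRIES:
            continue
        evidence = [
            f"{ts.isoformat()} {f.get('source')} {f.get('site') or f.get('host')}"
            for ts, f in onsite
            if f["user"] == s.user and s.start - grace <= ts <= s.end + grace
        ]
        findings.append({
            "user": s.user, "src": s.src, "country": s.country,
            "start": s.start, "end": s.end,
            "severity": "high" if evidence else "medium",
            "onsite_evidence": evidence,
        })
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(VPN_LOG, ONSITE_LOG):
        print(finding["severity"].upper(), finding["user"], finding["src"], finding["country"],
              "on-site evidence:", finding["onsite_evidence"] or "none")
```

On the constructed data, bob's session from the CN prefix overlaps his badge swipe and workstation logon and is rated high; carol's CN session with no on-site evidence is rated medium; alice's US session is not reported. The geo filter alone would have caught this case at the first session rather than six months in, and the on-site correlation is what distinguishes a shipped token from a travelling employee.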
Verizon imaged the employee's workstation and found invoices from a firm in Shenyang, along with evidence that he had shipped them his RSA token by FedEx. According to the forensic timeline, the employee started his day by surfing Reddit, then after a few hours took lunch. In the afternoon he shopped on eBay and updated Facebook and LinkedIn, then sent his bosses a daily status report before going home.
“All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building,” Valentine wrote.
"We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers' systems to off-shore firms seems dangerous at best," said Nick Cavalancia, VP, SpectorSoft.
"What many organizations fail to understand is that with effective, proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident," Cavalancia said.