SecurityWeek

Application Security

Security Audit Discovered Coder Who Outsourced His Job to China

In a blog post examining cases from 2012, Verizon Business’ Andrew Valentine presented a tale of a critical infrastructure firm in the U.S. that called them in to investigate suspicious VPN connections to China. As it turns out, this was no complex hack, just a lazy developer – or a smart one, depending on how you view things.


Last year, Verizon Business was called in to assist a US-based company that had discovered strange activity while examining its VPN logs. While reviewing the daily VPN connections, the company found an active link to its network from Shenyang, China.

“They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated. The company implemented two-factor authentication for these VPN connections, the second factor being a rotating token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming. The developer whose credentials were being used was sitting at his desk in the office,” the blog explained.

Naturally, the security team at this firm was shaken and assumed the worst, namely some type of “unknown malware that was able to route traffic from a trusted internal connection to China, and then back.” After all, the employee was sitting at his desk, and while the company had a telework program, he wasn’t working from home. When Verizon looked deeper, they discovered that the VPN access from China had been going on for at least six months.
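The anomaly that surfaced here is a remote VPN session for a user who is physically on site, coming from an unexpected country. The following detection is an added example, not code from the article or from Verizon: it correlates VPN gateway logs against badge-entry logs and flags logins whose source country is outside an allowlist or whose user badged into a building shortly before the remote session. The log formats, user names, gateway name and allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): VPN gateway logins and badge entries.
VPN_LOG = """\
2012-06-04T09:02:11Z vpn-gw1 user=jdoe src_country=CN src_city=Shenyang mfa=rsa_token result=success
2012-06-04T09:05:40Z vpn-gw1 user=asmith src_country=US src_city=Denver mfa=rsa_token result=success
2012-06-04T09:06:02Z vpn-gw1 user=bwong src_country=US src_city=Austin mfa=rsa_token result=success
"""
PRESENCE_LOG = """\
2012-06-04T08:45:30Z badge user=jdoe door=HQ-main event=entry
2012-06-04T09:10:12Z badge user=bwong door=HQ-main event=entry
"""

ALLOWED_COUNTRIES = {"US"}          # assumed: where remote staff are expected to connect from
ON_SITE_WINDOW = timedelta(hours=10)  # assumed: a badge entry marks the user as on site this long


def parse_kv(line):
    """Parse '<ts> <source> k=v k=v ...' into a dict with a timezone-aware timestamp."""
    ts, source, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def find_suspicious_sessions(vpn_text, presence_text):
    """Return a list of (user, reasons) for VPN logins that warrant review."""
    presence = [parse_kv(l) for l in presence_text.splitlines() if l.strip()]
    findings = []
    for rec in (parse_kv(l) for l in vpn_text.splitlines() if l.strip()):
        reasons = []
        if rec["src_country"] not in ALLOWED_COUNTRIES:
            reasons.append(f"VPN source country {rec['src_country']} not in allowlist")
        for p in presence:
            # Badge entry by the same user before the VPN login, within the on-site window.
            elapsed = rec["ts"] - p["ts"]
            if p["user"] == rec["user"] and p["event"] == "entry" and timedelta(0) <= elapsed <= ON_SITE_WINDOW:
                reasons.append(f"user badged into {p['door']} at {p['ts'].strftime('%H:%M')}Z while VPN session is remote")
                break
        if reasons:
            findings.append((rec["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_sessions(VPN_LOG, PRESENCE_LOG):
        print(user, "->", "; ".join(reasons))
```

Only the session for jdoe is flagged: it comes from outside the allowlist and follows a badge entry by the same user, which is exactly the combination the company's log review turned up.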

They took an image of the employee’s system and discovered invoices to a firm in Shenyang, along with evidence that he had used FedEx to ship them his RSA token. According to the forensic work, the employee started his day by surfing Reddit, then after a few hours he would take lunch. In the afternoon he shopped on eBay and updated Facebook and LinkedIn, then sent his bosses a daily status report before going home.

“All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building,” Valentine wrote.

“We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers’ systems to off-shore firms seems dangerous at best,” said Nick Cavalancia, VP, SpectorSoft.

“What many organizations fail to understand is that with effective, proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident,” Cavalancia said.
