If the infamous bank robber, Willie Sutton, were alive today and honed his cyber skills, he might turn his attention to corporate espionage. Why? Because, as he once said about banks, “that’s where the money is.”
Unlike “traditional cyberespionage” which typically takes place between nation-state actors and is used for political gain or to compromise national security, corporate espionage targets proprietary information from private entities for commercial advantage, although in some cases nation-states will target private entities in industries such as energy given their national importance. Over the past two years, several threat actors have launched corporate espionage campaigns against companies in pharmaceuticals, chemicals and related industries with the aim of profiting from proprietary information such as intellectual property, R&D material on new products and technologies as well as financial information. The actors behind these campaigns are each known by different names, but include “APT10”, “Crouching Yeti”, “FIN4”, “Operation Ghoul”, “Patchwork”, “Poseidon”, “Tick” and “Turla.”
How do these threat groups go about these campaigns? Much like Willie Sutton, a master of disguise who would infiltrate banks and stores impersonating a messenger, postal worker, maintenance man or even a police officer, espionage threat actors use spearphishing, watering holes, and malicious software downloads to disguise the initial infection. Once inside the network, they typically use custom backdoor malware to achieve lateral movement, data exfiltration and persistence. To better understand what’s required to mitigate risk, let’s take a closer look at just a handful of these threat groups and the primary tactics, techniques and procedures (TTPs) they feature in their campaigns.
The most technically sophisticated use detailed social engineering techniques, zero-day exploits and weaknesses in the supply chain. For example, Tick uses a variety of methods to gain access to victim networks, such as spearphishing, watering hole attacks and software exploitations including a zero-day vulnerability to access company networks. The group has used custom malware, as well as legitimate penetration testing tools to move laterally within a network, escalate privileges, harvest credentials and exfiltrate data. Recently, Tick has adopted a steganography technique, embedding malicious code in an image file downloaded from a compromised website, thus bypassing firewalls and avoiding detection by anti-virus solutions.
Another technically sophisticated group that continues to evolve is APT10. The group first accesses target networks by compromising a service provider within the supply chain through spearphishing techniques, and then moves laterally to gain access to their primary target. More recent campaigns involve custom tools the group has developed that contain “decoy documents” to deliver a variety of payloads that can execute a range of activities including enabling communication with command and control (C2) servers, finding files, exfiltrating data and taking screen shots.
Groups with lesser technical capability tend to rely on commercial malware variants, but should not be discounted. Operation Ghoul is one such example – targeting more than 130 organizations in 18 months, the group is intent on its mission. Operation Ghoul uses spearphishing emails, mostly sent to executives and other senior employees at target organizations. The messages have contained compressed executables with data-harvesting malware, reportedly based on commercial spyware. The malware logs keystrokes and collects passwords, screenshots, account data from browsers and clipboard data and communicates using a single C2 server.
Microsoft Office vulnerabilities (known or unidentified) are often exploited by espionage threat actors as part of their campaigns. Patchwork and Turla are prime examples. Patchwork commonly uses phishing emails and malicious sites to deliver Microsoft Office or PowerPoint files that exploit several known vulnerabilities, including:
These vulnerabilities allow an attacker to remotely exploit arbitrary code on several Microsoft Windows operating systems, as well as some Microsoft applications, which are used by organizations across industries. Turla also uses vulnerabilities that were not publicly reported at their time of use (zero-day exploits) including CVE-2017-0261, CVE-2017-0262 and CVE-2017-0263. These vulnerabilities in several Microsoft Office versions allow for remote code execution.
Given the TTPs just discussed, the following tips can help organizations mitigate risk of IP theft and corporate espionage and strengthen their security posture:
Spearphishing and watering hole attacks: Provide phishing and general online security training to every employee. Best practices include limiting online activity to reputable sites, avoiding opening unsolicited attachments and performing extra checks before interacting w
ith suspicious email messages.
Malicious software downloads: Individuals should only download applications from legitimate sites. Be sure to review security and access permissions granted to these programs.
Credential harvesting and account takeover: Mandate strong password security across the organization, ensuring passwords are of appropriate length and not reused across accounts. Monitor for exposed credentials on sites like haveibeenpwned.com and use multi-factor authentication for accounts where possible.
Supply chain attacks: Suppliers are often given undue and wholesale access and capabilities to company networks. Organizations should apply technological controls and access restrictions to suppliers, such as separation of duties and least privilege, as well as network isolation and segmentation of the supply chain.
Exploitation of vulnerabilities: Regularly apply patches as they are released and monitor for known security vulnerabilities being exploited in the wild.
Defense in depth: Consider a broad security strategy guided by four main principles: use of host-based firewalls and IP-whitelisting measures, segmenting networks and restricting workstation-to-workstation communication, applying patches and disabling unneeded legacy features, and restricting access to important data to only those who are required to have it.
For Willie Sutton, banks were high-value targets and tellers had no choice but to hand over the money. Today, high-value targets for corporate espionage include any organization with proprietary information that can be sold for financial gain. Fortunately, by following these steps organizations don’t have to “hand over the money,” but can proactively mitigate risk of IP theft and corporate espionage.