Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Don’t Fall Victim to IP Theft and Corporate Espionage

If the infamous bank robber, Willie Sutton, were alive today and honed his cyber skills, he might turn his attention to corporate espionage. Why? Because, as he once said about banks, “that’s where the money is.”

If the infamous bank robber, Willie Sutton, were alive today and honed his cyber skills, he might turn his attention to corporate espionage. Why? Because, as he once said about banks, “that’s where the money is.”

Unlike “traditional cyberespionage” which typically takes place between nation-state actors and is used for political gain or to compromise national security, corporate espionage targets proprietary information from private entities for commercial advantage, although in some cases nation-states will target private entities in industries such as energy given their national importance. Over the past two years, several threat actors have launched corporate espionage campaigns against companies in pharmaceuticals, chemicals and related industries with the aim of profiting from proprietary information such as intellectual property, R&D material on new products and technologies as well as financial information. The actors behind these campaigns are each known by different names, but include “APT10”, “Crouching Yeti”, “FIN4”, “Operation Ghoul”, “Patchwork”, “Poseidon”, “Tick” and “Turla.”

How do these threat groups go about these campaigns? Much like Willie Sutton, a master of disguise who would infiltrate banks and stores impersonating a messenger, postal worker, maintenance man or even a police officer, espionage threat actors use spearphishing, watering holes, and malicious software downloads to disguise the initial infection. Once inside the network, they typically use custom backdoor malware to achieve lateral movement, data exfiltration and persistence. To better understand what’s required to mitigate risk, let’s take a closer look at just a handful of these threat groups and the primary tactics, techniques and procedures (TTPs) they feature in their campaigns.

The most technically sophisticated use detailed social engineering techniques, zero-day exploits and weaknesses in the supply chain. For example, Tick uses a variety of methods to gain access to victim networks, such as spearphishing, watering hole attacks and software exploitations including a zero-day vulnerability to access company networks. The group has used custom malware, as well as legitimate penetration testing tools to move laterally within a network, escalate privileges, harvest credentials and exfiltrate data. Recently, Tick has adopted a steganography technique, embedding malicious code in an image file downloaded from a compromised website, thus bypassing firewalls and avoiding detection by anti-virus solutions.

Another technically sophisticated group that continues to evolve is APT10. The group first accesses target networks by compromising a service provider within the supply chain through spearphishing techniques, and then moves laterally to gain access to their primary target. More recent campaigns involve custom tools the group has developed that contain “decoy documents” to deliver a variety of payloads that can execute a range of activities including enabling communication with command and control (C2) servers, finding files, exfiltrating data and taking screen shots.

Groups with lesser technical capability tend to rely on commercial malware variants, but should not be discounted. Operation Ghoul is one such example – targeting more than 130 organizations in 18 months, the group is intent on its mission. Operation Ghoul uses spearphishing emails, mostly sent to executives and other senior employees at target organizations. The messages have contained compressed executables with data-harvesting malware, reportedly based on commercial spyware. The malware logs keystrokes and collects passwords, screenshots, account data from browsers and clipboard data and communicates using a single C2 server.

Microsoft Office vulnerabilities (known or unidentified) are often exploited by espionage threat actors as part of their campaigns. Patchwork and Turla are prime examples. Patchwork commonly uses phishing emails and malicious sites to deliver Microsoft Office or PowerPoint files that exploit several known vulnerabilities, including:

CVE-2012-1856
CVE-2014-4114
CVE-2017-0199
CVE-2017-8570
CVE-2015-1641
CVE-2012-0158

Advertisement. Scroll to continue reading.

These vulnerabilities allow an attacker to remotely exploit arbitrary code on several Microsoft Windows operating systems, as well as some Microsoft applications, which are used by organizations across industries. Turla also uses vulnerabilities that were not publicly reported at their time of use (zero-day exploits) including CVE-2017-0261, CVE-2017-0262 and CVE-2017-0263. These vulnerabilities in several Microsoft Office versions allow for remote code execution.

Given the TTPs just discussed, the following tips can help organizations mitigate risk of IP theft and corporate espionage and strengthen their security posture:

Spearphishing and watering hole attacks: Provide phishing and general online security training to every employee. Best practices include limiting online activity to reputable sites, avoiding opening unsolicited attachments and performing extra checks before interacting w
ith suspicious email messages.

Malicious software downloads: Individuals should only download applications from legitimate sites. Be sure to review security and access permissions granted to these programs.

Credential harvesting and account takeover: Mandate strong password security across the organization, ensuring passwords are of appropriate length and not reused across accounts. Monitor for exposed credentials on sites like haveibeenpwned.com and use multi-factor authentication for accounts where possible.

Supply chain attacks: Suppliers are often given undue and wholesale access and capabilities to company networks. Organizations should apply technological controls and access restrictions to suppliers, such as separation of duties and least privilege, as well as network isolation and segmentation of the supply chain.

Exploitation of vulnerabilities: Regularly apply patches as they are released and monitor for known security vulnerabilities being exploited in the wild.

Defense in depth: Consider a broad security strategy guided by four main principles: use of host-based firewalls and IP-whitelisting measures, segmenting networks and restricting workstation-to-workstation communication, applying patches and disabling unneeded legacy features, and restricting access to important data to only those who are required to have it.

For Willie Sutton, banks were high-value targets and tellers had no choice but to hand over the money. Today, high-value targets for corporate espionage include any organization with proprietary information that can be sold for financial gain. Fortunately, by following these steps organizations don’t have to “hand over the money,” but can proactively mitigate risk of IP theft and corporate espionage.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.