SecurityWeek

Application Security

Security Audit Discovered Coder Who Outsourced His Job to China

In a blog post examining cases from 2012, Verizon Business’ Andrew Valentine presented a tale of a critical infrastructure firm in the U.S. that called Verizon in to investigate suspicious VPN connections to China. As it turns out, this was no complex hack, just a lazy developer – or a smart one, depending on how you view things.

Last year, Verizon Business was called in by a US-based company that had discovered strange activity while examining its VPN logs. While reviewing the daily VPN connections, the company found an active link into its network from Shenyang, China.

“They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated; The company implemented two-factor authentication for these VPN connections. The second factor being a rotating token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming; The developer whose credentials were being used was sitting at his desk in the office,” the blog explained.

Naturally, the security team at this firm was shaken, and assumed the worst – namely some type of “unknown malware that was able to route traffic from a trusted internal connection to China, and then back.” After all, the employee was sitting at his desk, and while the company had implemented a tele-work initiative, he wasn’t working from home. When Verizon started looking deeper, they discovered the VPN access from China had been an ongoing thing, for six months at least.
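The two signals that exposed this case are both in the logs the company already had: a VPN session sourced from a country the user has no business connecting from, and a badge record showing the same user physically in the office while that "remote" session was open. The following is an added example, not code from Verizon or SecurityWeek, that hunts for exactly that pairing over constructed sample data. The log layout (timestamp, user, source IP, country, event), the badge records, the user names and the per-user expected-country policy are all assumptions made for illustration; real VPN concentrators and badge systems use their own formats, and the country would normally come from a GeoIP lookup rather than a log field.

```python
"""
Hunt for VPN sessions that (a) originate from a country outside the user's
expected set and (b) overlap with a badge-reader record showing the user
on site, i.e. the session cannot be the user.  All sample data below is
constructed; field layouts are assumptions, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed VPN log lines.  Assumed layout: ts user src_ip country event
VPN_LOG = """\
2012-06-04T08:02:11Z bob 203.0.113.17 CN connect
2012-06-04T17:31:40Z bob 203.0.113.17 CN disconnect
2012-06-05T08:01:03Z bob 203.0.113.17 CN connect
2012-06-05T17:30:12Z bob 203.0.113.17 CN disconnect
2012-06-05T09:15:00Z alice 198.51.100.9 US connect
2012-06-05T12:00:00Z alice 198.51.100.9 US disconnect
2012-11-20T08:00:59Z bob 203.0.113.17 CN connect
2012-11-20T17:29:44Z bob 203.0.113.17 CN disconnect
"""

# Constructed badge-reader records.  Assumed layout: badge_in user badge_out
BADGE_LOG = """\
2012-06-04T08:55:00Z bob 2012-06-04T17:05:00Z
2012-06-05T09:02:00Z bob 2012-06-05T17:10:00Z
2012-11-20T08:58:00Z bob 2012-11-20T17:00:00Z
"""

# Assumed telework policy: countries each user may legitimately VPN from.
EXPECTED_COUNTRIES = {"bob": {"US"}, "alice": {"US"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn_sessions(text):
    """Pair connect/disconnect events into sessions keyed by (user, src_ip)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, country, event = line.split()
            events.append((parse_ts(ts), user, ip, country, event))
    events.sort()  # logs are not guaranteed to be in time order
    open_sessions, sessions = {}, []
    for ts, user, ip, country, event in events:
        key = (user, ip)
        if event == "connect":
            open_sessions[key] = (ts, country)
        elif event == "disconnect" and key in open_sessions:
            start, country = open_sessions.pop(key)
            sessions.append({"user": user, "ip": ip, "country": country,
                             "start": start, "end": ts})
    # Anything still open at end of log is an ongoing session (end=None).
    for (user, ip), (start, country) in open_sessions.items():
        sessions.append({"user": user, "ip": ip, "country": country,
                         "start": start, "end": None})
    return sessions


def parse_badge(text):
    """Map user -> list of (badge_in, badge_out) intervals."""
    badged = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            t_in, user, t_out = line.split()
            badged[user].append((parse_ts(t_in), parse_ts(t_out)))
    return badged


def overlaps(a_start, a_end, b_start, b_end):
    """True if [a_start, a_end) and [b_start, b_end) intersect; open-ended a_end allowed."""
    a_end = a_end or datetime.max
    return a_start < b_end and b_start < a_end


def find_anomalies(sessions, badged, expected):
    """Return sessions tagged with the reasons they look wrong."""
    findings = []
    for s in sessions:
        reasons = []
        if s["country"] not in expected.get(s["user"], set()):
            reasons.append("unexpected_country")
        if any(overlaps(s["start"], s["end"], b_in, b_out)
               for b_in, b_out in badged.get(s["user"], [])):
            reasons.append("user_badged_on_site")
        if reasons:
            findings.append({**s, "reasons": reasons})
    return findings


def span_days(findings, user):
    """Calendar days between the first and last flagged session for a user."""
    dates = [f["start"].date() for f in findings if f["user"] == user]
    return (max(dates) - min(dates)).days if dates else 0


if __name__ == "__main__":
    found = find_anomalies(parse_vpn_sessions(VPN_LOG),
                           parse_badge(BADGE_LOG), EXPECTED_COUNTRIES)
    for f in found:
        print(f["start"], f["user"], f["ip"], f["country"], ",".join(f["reasons"]))
    print("pattern spans", span_days(found, "bob"), "days for bob")
```

Either signal alone is noisy: a single foreign login may be a travelling employee, and a badge overlap may be a split-tunnel session left open on a laptop. The two together, repeated on consecutive work days and stretching across months, is the pattern the investigators found, which is why the example reports the calendar span of the flagged sessions rather than just the count.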

They took an image of the employee’s system and discovered invoices from a consulting firm in Shenyang, and evidence that he had used FedEx to ship the firm his RSA token. According to the forensic work, the employee started his day by surfing Reddit, then after a few hours he would take lunch. In the afternoon, he shopped on eBay and updated Facebook and LinkedIn, before sending his bosses a daily status report and going home.

“All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building,” Valentine wrote.

“We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers’ systems to off-shore firms seems dangerous at best,” said Nick Cavalancia, VP, SpectorSoft.

“What many organizations fail to understand is that with effective, proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident,” Cavalancia said.
