One customer contacted the RISK team with an issue involving a primary competitor. This threat actor was located on another continent and had recently made public a piece of large construction equipment. The equipment looked exactly like a model that our victim had recently created. This was made more suspicious by the fact that the threat actor, the competitor, had never previously produced this type of equipment and therefore had no track record in this market. The victim was concerned that the equipment’s design details had been obtained illegally and that similar compromises could also be possible with other projects.
Investigative approach
Data breach investigations don’t always require the analysis of digital evidence. In many cases we find that traditional investigative methods are just as important as, if not more important than, data obtained using the most recent forensic tools.
Interviewing the chief design engineer was crucial in this case. It helped us to determine how the design was taken. Interviewing key employees allowed us to focus on the system that the chief engineer used for the equipment model that was stolen.
Response and investigation
We arrived at the victim’s headquarters shortly after initial notification and began interviewing key stakeholders. We started by meeting with the team responsible for the equipment model that was the subject of the cyber investigation. By comparing the features of the threat actor’s recently released model with their own, the victim’s design team had discovered several key details and parts that were identical. Many of these design elements were unique to the industry. After concluding that the equipment model designs were most likely compromised, we first asked for the names and contact information of the employees involved in the design project.
The first employee we interviewed was the chief engineer for the project. The interview revealed that he was actively seeking employment elsewhere and might not be employed by the victim for much longer. The engineer had been contacted by a recruiter via LinkedIn, which led to the two exchanging email addresses.
Digital forensic analysis of the chief engineer’s system and the associated firewall logs revealed evidence of a breach related to the design plans. The system contained a backdoor shell written in PHP (a scripting language). There were clear indications that the threat actor had copied the file containing the design plans.
Malware spotlight: Command and Control (C2)
C2 refers to the communication methods that malware uses to communicate with its operators. C2 servers can be used to manage thousands upon thousands of infected systems. By issuing one command from this server, all of them can be brought into action. Advanced threats often encrypt their C2 channels using Secure Sockets Layer (SSL) encryption, which is also used in HTTPS, or Secure Shell (SSH). This encryption makes threats difficult to monitor and detect, and it makes it much harder to identify specific commands once C2 traffic has been detected. When we examined the engineer’s emails, we found one email from the recruiter that arrived just before the beaconing activity began. The email contained a job listing document with malware embedded in it. The malware contained a known malicious Chinese IP address.
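Beaconing of the kind found in this case shows up in firewall logs as repeated outbound connections from one host to one external address at a near-constant interval. The following is an added example, not code from the original case study: it parses constructed firewall log lines (the log format, hosts and addresses are assumptions) and flags flows whose connection intervals are regular enough to warrant a closer look.

```python
"""Beacon detection over constructed firewall log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not real data): timestamp, src, dst, dport.
SAMPLE_LOG = """\
2024-03-01T09:00:00 src=10.1.5.23 dst=203.0.113.77 dport=443 action=allow
2024-03-01T09:05:01 src=10.1.5.23 dst=203.0.113.77 dport=443 action=allow
2024-03-01T09:10:00 src=10.1.5.23 dst=203.0.113.77 dport=443 action=allow
2024-03-01T09:14:59 src=10.1.5.23 dst=203.0.113.77 dport=443 action=allow
2024-03-01T09:20:00 src=10.1.5.23 dst=203.0.113.77 dport=443 action=allow
2024-03-01T09:02:13 src=10.1.5.23 dst=198.51.100.10 dport=443 action=allow
2024-03-01T09:31:40 src=10.1.5.23 dst=198.51.100.10 dport=443 action=allow
2024-03-01T09:33:05 src=10.1.5.23 dst=198.51.100.10 dport=443 action=allow
2024-03-01T10:12:50 src=10.1.5.23 dst=198.51.100.10 dport=443 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, dport): mean_interval_seconds} for flows whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)
    suspects = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            suspects[key] = mean
    return suspects

if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{interval:.0f}s")
```

The irregular second flow is a stand-in for ordinary browsing and is not flagged; a hit only means the flow deserves analyst review, since software updaters and monitoring agents also check in on a schedule.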
The data stolen included blueprints for a novel piece of large-scale construction equipment. Attack profiling revealed that the most likely threat actors were a Chinese hacking organization that was long suspected to be state-funded. According to intelligence sources, these threat actors were known to have carried out similar attacks on a variety of victims and allegedly distributed stolen intellectual property in China to companies that were state-owned, operated or supported.
They had done their research and identified the chief design engineer for the project, who was likely to have access to the data. The threat actors established contact with the engineer via a LinkedIn profile pretending to be a recruiter offering attractive employment positions. They then began sending emails with fictitious employment opportunities. One of the emails contained an attachment with a malware file embedded in it. When the attachment was opened, the malware began beaconing to an outside IP address. The threat actors then installed a PHP backdoor reverse shell on the chief design engineer’s computer.
The threat actors were able to search the system’s data and collect sensitive information from attached USB hard drives and network file servers. At first glance the activity seemed almost normal. The chief engineer had access to all data repositories, and because he was so involved in the project it would not have seemed suspicious for him to access the various files related to it.
After the data aggregation was completed, the threat actors encrypted the intellectual property, making it unidentifiable to Data Loss Prevention (DLP) controls. Exfiltration was then trivial and was accomplished via an outbound HTTP connection. Unfortunately, the victim was not able to prove that it had actually lost intellectual property. The victim’s suspicion that a foreign competitor had used the data to market a remarkably similar piece of equipment was confirmed.
Recovery and remediation