Sex and Spear Phishing

On the heels of NFL divisional playoff weekend, a football analogy may be in order. We football fans love the 50-yard pass. It’s exciting. It showcases the extraordinary athleticism of both the receivers and the cornerbacks tasked with defending the nearly indefensible. It’s sexy.

But the consensus among football coaches is that games are won and lost on the defensive and offensive lines, where, let’s just say, flashy and sexy are not the first adjectives that come to mind.

Tying this discussion back to our information security world, this football dichotomy was mirrored in the 60 Minutes episode that followed the last playoff game of the weekend. In its lead segment (see transcript at http://www.cbsnews.com/news/60-minutes-great-brain-robbery-china-cyber-espionage/), The Great Brain Robbery, correspondent Lesley Stahl profiled the company American Superconductor, a developer of sophisticated control software and systems for wind turbines. The company was a victim of Chinese government espionage efforts that target thousands of US companies annually (according to John Carlin, the assistant attorney general for National Security, who appeared in the segment). What struck me most about the piece was how the Chinese used both the sexy and the mundane to steal American Superconductor’s proprietary technology and effectively destroy the company.

First, using old-fashioned cloak and dagger spying techniques, they compromised an engineer in Austria:

“…Dejan Karabasevic, an employee of American Superconductor based in Austria. He was one of the few people in the company with access to its proprietary software. He also spent a lot of time in China working with Sinovel {the Chinese company that manufactured the wind turbines and used American Superconductor software}.”

How did the Chinese turn Karabasevic? The old-fashioned way: money and women. A 50-yard pass. The stuff of Cold War spy novels. Sexy.

One may think the story would end there, but the Chinese were apparently not finished with American Superconductor, so they turned to the mundane blocking and tackling that characterizes modern-day cyber-attacks: spear phishing and credential theft:

“Dmitri Alperovitch: We were brought in because the attacks now continued in cyberspace.

McGahn {CEO of American Superconductor} hired Dmitri Alperovitch and George Kurtz, cofounders of a computer security firm called CrowdStrike, to investigate. They zeroed in on a suspicious email purportedly sent by a board member to 13 people in the company.

Dmitri Alperovitch: It had an attachment. A few people clicked on an attachment and that let the Chinese in. It was sort of like opening the front door.

Lesley Stahl: What do you mean they were in?

Dmitri Alperovitch: Once they clicked on that email and they opened up the attachment, malicious codes started executing on their machine and it beaconed out to the Chinese and basically let them right in to the company. From that point they can hop to any machine and take any file that they wanted from that network.”

That last sentence is a bit misleading. In theory, the bad guys can “hop to any machine and take any file…”, but doing so requires effort on their part, and it is often facilitated by the carelessness of the organization under attack. The disingenuous nature of that statement, however, doesn’t diminish the important point here: there’s not a whole lot between James Bond and authentication-based attacks. Credential theft and abuse is the common thread that links the vast majority of cyber-attacks, whether they’re covered by 60 Minutes in prime time or never made public. They’re the ongoing, critical – yet non-sexy – proverbial battle in the trenches of cyber security.
