Last year we reported on a cyberattack that represents a milestone in cyber-warfare. Stuxnet hailed the dawn of a new era, not only due to the repercussions felt in the countries involved, but also thanks to the sophistication of the attack, which managed to damage critical infrastructure such as the Natanz nuclear power plant in Iran. Nevertheless, the advanced malware technology would have been worthless and the attack unsuccessful had it not been for human intervention within the organization. According to Yahoo News, the USA and Israel, with the aid of the Dutch intelligence agency AIVD, recruited an individual who was employed as an engineer at the Natanz plant. The mole then simply planted the malware on systems using a pendrive. Simply put, they used an insider.
Gigafactory in the line of fire_
Yet such incidents are not as rare as they may seem. One notable example occurred this August at the Nevada Gigafactory of Tesla, the leading electric vehicle producer founded by Elon Musk. The US Justice Department reported that a 27-year-old Russian citizen, Egor Igorevich Kriuchkov, tried to entice a plant employee with a $1 million bribe.
The aim was to introduce malware onto Tesla’s systems in order to steal sensitive information, including industrial secrets. This would enable the cyberattackers to demand a ransom from the company and, as such, the scheme could be considered a ransomware campaign. Meanwhile, a distributed denial of service (DDoS) attack would serve as a distraction for the cybersecurity managers.
According to the DOJ and the FBI, Kriuchkov traveled to Sparks, Nevada, where Tesla’s factory is located, and rented a hotel room. There he met the Tesla employee and attempted to bribe him, with cash and bitcoins, in exchange for releasing malware on the company’s systems. He was unaware, however, that after the initial contact the employee had alerted the authorities. By the time of the meeting the employee had already been enlisted as an FBI informant and, through a hidden microphone, recorded the entire conversation with Kriuchkov, which included statements that clearly indicated the attempted bribery.
Global security approach_
This, however, was not the only example of an insider cyberattack attempt this year. In February, UK police warned that groups of professional cyberattackers were infiltrating cleaning services as ‘sleeper agents’, lying in wait to infiltrate systems or introduce malware whenever they received orders from a controlling organization. In any event, given the numerous sources of threats that may come from within, organizations should consider three key factors:
- A global focus on physical and digital security. As we highlighted previously in our post on Zero Trust with threats in the supply chain, security in the widest sense also includes the physical environment. This becomes more important still when considering the threat of insiders or contractors (cleaning, maintenance personnel, etc.) that are in a position to compromise an organization’s systems. For this reason, organizations with sensitive data or access to control systems for critical infrastructures should establish protocols that include roles and permissions with different levels of security access to physical areas (for example, controlled with personal access cards or biometrics) and a detailed record of all the people who have access to them.
- Control of all removable devices and drives. Although not the only way to enter a network (a cyberattacker could, for instance, send a malicious file by email and run it on an organization’s systems), removable devices such as pendrives continue to be a commonly used attack vector for insiders. Organizations must be able to restrict and closely monitor the devices that can access systems and those that cannot. The Comply To Connect (CTC) model used by the Pentagon requires pre-verification of all devices before connecting to the system and is clearly a good example to follow.
- Be proactive in anticipating external and internal adversaries. In the face of cyberattackers that leverage so many resources and use such sophisticated physical infiltration techniques, organizations must have the ability to anticipate adversaries using real-time analytics and visibility. Cytomic Orion helps organizations switch from a reactive to a proactive security posture and thereby reduce incident investigation and remediation times. Moreover, the threat hunting service included by default in all Cytomic endpoint solutions detects attackers using Living-off-the-Land techniques in all phases. This includes anomalous behavior that may be caused by members of the organization themselves or from others with temporary access to systems. As such, organizations can ensure they are protected against more advanced cyberattacks, such as fileless malware, regardless of whether the attack source is external or internal.
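The second factor above, restricting and monitoring removable drives, is the one most easily turned into a concrete check. The script below is an added example, not code from the post or from Cytomic: it parses Linux kernel USB enumeration messages (a constructed log sample is embedded inline), groups them per device, and flags any mass-storage device whose vendor, product and serial are not on a hypothetical inventory of corporate-issued drives. Keyboards and other non-storage devices are ignored, since the post's concern is the pendrive vector.

```python
import re
from collections import defaultdict

# Constructed sample of kernel USB messages; hostname, ids and serials are made up.
SAMPLE_LOG = """\
Aug 21 09:02:11 eng-ws01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Aug 21 09:02:11 eng-ws01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Aug 21 09:02:11 eng-ws01 kernel: usb 1-1: SerialNumber: 4C530001230512345678
Aug 21 09:02:12 eng-ws01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Aug 21 10:15:43 eng-ws01 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Aug 21 10:15:43 eng-ws01 kernel: usb 1-2: SerialNumber: E0D55EA5B7C2F3A1
Aug 21 10:15:44 eng-ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Aug 21 11:01:02 eng-ws01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Aug 21 11:01:02 eng-ws01 kernel: input: Logitech USB Keyboard as /devices/...
"""

# Hypothetical inventory of issued drives: (idVendor, idProduct, serial number).
ALLOWED_DRIVES = {("0781", "5583", "4C530001230512345678")}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group kernel lines by USB port id (e.g. '1-2') into identity + storage flag."""
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            port, vendor, product = m.groups()
            devices[port].update(vendor=vendor, product=product, seen=line[:15])
        elif m := SERIAL.search(line):
            devices[m.group(1)]["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            devices[m.group(1)]["mass_storage"] = True
    return dict(devices)


def find_unauthorized_storage(log_text, allowlist=ALLOWED_DRIVES):
    """Return (port, vendor, product, serial) for each mass-storage device not on the allowlist."""
    alerts = []
    for port, dev in parse_usb_events(log_text).items():
        if not dev.get("mass_storage"):
            continue  # keyboards, mice etc. are not the vector discussed here
        identity = (dev.get("vendor"), dev.get("product"), dev.get("serial"))
        if identity not in allowlist:
            alerts.append((port, *identity))
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_storage(SAMPLE_LOG):
        print("unauthorized removable drive:", alert)
```

On the sample, only the drive on port 1-2 is reported; the same matching can be fed from a live journal or from endpoint agent telemetry and tied to the physical-access records the first factor calls for.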