Modern Day Espionage

By ISBuzz Team, November 30, 2016 (updated July 4, 2024), 5 min read

When you think about the word “espionage,” what comes to mind? Perhaps it’s Jason Bourne neutralizing a Russian-speaking adversary with bare knuckles and a chair? Maybe Ethan Hunt in Mission Impossible with camera glasses, glue gloves, an instant rubber mask machine and exploding chewing gum. While the CIA, the former KGB, MI6 and other nations’ secret services deploy agents to effectively “gather” intelligence from their adversaries, those of us in the security industry likely realize that many modern-day spies aren’t necessarily racing around like James Bond, but rather sitting at the desk next to you. Right? Well, just in case you still have the Hollywood image of espionage, here are a few real-world examples:

Snowden Inspired – Harold Martin III

Harold Thomas Martin III, 51, a former Navy lieutenant and consultant, was one of the 17% of contractors working at the NSA who had access to top-secret information. At his home in Glen Burnie, Maryland, he was viewed as a friendly neighbor; no one suspected he was storing 50 terabytes of classified information on “dozens” of computers until the morning of his arrest on August 27, 2016. He was charged with theft of government property and the unauthorized removal or retention of classified documents.

While there is little official government documentation, there is speculation and hearsay that Snowden may have inspired his deeds. For example, rumors abound that both men may have used Tails, a privacy-on-a-thumb-drive, Linux-based operating system designed to “leave no trace” and provide “state of the art encryption tools”. It is possible that Martin and Snowden could have downloaded sensitive information without a trace and walked right off the premises. Also, the Shadow Brokers, or TSB for short, is a nefarious hacker group that credible news organizations have linked to both Snowden and Martin. The timeline of events suggests they are somehow related:

August 13, 2016 – TSB tweets a pastebin page with stolen NSA Tools and Malware

August 16, 2016 – Ed Snowden tweets a detailed explanation of the dump

August 27, 2016 – Harold Thomas Martin III is arrested, accused of stealing NSA documentation; an undocumented source claims that he had access to the NSA tools and malware that were leaked

As of October 31, 2016, Martin is facing espionage charges while he waits in jail.

His Calling Card is UG for “UglyGorilla”

Consider “Ugly Gorilla,” or Wang Dong, a Chinese hacker wanted by the FBI for identity theft; damaging computers through the transmission of code and commands; economic espionage; and theft of trade secrets. “UG,” for Ugly Gorilla, is his calling card; yes, the flamboyant hacker actually refers to himself by name, leaving the letters “UG” in the log files of systems he hacks. This, however, is no joke: he is suspected of breaking into US government systems, nuclear power facilities and even a major beverage maker. Dong is purported to be part of an army of Chinese hackers, specifically PLA (People’s Liberation Army) Unit 61398, whose sole mission is to eavesdrop and steal information. These criminals feel safe within the borders of China, but it may also be that they are prisoners of the state; they simply can’t leave. UG’s handiwork includes:

MANITSME malware – In this backdoor-style malware, UG left his mark and demonstrated his poor grammar: “v1.0 No Doubt to Hack You, Writed by UglyGorilla, 06/29/2007”

Russian Dolls

Donald Heathfield and Tracey Foley had a perfect life in Cambridge, Mass., with their two sons. In fact, they treated their son Tim to a celebratory birthday brunch on June 27, 2010, the same day as their FBI arrest and indictment on charges of espionage. It turns out that their real names are Andrei Bezrukov and Elena Vavilova and that the couple had been part of a Russian spy program for most of their lives. Donald (or Andrei) used his status as a consultant to meet with government officials and business leaders to gather intelligence, and then used steganography, the practice of hiding secret messages inside the data of photos, to communicate with Russian headquarters. If you’re not familiar with steganography, criminals will first use a tool like this one from Many Tools, then meet in online role-playing games where they exchange encrypted pictures carrying the secret messages. The couple had an unassuming life, and their own children never knew that they were spies until that fateful meal.
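To make the mechanism concrete, here is an added example (not from the article, and not the tool it mentions) of the simplest form of image steganography: least-significant-bit embedding. Each pixel's lowest bit is replaced with one bit of the message, so no pixel changes by more than one brightness level and the picture is visually identical. It works on a constructed in-memory grayscale pixel array rather than a real photo so it runs offline without image libraries; the function names and sample data are this example's own.

```python
import random


def make_cover(n: int = 4096, seed: int = 7) -> bytearray:
    """Constructed stand-in for a grayscale image: n random 8-bit pixel values."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(n))


def _to_bits(data: bytes):
    # Yield the bits of each byte, most significant bit first.
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels: bytearray, message: bytes) -> bytearray:
    """Hide `message` in the LSB of each pixel; returns a new pixel array."""
    # A 4-byte big-endian length prefix tells the extractor where to stop.
    payload = len(message).to_bytes(4, "big") + message
    bits = list(_to_bits(payload))
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear LSB, then set it to the message bit
    return out


def extract(pixels: bytearray) -> bytes:
    """Recover a message embedded by embed(); raises ValueError if none fits."""
    bits = [p & 1 for p in pixels]

    def read_bytes(start: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | bits[start + b * 8 + i]
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(bits):
        raise ValueError("no valid payload in this image")
    return read_bytes(32, length)


def max_pixel_delta(a: bytearray, b: bytearray) -> int:
    """Largest per-pixel change between cover and stego image (at most 1 for LSB)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"hello")
    print(extract(stego))                              # b'hello'
    print("max per-pixel change:", max_pixel_delta(cover, stego))   # 1
```

The `max_pixel_delta` result is the whole point for a defender: neither eyeballing the picture nor comparing file sizes reveals the payload, so detection relies on statistical tests of the LSB distribution or, more practically, on controls over who has access to the information in the first place.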

Privileged Identity is the Key

The key to all of the stories above is that the perpetrators used their assumed privileged identity to unlock the door to information. In the case of Harold Martin, he was granted access as part of his job and had federal security clearance, just like Ed Snowden. Ugly Gorilla is suspected of using phishing to lure admins into installing his custom backdoor malware. And finally, officials and executives trusted Donald Heathfield’s Ivy League address and nondescript consulting agency when in reality it was a cover for theft of information and espionage. These criminals know that using a false privileged identity to obtain information is an effective ruse. Here are measures you can put in place to prevent espionage from occurring within your organization:

  1. Educate staff members and partners on the real threats of state-sponsored espionage and data theft. Use the examples above to educate employees. Or grab some popcorn: the FBI sponsored a great movie based on a real case called The Company Man: Protecting America’s Secrets.
  2. Develop policies that create a sense of awareness followed by action. For example, support an open-door policy of “if you see something, say something.” Create a culture where it is OK to report suspicious behavior.
  3. Review the controls you have in place and ensure they support the principle of least privilege: users have access only to the systems and files they need.
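The third measure is the one that can be checked mechanically. As an added example (not part of the article), here is a least-privilege review over a constructed entitlement export: each role is mapped to the resources its holders actually need, and any grant beyond that baseline is reported for revocation. The role names, resources and user names are invented for this illustration, and it assumes each user holds a single role.

```python
from collections import defaultdict

# Constructed baseline: the resources each role legitimately needs.
ROLE_NEEDS = {
    "analyst":    {"ticketing", "wiki"},
    "sysadmin":   {"ticketing", "wiki", "prod-servers"},
    "contractor": {"wiki"},
}

# Constructed entitlement export as (user, role, resource) rows, as an
# IAM system or a directory dump might produce.
ENTITLEMENTS = [
    ("alice", "analyst", "ticketing"),
    ("alice", "analyst", "wiki"),
    ("bob", "sysadmin", "prod-servers"),
    ("bob", "sysadmin", "ticketing"),
    ("carol", "contractor", "wiki"),
    ("carol", "contractor", "classified-share"),   # beyond the contractor baseline
    ("carol", "contractor", "prod-servers"),       # beyond the contractor baseline
    ("dave", "intern", "wiki"),                    # role with no defined baseline
]


def review(entitlements, role_needs):
    """Return {user: sorted list of resources granted beyond the role baseline}.

    Users whose role has no baseline are reported with all of their grants,
    since nothing can be shown to be needed.
    """
    have = defaultdict(set)
    roles = {}
    for user, role, resource in entitlements:
        have[user].add(resource)
        roles[user] = role

    excess = {}
    for user, resources in have.items():
        role = roles[user]
        if role not in role_needs:
            excess[user] = sorted(resources)
            continue
        extra = resources - role_needs[role]
        if extra:
            excess[user] = sorted(extra)
    return excess


def revoke_plan(excess):
    """Turn the review result into an ordered list of revocation actions."""
    return [f"revoke {res} from {user}"
            for user, resources in sorted(excess.items())
            for res in resources]


if __name__ == "__main__":
    findings = review(ENTITLEMENTS, ROLE_NEEDS)
    for action in revoke_plan(findings):
        print(action)
```

Run on a schedule and diffed against the previous run, the output doubles as a change log of privilege creep; a contractor account turning up with access to a share outside its role is exactly the kind of finding the Martin case argues for catching early.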