When the Breach Wears a Suit and Tie
A foiled “black bag” job at the Boston firm Medrobotics underscores the varied nature of threats to sensitive data.
We spend a lot of time on this blog talking about sophisticated threats to corporate data: Trojan horse programs, account hijacking, or subtle vulnerabilities in public-facing or internal applications.
What about the unsophisticated threats like a stranger armed with USB sticks, a tablet and a laptop who walks into your office and commences trying to hack into your network…from your own conference room? Samuel Straface, CEO of Boston-area medical robotics firm Medrobotics, found himself in this situation on August 28.
As Straface was leaving his firm’s Raynham office, he noticed a man sitting in a conference room in the company's secure area and working on a number of open laptop and tablet computers. He didn’t recognize the man as an employee or a contractor and asked him what he was doing.
The man’s answers were fishy. He first told the CEO that he was there to meet with the company’s European sales director, who had been out of the country for weeks. He then named the company's head of intellectual property. Finally, not recognizing who he was speaking with, the man said he was there to meet Straface himself.
Police were called and the man, Dong Liu, said that he was a lawyer doing “patent work” for Boss & Young, a Chinese law firm headquartered in Shanghai. Liu was arrested and, on August 30, charged with the attempted theft of trade secrets and attempted access to a computer without authorization. He is being held pending trial. The story was first reported by The Boston Globe.
That “patent work” Liu was doing from the Medrobotics conference room was apparently an attempt to steal the company’s intellectual property by initially hacking into the company’s wireless network.
The incident was what intelligence and law enforcement folk call a “black bag” operation – apparently a reference to the accoutrements that spies and thieves bring with them when they break into restricted areas in order to collect intelligence. This could mean hacking and siphoning data off onto removable devices, or it could mean simply walking off with hardware like laptop and desktop computers, smart phones and more. Liu was apparently caught with devices for storing large amounts of data.
Many of these crimes might be seen and treated by law enforcement as simple property crimes - “breaking and entering” by ordinary thieves looking for a quick return on fenced hardware. For companies that hold intellectual property and trade secrets that are of interest to foreign competitors and their governments, it’s safe to assume that laptops or other devices walking out overnight isn’t the work of an ordinary thief, but of a more sophisticated operation to gain access to sensitive data by physically invading the workplace.
In fact, Straface has indicated that Liu's efforts weren’t the first attempts by the Chinese government to make inroads at his company. An analysis by the firm Stratfor notes that several Chinese firms had made repeated efforts to meet with Straface and “partner” with Medrobotics, but the CEO had insisted on taking such meetings far away from the company’s headquarters.
Apparently fed up with their lack of progress, whoever was after Medrobotics’ trade secrets tried the next best thing: walking in the front door.
The incident highlights the risks to companies that have valuable and sought after intellectual property, Stratfor notes. “Even if your company is not operating in China and your executives are not traveling there, that does not mean you are safe from the long arm of Chinese espionage if it is interested in your intellectual property and aims to steal it.”
Access to your physical building, executive offices, conference rooms, and even homes can all be avenues by which adversaries obtain valuable intellectual property. “The Chinese government has a robust network of people working for its intelligence services, academic institutions and think tanks who can try to infiltrate companies by posing as students, researchers, potential clients, suppliers, cleaning contractors and security guards,” Stratfor notes.
To counter the threat, companies need to pay more attention and devote more resources to policing their office environment: making sure doors, loading docks and other entry points are secure, cultivating a culture of “if you see something, say something,” and watching out for strangers who try to “wagon train” in behind legitimate employees and play on common human courtesy to gain access to secure and protected spaces.
Paul Roberts is the Publisher & Editor in Chief of The Security Ledger.