The Financial Crime Forum - Blog

Industrial Espionage and Sabotage – Attack vectors and defence. 25 May, 2023

It might seem strange that we would consider Industrial Espionage and Sabotage – Attack vectors and defence as financial crimes. Surely these are civil matters and, even, terrorism-related conduct?

Well, yes, they are. But they are also issues that directly affect companies and, of course, governments. And in many countries, they are reportable events.

The public face of industrial espionage is, basically, the illegal acquisition of data. Media hysteria concentrates on the theft (using the term loosely) of personal information that can be used to forge identities and credit card information. That is, of course, a massive problem, but it is not the only problem.

The theft (again, in its loose sense) of commercial information, be it designs, financial data or, even, lists of customers (with or without their purchasing habits) and/or of suppliers, often has a direct commercial effect on the viability of products, divisions or, even, companies or groups. Less direct, but of no less importance, is the effect on share prices, which in turn affects pension funds.

While the theft of commercial information is serious, it does not attract penalties or fines nor the naming and shaming that has become a feature of the theft of data relating to individuals. When that happens, there is often, also, a negative effect on share prices.

What is worst of all is that while many data thefts are from external sources, at least as many are by those who have lawful access to computer systems and who access those systems for unlawful or illegal purposes.

This latter group is often where the prime suspects are found for sabotage. It is true that much sabotage is the result of access from outside the company, but it is the internal threat that is widely viewed as the most troubling.

An attack vector that has proved successful is to infect a user's computer at home with malware that lodges itself, secretly, on removable media, most likely a USB. How does the USB get into the house? The delivery of fake updates to the world's most popular operating system, in very convincing packaging, is one way that came to the fore during the CoVid-19 pandemic when people were working from home.

Then, once the home machine is infected and an office USB is inserted into the home computer and then into another computer, e.g. at the user's office, the malware transfers itself to the office system. The user often bypasses the security system or pre-approves the device, because it never leaves his possession. This attack vector is one that was largely overlooked in the early days of the CoVid-19 pandemic as staff were told to work from home with little or no notice. By the time IT departments began to address this threat, it was already too late.

We should not view sabotage as new. Attacks on public and private infrastructure are thousands of years old. Sometimes it's economic, sometimes it's political and sometimes it's just old-fashioned thuggery.

In 1994, the USA's OSS (you thought that Marvel's Agent Carter worked for a fictional government agency, didn't you?) published a book aimed at helping its agents in occupied Europe work against Germany. Here's an extract:

(b) Among the potential citizen-saboteurs who are to engage in physical destruction, two extreme types may be distinguished. On the one hand, there is the man who is not technically trained and employed. This man needs specific suggestions as to what he can and should destroy as well as details regarding the tools by means of which destruction is accomplished.

(c) At the other extreme is the man who is a technician, such as a lathe operator or an automobile mechanic. Presumably this man would be able to devise methods of simple sabotage which would be appropriate to his own facilities. However, this man needs to be stimulated to re-orient his thinking in the direction of destruction. Specific examples, which need not be from his own field, should accomplish this.

In the 1970s, squads of radicalised workers in, mainly, the coal industry sabotaged mission-critical equipment in coal mines and in services which were deemed to be supportive of the opposition to the striking miners. They used hammers and other tools.

In November 2022 a contractor at the Eskom power station at Camden in South Africa sabotaged the plant by removing a plug from an oil drainage hole, which caused the machine to malfunction and sensors to repeatedly trip safety procedures. He admitted that he did it because he was concerned for his job, wanted to increase the demand for maintenance services and thought that his employer would be awarded a bigger contract. It was not the only sabotage at an Eskom plant: not long before, it was discovered that rocks, not coal, were being fed along conveyors to the furnace. Amongst the damage were torn belts.

But while physical sabotage is an ever-present concern, it is sabotage by intrusion into electronic systems that is causing a wave of worry.

Critical control systems are everywhere from cars through buses and lorries to pipelines, electricity distribution networks, air traffic and ports control, hospitals, financial institutions and international, strategic, payment systems. And that's before we start to talk about aircraft and military applications.

From ransomware to shut-down of critical infrastructure, the risks go beyond the data itself.

The humble USB is now a tool of mass destruction.

But it is only a threat when it's in the hands of a person willing to use it or, as noted above, who is unaware that the threat is in his possession.

The Financial Crime Forum: Online Industrial Espionage and Sabotage - Attack Vectors and Defence is for everyone who uses a computer in their employment or business. Everyone has the potential to be a risk or a target or both. It will be held on 18th April 2023 in the AsiaPac+West Asia region.

The threats to data of all kinds are significant.

The ways attacks can be mounted are varied.

Defence must be multi-faceted.

Update 20230224 - An official from Microsoft speaking at a conference in Canada this week said that 98% of data breaches were because of the most basic failures in IT security - applying patches.