7 April 2019

In the Era of Hacking, Bugs Remain a Crucial Espionage Weapon

By Scott Stewart

While cyberattacks offer a powerful means for corporate surveillance, it is important to remember that it is just one option in the espionage toolbox. Some information, such as in-person conversations, cannot be obtained through hacks and thus require the use of other tools, such as human intelligence collection insiders or covert audio and video recorders and transmitters (bugs). Today, bugs are cheaper, smaller and easier to obtain than ever — and the number being deployed and discovered is vastly underreported, masking the true scope of the threat. Therefore, in order to adequately combat corporate espionage, organizations must also implement security measures to protect against bugging. 

The threat of cyberattacks has garnered a lot of publicity in recent years — and rightfully so, as such hacks provide hostile actors with a powerful and convenient intelligence tool. Cyberattacks can be conducted from the relative safety of an offshore platform without having to place valuable assets in jeopardy of being discovered and arrested, and provide actors with some degree of plausible deniability as well. 


However, if a capable actor — such as an intelligence service, advanced criminal group or a well-funded corporate competitive operation — really wants to get its hands on a specific piece of information, there is a host of other espionage tools at its disposal that it can (and many still do) deploy in addition to cyberattacks. 

The Big Picture

Corporate espionage remains a persistent and widespread threat, since competition continues to fuel spying efforts by government actors from Russia and China as well as the usual greed-motivated corporate rivals. One of the longstanding tenets of Stratfor's analysis of espionage, however, is to avoid the trap of thinking of the threat only in terms of cyberattacks. 

Non-Hacking Technical Threats

As we've seen repeatedly (and recently), it is important not to ignore the threat posed by non-hacking technical threats, which can come from external actors operating from outside of a targeted facility. This is what officers of the Russian Main Intelligence Directorate (known by its Russian acronym, GRU) were doing when they attempted to hack into the wireless data network of the Organization for the Prohibition of Chemical Weapons (OPCW) using equipment they placed in a parked car near the OPCW headquarters. Information obtained from the laptop later recovered from the car also indicated that the GRU had used the same equipment in a similar attack against the World Anti-Doping Agency (WADA), in retaliation for the WADA's banning of Russian athletes from the Olympic Games and other international competitions including the 2016 Summer Olympics and the 2018 Winter Olympics.

Other types of external technical threats can include equipment, such as parabolic microphones and laser listening systems, as well as international mobile subscriber identity-catchers (IMSI-catchers). IMSI-catchers can be used to track cellphones and grab the IMSI information of a device in an area and, in some cases, even intercept calls. The most commonly known IMSI-catcher is perhaps the StingRay system, which is widely used by law enforcement agencies. 
Internal Threats

Another espionage tool I've frequently discussed is human intelligence collection, or recruiting a source inside the targeted organization who has access to the desired information. Nowadays, almost everyone carries multiple potential spy devices with us. Cellphones, computer systems and tablets can all be infected with malware that permits hostile parties to control microphones and cameras remotely — turning them into clandestine audio or video collection platforms. Smart speakers and other internet-enabled devices are also vulnerable to being hacked and used as spy devices. 

An engineer at Apple's autonomous vehicle division, for example, was caught sharing sensitive proprietary information with the company's Chinese competitors earlier this year. He had used his smartphone to take photos of sensitive proprietary information displayed on his computer monitor that could not be downloaded or transferred outside of the system by other means.

Cellphones, computer systems and tablets can all be infected with malware that permits hostile parties to control microphones and cameras remotely.

We have also seen other cases where witting agents have been asked to carry items into a targeted facility. In 2017, China's intelligence apparatus, the Ministry of State Security (MSS), recruited an employee of a French aerospace company who was working out of the Suzhou office. The MSS gave him a USB drive containing the Sakula malware (the same virus used to attack the U.S. government's Office of Personnel Management in 2015), and was instructed to plug the drive into a company laptop to install the malware on the company's network. But the MSS could also just as easily have given the employee some sort of clandestine audio or video recorder as well — or even a device to transmit live audio or video. 

Nowadays, bugs are still frequently used in cases where an actor can't get what they need remotely via a cyberattack. Some types of valuable information are not available in a digital format — namely, verbal content. What is said at board meeting discussions or business negotiations can be of interest to not only competitors and state actors, but also to criminals. A criminal organization that receives insider information about a company’s upcoming earnings statement or a potential merger can make a great deal of money on the stock market by either buying or short selling. 

Because of this, venues for important meetings are often bugged, and it is critical that technical security countermeasures (TSCM) sweeps be conducted ahead of time. Conducting periodic sweeps of the homes and offices of key executives, as well as any corporate facilities where sensitive research and development takes place, is also strongly advised.

Bugs can be purchased and installed into a number of common office items — including electrical outlets, power strips and chargers, as well as lamps, clocks and smoke detectors. For an added cost, spy shops and bug manufacturers can even build an audio or video device into a custom item, such as a specific piece of art or furniture. In addition to TSCM sweeps to ensure no devices have been placed, it is therefore also important to monitor anything brought into areas where sensitive discussions are conducted, such as furniture or decor. It is also important to limit the number of people with access to such areas and to heavily vet those who are to be given access, including construction, renovation or cleaning crews. 

Danger in Disguise 

Advances in technology have resulted in very small bugs and covert recorders that are exceptionally cheap and easy to obtain. Many bugs that are available online or at spy shops today are as good or better than those used in government intelligence operations 20 years ago. The mass-produced and accessible nature of these bugs means that they are used by a wide variety of actors, making it difficult to trace them back to a specific perpetrator upon being discovered. In some instances, the bugs are regarded as disposable and are installed with no intention of ever being recovered, making it all the more challenging to gather sufficient evidence to charge a suspect. In others, a host country government or foreign government likewise can be involved, meaning a prosecution is very unlikely. 

The lack of court cases and media reporting pertaining to bugging camouflages the magnitude of the problem — especially when compared to high-profile hacking cases.

Because of these factors, there are many more bugs being discovered today than there are people being charged for placing them. Corporations tend to quietly cover up such cases where there is no chance of obtaining a conviction, and TSCM providers operate under strict confidentiality agreements that prevent them from discussing their findings in public. 

The lack of court cases and media reporting pertaining to bugging thus camouflages the magnitude of the problem — especially when compared to high-profile hacking cases. As a result, far more resources are now being devoted to combat hacking than to combat bugging. This, of course, is not to say that programs to protect against cyberattacks should be ignored. But I do recommend that TSCM efforts be seen as an equally critical component of a robust information security program.

No comments: