Industrial cyber espionage and theft of business secrets
Industrial cyber espionage and the theft of strategic information can lead to huge economic losses and damage to companies’ competitiveness
At the end of December 2023, Akira, one of the most active ransomware groups in recent years, announced that it had managed to steal 100 gigabytes of data from the Australian division of the multinational Nissan. According to the ransomware group itself, the attack gave it access to the personal data of the company’s customers and employees and critical business information such as confidentiality agreements, projects, and partners.
This case shows that ransomware attacks are not only aimed at the theft and malicious use of personal data but can also aim to gain access to strategic company information. For what purpose? Industrial cyber espionage, extorting companies, selling business secrets to the highest bidder or publicising projects under development to undermine companies’ market position.
As with many other aspects of cybersecurity, these espionage practices are the logical evolution of those already occurring in the pre-digital world. Spying on competitors or extorting money from companies is nothing new; legal systems have been protecting business secrets for decades. The novelty lies in the how: attacking companies’ technological infrastructures.
In this article, we outline the critical aspects of industrial cyber espionage and its worrying consequences for companies. To give one figure: in Germany, a country at the technological forefront of many industries, the combined cost of cyber espionage, theft of technological equipment and theft of industrial property in 2023 is estimated at more than 200 billion euros.
1. Who is behind industrial cyber espionage and intellectual property theft?
Some industrial cyber espionage attacks are technically complex and resource-intensive. These are typically the work of advanced persistent threat (APT) groups, which have the knowledge, resources and patience to remain inside a company’s systems, undetected, for long periods.
The FBI and the US National Counterintelligence and Security Center (NCSC) have recently warned about cyber espionage campaigns by state-sponsored APT groups, backed by countries such as Russia, China or Iran, against critical US and European sectors: aerospace, defence, energy, pharmaceuticals, aviation and, the most talked-about field today, Artificial Intelligence.
These vital sectors for the present, but also the future of humanity, are at the technological forefront. As a result, the companies that make up these sectors have intellectual and industrial property of enormous value. Hence, they are priority targets for criminal groups and rival states.
Does this mean that industrial cyber espionage is only within the reach of APT groups? No. The consolidation of Malware-as-a-Service models has opened the door to the democratisation of cyber espionage, making it possible for a criminal without extensive knowledge and resources to spy on a company and steal confidential information from it, mainly thanks to Ransomware-as-a-Service programs designed by some of the most dangerous criminal groups in today’s threat landscape.
1.1. What are the targets of industrial cyber espionage?
The motivations of the criminals who engage in cyber espionage and steal business secrets and industrial property vary, and so do the objectives of this kind of attack:
- Obtain substantial financial gain by extorting the victim or by selling its trade secrets and intellectual property to competitors.
- Gain competitive advantages for companies in the state sponsoring the attack.
- Undermine the operations of the affected company and disrupt its business strategy in the medium to long term.
- Damage its reputation with partners, investors and customers by revealing its secrets and exposing its weakness in the face of attacks.
2. What techniques and tactics are used in industrial cyber espionage?
How do criminals achieve these goals? By continuously refining their tactics, techniques and procedures (TTPs) so that they go undetected by companies’ security tools and controls.
What attacks and techniques are most common regarding a company’s cyber espionage?
- Social engineering. Phishing, spear-phishing and CEO fraud remain essential in almost any attack, and cyber espionage is no exception: they serve either as the initial access vector or as an intermediate step towards the attacker’s goal.
- Spyware. As the name suggests, spyware is malware explicitly developed to carry out cyber-espionage tasks. One of the most common types of spyware criminals use is the info-stealer.
- Ransomware. Ransomware attacks against companies and public administrations are on the rise. Almost every week, security incidents are publicised in which malicious actors use ransomware to steal data from companies and extort money from them.
- Supply chain attacks. It is not enough for a company to protect itself; its suppliers and partners must be protected too. For example, Airbus, one of the world’s largest aerospace companies, suffered the theft of confidential information on some 3,000 suppliers after an attacker logged in with a compromised Turkish Airlines employee account.
- Exploitation of zero-day vulnerabilities. The supply chain also matters when it comes to emerging vulnerabilities: a company can be compromised through a zero-day in third-party software or hardware it depends on, before any patch is available.
3. When the spy is inside the organisation
In addition to the above techniques and types of cyber-attack, we must also consider one of the basic strategies of classic espionage: the insider, an employee of the organisation who acts on the attacker’s behalf, whether recruited once inside or planted in the target company or institution from the outset.
General Electric Power, a US multinational operating in critical sectors such as energy and aerospace, was the victim of industrial property theft by one of its own employees. How was it carried out?
The employee used steganography to hide data files containing confidential information about the company’s technology inside the bytes of an innocuous-looking image file, and then sent that image to his personal email account.
This case adds to other insider attacks that Western companies have suffered in recent years. The director of the FBI has warned that various criminal groups, often sponsored by states such as Russia or China, seek to steal business secrets and intellectual and industrial property from companies to boost the growth of companies in these countries and get them to dominate critical sectors.
4. It is not only critical sectors that are exposed
Given what we have discussed so far, it is clear that companies operating in sensitive areas such as energy or healthcare are priority victims of industrial cyber espionage attacks. Still, the theft of confidential company information can occur in any economic sector.
For example, although the creative industries (film, music, video games, etc.) are not critical to society or the economy, they generate wealth and employment and are essential at the cultural level. For this reason, cyber espionage groups also target these companies. Consider Insomniac Games, a video game developer owned by Sony.
The Ransomware-as-a-Service group Rhysida attacked Insomniac Games’ systems and exfiltrated 1.67 TB of data. In exchange for not publishing it, the group demanded a ransom of $2 million. In the end, it released more than 1.3 million files on the Dark Web, revealing critical aspects of the studio’s upcoming video games, such as character designs and release dates, as well as strategic business information, such as the agreement between Sony and Marvel to release games starring Marvel superheroes through 2035.
What were the criminals looking for with this attack? Money. Either through the ransom payment or selling some of the studio’s business secrets to its competitors.
Beyond this, the criminal group released hundreds of thousands of documents, damaging Insomniac Games’ reputation and undermining its roadmap for the next decade.
5. Accessing company information via Bluetooth devices
More than 6 billion devices in the world today use the Bluetooth communications standard.
In the business world, it is common for company professionals and managers to use wireless headsets connected to their smartphones or wireless keyboards and mice to work more comfortably on their laptops.
Alongside the expansion of IoT devices in everyday business and home life, we should also consider an essential trend in the industrial sphere: the development of IIoT (Industrial Internet of Things) devices to optimise all kinds of processes and increase the productivity and profitability of companies.
The importance of these devices sadly makes them targets of industrial cyber espionage.
For example, suppose a malicious actor exploits a vulnerability in a Bluetooth mouse or keyboard and takes control of the device. The laptop it is paired with trusts it as an input device, so the compromised peripheral can inject keystrokes and commands on the host. From that foothold, the attacker can reach the confidential company information stored on or accessible from the laptop.
To prevent attacks against Bluetooth devices and industrial cyber espionage, Tarlogic’s Innovation team has developed BSAM, the world’s first methodology for performing a security audit of Bluetooth devices. In this way, devices can be analysed to detect vulnerabilities and mitigate them before they can be successfully exploited as part of an industrial cyber espionage strategy.
6. Another twist: When AI knows corporate secrets
As we pointed out at the beginning of this article, Artificial Intelligence is one of today’s hottest fields, especially with the proliferation of generative AIs such as ChatGPT or Midjourney.
Using these systems challenges companies’ ability to protect their secrets and intellectual property. Why? When working with a third-party AI service, professionals may type prompts that include confidential business data, from commercial information to application source code. Once that data leaves the company, it is stored and processed by an external provider: it may be retained, used to train the model, or exposed if criminals breach the provider itself.
Samsung, one of the world’s largest technology companies, banned the use of ChatGPT in mid-2023 when it realized that internal source code had been leaked because an engineer had used this AI system. Following this event, other multinationals such as Apple, JP Morgan, and Goldman Sachs also restricted the use of third-party generative AI.
This case highlights a new attack avenue that criminals can use to carry out industrial cyber espionage and illegitimately access sensitive and confidential company information.
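The practical control that companies such as Samsung ended up needing is a filter in front of the AI service: scan each outgoing prompt for credentials, internal identifiers and source code before it leaves the company, and block, flag or redact accordingly. The following Python example is added here to illustrate that control and is not code from the original article or from any of the companies mentioned. The detection rules (an AWS-style access key pattern, PEM private key headers, bearer tokens, an assumed internal domain `corp.example`, and a crude source-code heuristic) and the three sample prompts are constructed for the example and would need tuning for a real environment.

```python
import re

# Assumption: illustrative detection rules; tune patterns and the internal
# domain to your own environment before relying on them.
SECRET_RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*")),
    ("internal_host", re.compile(r"\b[a-z0-9.-]+\.corp\.example\b", re.I)),  # assumed domain
]
BLOCKING = {"private_key", "aws_access_key_id", "bearer_token"}

# Two or more lines that look like code is enough to flag the prompt for review.
CODE_MARKERS = re.compile(r"^\s*(def |class |import |#include|public |private |function )", re.M)


def scan_prompt(text: str) -> list:
    """Return (rule_name, start, end) findings for a prompt about to leave the company."""
    findings = []
    for name, rx in SECRET_RULES:
        for m in rx.finditer(text):
            findings.append((name, m.start(), m.end()))
    if len(CODE_MARKERS.findall(text)) >= 2:
        findings.append(("source_code", 0, len(text)))
    return findings


def policy_decision(findings: list) -> str:
    """block: credentials present; review: code or internal names; allow: nothing found."""
    if any(name in BLOCKING for name, _, _ in findings):
        return "block"
    return "review" if findings else "allow"


def redact(text: str, findings: list) -> str:
    """Replace secret spans with placeholders. Spans are applied from the end of
    the text backwards so earlier offsets stay valid; source_code is left intact
    because the reviewer needs to see it."""
    spans = sorted((f for f in findings if f[0] != "source_code"),
                   key=lambda f: f[1], reverse=True)
    out = text
    for name, start, end in spans:
        out = out[:start] + f"[REDACTED:{name}]" + out[end:]
    return out


# Constructed sample prompts (not real data).
PROMPT_CODE = ("Can you review this function?\n\n"
               "def pay(user):\n"
               "    import requests\n"
               "    return requests.post(BILLING_URL, json=user)\n")
PROMPT_SECRET = ("Fix my config: aws_access_key_id = AKIAABCDEFGHIJKLMNOP, "
                 "the database is db01.corp.example")
PROMPT_CLEAN = "Summarise the quarterly results in three bullet points."


if __name__ == "__main__":
    for label, prompt in (("code", PROMPT_CODE), ("secret", PROMPT_SECRET), ("clean", PROMPT_CLEAN)):
        f = scan_prompt(prompt)
        print(label, "->", policy_decision(f), [name for name, _, _ in f])
        if policy_decision(f) == "block":
            print("  redacted:", redact(prompt, f))
```

The decision logic is deliberately conservative: credentials are never forwarded, even redacted, because the surrounding context often reveals what they unlock; code is sent to a human reviewer rather than blocked outright, since a blanket ban simply pushes engineers to personal accounts, which is exactly the channel Samsung’s leak went through.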
7. NIS2 Directive: Combating cyber espionage against vital sectors
Improving the resilience of companies and institutions operating in critical sectors: that is the central objective of the NIS2 Directive, a European Union regulation that member states had to transpose into national law by 17 October 2024.
Why was this regulation passed? The theft of citizens’ data, cyber espionage, business continuity disruption and other threats can severely damage European companies operating in the energy, banking, space or water management sectors.
To strengthen companies’ security strategy, the directive requires in-scope entities to adopt risk-management measures, including:
- Analysing the risks to their technological infrastructure.
- Managing incidents comprehensively, from prevention to recovery.
- Ensuring business continuity.
- Securing the supply chain.
- Securing networks and information systems.
- Evaluating the effectiveness of the measures implemented to manage risk.
- Safeguarding human-resources security and implementing mechanisms to control access to assets.
In addition, the regulation requires company managers to be trained in cybersecurity to be able to assess the risks they face, such as cyber espionage and theft of industrial property; to be up to date with best security practices in their industry; and to be aware of the consequences of a successful security incident.
Once the directive is transposed, fines for breaching it can reach 10 million euros or 2% of global annual turnover, whichever is higher, for essential entities, and the managers responsible can be temporarily barred from exercising management functions, among other consequences.
8. Preventing industrial cyber espionage
A successful cyber-attack involving the theft of intellectual property or access to strategic information can lead to losses:
- Economic.
- Competitive.
- Reputational.
- Commercial.
Therefore, companies must implement an advanced and proactive cybersecurity strategy to limit their cyber exposure and effectively prepare against advanced persistent threats and the malicious techniques most commonly used by criminals, such as ransomware or phishing attacks.
8.1. Three services that can make a difference
Which services are essential when designing and implementing a comprehensive cybersecurity strategy?
- Threat Intelligence. Targeted threat intelligence enables companies to protect critical assets such as industrial property. To do this, the company’s attack surface is mapped, the threats it faces and the objectives of the relevant malicious actors are studied, early-warning indicators are defined, the most likely attack scenarios are designed, and the risks associated with them are analysed.
- Threat Hunting. Threat Hunters investigate new forms of attack to detect the most cutting-edge TTPs used by criminal groups and anticipate their actions using a proactive approach and the assumption of compromise hypotheses.
- Red Team. The information gathered by Threat Intelligence and Threat Hunting professionals enables the design of realistic Red Team scenarios to check whether the company could fall victim to cyber espionage, correct the deficiencies detected and train its defensive teams against the TTPs they will actually face.
In short, industrial cyber espionage is a criminal practice that threatens companies’ intellectual and industrial property and business secrets, from supplier contracts to strategic plans. Relying on offensive cyber intelligence and cybersecurity services is essential to prevent cyber criminals from undermining a company’s operations and market position.
Revealing a company’s secrets can lead to its downfall.