The long and winding road
Insider threat. Third-party risk. Phishing. Privilege escalation. Unencrypted sensitive data. This reads like a “Top 5” list of security concerns, but in fact it is the chain of weaknesses that allowed Su Bin, the owner of a Chinese aviation technology company, to help two Chinese nationals break into Boeing’s network and steal more than 65GB of data from the defense contractor.
For his efforts, Su (a.k.a. “Stephen Su” and “Stephen Subin”) was sentenced to 46 months in U.S. federal prison and fined $10,000. Su was arrested in June 2014 in British Columbia, where he lived; extradited to the U.S. in February 2016; and in March 2016 pleaded guilty to one count of conspiring to gain unauthorized access to a protected computer. As part of the plea he admitted, among other things, translating stolen materials from English into Chinese for his co-conspirators. Boeing, for its part, has denied any successful compromise of its networks or information.
I’ve seen that road before
An affidavit filed by the FBI in 2014 details Su’s and his (unnamed) affiliates’ plans for, and alleged successes in, accessing non-public information about the design of Boeing’s C-17 military cargo plane. The affidavit offers only a sliver of insight into the group’s actions, referring to and quoting directly from emails between Su and his co-conspirators. The specific evidence used to convict Su hasn’t been made public, but if it tracks the affidavit, Su is every enterprise’s perfect storm. His business dealt in aviation and aerospace technology, and that domain knowledge let him tell his co-conspirators which companies, technologies, and people were worth targeting. Su was reported to be “in contact with military and commercial entities involved in aerospace technology in the PRC” (People’s Republic of China). Su appeared to know which individuals were the best targets for social engineering. Su also ostensibly had enough knowledge of Boeing’s systems to act as a middleman, pointing his co-conspirators toward the directories, folders, files, and data they sought. Even if Su was never directly connected to Boeing’s network through a partner or supplier relationship, he had gathered enough information to guide his co-conspirators to the right places at the right times and help them slip data out from under Boeing’s nose. Su himself apparently did not steal any data, and because of that he was confident enough in his role to conduct his reconnaissance using self-identifying email accounts and his own computers and legitimate IP addresses.
For those in the security field, and for companies falling victim to attacks, it is satisfying to see criminals punished for stealing proprietary IP. Internet-connected everything makes data easier to reach, but it also leaves a forensic trail that makes a case easier to build when one arises. This case, though, also highlights what security practitioners are up against. According to the affidavit, an August 13, 2012 email between Su’s co-conspirators contained a report titled “C-17 Project Reconnaissance Summary,” which detailed the objectives, timelines, targets, methods, and achievements of the group against Boeing and other U.S. defense contractors. The team made a concerted effort “to avoid diplomatic and legal complications” by conducting “surveillance work and intelligence collection outside of China,” and evaded detection by U.S. law enforcement by routing exfiltrated data “through at least three countries,” at least one of which “did not have friendly relations with the U.S.”
Let me know the way
The affidavit later describes how the criminals sought outside investment for their efforts, reinforcing the point that such groups are well funded, organized, and run like legitimate businesses. Seeing these facts in print can cause frustration or a sense of defeat, but it is also encouraging to see more cyberattack cases going to court and ending in fines and/or jail time for the perpetrators. Stolen data is still gone once it’s gone, but the penalties for committing the crime in the first place are getting steeper, which makes it less attractive, at least for the casual criminal. Better funded, well organized (and state-sponsored) actors will persist, but if security practitioners can drive up the cost of cybercrime significantly, we may start to see a slight shift in the balance of power.