Eyes spy

Corporate espionage has become more sophisticated than ever, thanks to technology, new hacker techniques and plain old-fashioned sleuthing.

On May 3, 2012, a man named Su Bin, a Chinese national living in BC, sent an email to a military officer in the People’s Liberation Army that contained a translated version of a flight-test plan for Lockheed Martin’s new top-secret F-35 fighter jet. The note outlined how the testing would be conducted, the instrumentation required and all sorts of other financial, logistical and technical analysis compiled by the defence contractor’s engineers.

According to US court documents, Su, who went by the aliases Stephen Su and Stephen Subin and owned an aviation technology company, had been helping Chinese hackers access classified military information and trade secrets since 2008 — information he later admitted was obtained through sustained incursions into the California computer networks of Lockheed Martin and Boeing.

Those attacks, however, had not gone unnoticed. Aerospace companies have extensive security systems, and Lockheed Martin in particular has developed a now widely used defensive strategy to counter hackers (the “intrusion kill chain” model described in “Ousting a Cyberspy” below). On July 1, 2014, a BC detachment of the RCMP, working with Los Angeles-based agents with the FBI and the US air force, raided Su’s Lower Mainland home, seizing hundreds of highly incriminating documents, including diagrams and the translated test manual for the F-35.

The 51-year-old waived extradition and was sent to the US to face charges on numerous counts, including unauthorized computer access and conspiracy to steal trade secrets and to export military defence information. After Su pleaded guilty in March 2016, a US federal court judge sentenced him that July to 46 months in prison.

THE NEW JOHN LE CARRÉ SPIES

Increasingly, players such as Su and notorious figures such as Edward Snowden and WikiLeaks founder Julian Assange — who have made public details about US government surveillance activities and a wide range of hacked or stolen government and corporate documents, respectively — are upstaging John le Carré’s Cold War-era spies and double-agents as the principal actors in geopolitical data dramas. But for every relatively high-visibility case involving a rogue agent or defence contractor that’s had prized trade secrets lifted, there are many other instances of corporate espionage and theft of competitive information — everything from customer lists to engineering diagrams, drug testing results and proprietary production processes — that never surface publicly. These crimes, of course, cause havoc in the target firms, particularly when they are carried out by the agents of foreign governments or organized crime syndicates. Some firms find out only when they discover they’re competing against rivals selling virtual replicas of their own products.

The problem is vast in scope: according to estimates from the US government and private security firms, corporate or economic espionage costs the US economy anywhere from US$250 billion to US$400 billion annually. In 2014, the chair of the US House Intelligence Committee went even further, describing the theft of information and intellectual property as “the largest transfer of wealth in the world’s history,” with a cumulative US$2 trillion hit to the US economy.

And Canada’s exposure? Hard to say, as Ottawa hasn’t published any recent data on this kind of crime. The federal government’s security policies also appear to be inconsistently applied: in 2013 Ottawa blocked a $520-million takeover bid of MTS Allstream, Manitoba’s telecom company, by an Egyptian firm with indirect business ties to North Korea, but has nonetheless allowed Chinese telecom giant Huawei, identified as a national security threat in the US, to establish supplier relationships with Bell and SaskTel.

Security expert Michel Juneau-Katsuya, a former chief of Asia-Pacific for the Canadian Security Intelligence Service and now the head of Northgate Group, says in 1995 CSIS calculated the value of such theft to be $10 billion to $12 billion — a figure that was about a third of the then cost of corporate espionage south of the border (US$25 billion, or $34 billion using exchange rates at the time).

He reckons the hit to Canada’s economy now could be as high as $120 billion a year, and describes corporate espionage as “one of the top strategic issues” facing Canada. “That’s a lot of money we’re losing because of a lack of awareness and preparation to defend ourselves.” Others agree: “Corporate espionage is on the rise,” says forensic and cyber intelligence expert Daniel Tobok, CEO of Toronto-based Cytelligence. “Globally, it’s tripled over the past five years.”

Nor is it just giant corporations that are exposed. Indeed, small and medium-sized businesses are especially vulnerable, experts say. “In the last five years,” notes a recent global security study by Symantec, “we have observed a steady increase in attacks targeting businesses with fewer than 250 employees, with 43% of all attacks targeted at small businesses in 2015.” These firms don’t devote adequate resources to protecting their own intellectual property from theft and may be seen by hackers or foreign governments as ways to access the large corporate players with which they do business. SMEs, says lawyer Dominic Jaar, who leads KPMG Canada’s national forensic technology team, “become one of the weakest links in the network.”

FROM TEA HEISTS TO HAIR CARE CONSPIRACIES

The long narrative of competitive capitalism is punctuated by countless tales of brazen corporate espionage, as well as more accepted practices, such as “competitive intelligence” operations run by firms that meticulously reverse-engineer rivals’ products with an eye to selling variations under their own brands.

In the mid-1800s, a Scot named Robert Fortune was dispatched to China by the East India Co., where he donned a disguise and set to work stealing the techniques for growing and manufacturing tea, explains Sarah Rose in For All the Tea in China: How England Stole the World’s Favorite Drink and Changed History.

Almost 170 years later, two people were convicted in 2014 of stealing the chemical formula for a whitening agent invented by DuPont and used, among other things, in the filling of Oreo cookies. Unlike the East India Co.’s tea heist, this was an inside job, as one of the co-conspirators had worked as an engineer for DuPont for 35 years. The formula found its way to a shell company that had signed contracts with Chinese state-owned entities, generating almost US$30 million in illegal profits. The firm’s principal, Walter Lian-Heen Liew, was convicted of conspiracy to commit economic espionage and sentenced to 15 years in prison.

Other cases involve entrenched players locked in a bitter fight for market dominance. In the early 2000s, a top Procter & Gamble director discovered that outside contractors hired by the consumer product giant had set up a special operations team in a Cincinnati safe house. The team’s mission: to surreptitiously collect information, including unshredded documents left in Unilever dumpsters, about the firm’s hair-care products. As a Dartmouth business school case study of the ensuing lawsuit noted, “P&G had their competitive intelligence operatives misrepresent themselves to Unilever employees, claiming that they were market analysts, journalists, and students — although P&G denied this accusation.”

In Canada, the most notorious example involved a sustained cyber espionage attack on Nortel that extended over a period of at least 10 years, and only surfaced publicly when the lead internal investigator revealed that the company had been hacked. Brian Shields, the whistleblower, recalls that senior Nortel management either ignored or downplayed the incursions, which began in 2000 and saw hackers infiltrating the company’s networks through seemingly secure accounts belonging to C-suite executives, directors and other employees and later staff in Nortel’s Chinese division. Shields went public, he says, after he learned that Nortel hadn’t revealed the security breach to a company planning to buy some of Nortel’s assets after the telecom firm entered bankruptcy proceedings. “This should have been a board of directors’ item,” says Shields, who is now a cybercrime analyst with the US Postal Inspection Service. “We never got them out of the network.” (Juneau-Katsuya says CSIS viewed Nortel’s refusal to act as evidence of a high-level mole, but concedes that the agency could never prove the allegation.)

YOU NEVER KNOW

Those who work in network security know that almost all firms today have multiple vulnerabilities: open Internet access for company computers, employees who use their own mobile devices for off-site work, and sloppy workplace cybersecurity practices, such as employees ignoring warnings about reusing unsecured flash drives or failing to update software, and clicking on links or opening attachments in so-called “spear-phishing” emails from hackers posing as colleagues, friends or business contacts. “You never know what that email is capable of doing,” says Freddie Martinez, a former employee of NATO’s technology group who is now manager of infrastructure technology for Alberta-based tire retailer Fountain Tire and a member of the CIO Association of Canada.

Hackers and cyber spies use such incursions to quietly gain knowledge about, and then access to, the network architecture with an eye to stealing customer lists, files containing key intellectual property and other strategic information. The malware delivered this way may be a “keystroke logger” that captures passwords as they are typed; with those credentials, cyber spies set up “backdoors” and use legitimate corporate accounts to download critical files. “Some of the victims aren’t even aware they’ve been hacked,” observes Kevin Lo, a managing director at Froese Forensics, based in Toronto.
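The spear-phishing messages described above succeed because the sender looks familiar at a glance. The following is an added example, not code from the article or from any firm it quotes, showing the header checks a trained reader makes by eye: a known colleague’s display name attached to an outside address, a Reply-To that diverts answers elsewhere, and a sender domain that merely resembles a trusted one. The trusted domains, the staff directory and the sample headers are all constructed for the example, and the confusable-character table is deliberately small.

```python
"""Spear-phishing header triage (added example; constructed data)."""
from email.utils import parseaddr

# Hypothetical company directory (assumption for this example; not from the article).
TRUSTED_DOMAINS = {"fountaintire.example"}
KNOWN_PEOPLE = {"freddie martinez": "fmartinez@fountaintire.example"}

# Substitutions typical of lookalike domains: digits for letters and a few
# Cyrillic homoglyphs. A production check would use the full Unicode
# confusables table rather than this short list.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0456": "i",
})


def normalize_domain(domain):
    """Collapse characters an attacker swaps in to fool the eye."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """Return the trusted domain this one imitates; None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize_domain(trusted):
            return trusted
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(from_header, reply_to_header=None):
    """Return a list of findings for one message's From and optional Reply-To."""
    findings = []
    name, addr = parseaddr(from_header)
    from_domain = domain_of(addr)

    # 1. A display name we know, attached to an address we do not.
    known = KNOWN_PEOPLE.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' belongs to {known} but address is {addr}")

    # 2. A sender domain that only looks like ours.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted {imitated}")

    # 3. Replies silently routed to a different domain.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if domain_of(reply_addr) != from_domain:
            findings.append(f"replies diverted to {reply_addr}")
    return findings


# Constructed sample headers (From, Reply-To).
SAMPLES = {
    "genuine": ('"Freddie Martinez" <fmartinez@fountaintire.example>', None),
    "name_spoof": ('"Freddie Martinez" <freddie.martinez.tire@webmail.example>', None),
    "lookalike": ('"IT Helpdesk" <support@f0untaintire.example>',
                  "<collect@mail-drop.example>"),
    "homoglyph": ('"Payroll" <payroll@fountaint\u0456re.example>', None),
}

if __name__ == "__main__":
    for label, (frm, reply) in SAMPLES.items():
        print(label, "->", triage(frm, reply) or ["no findings"])
```

The same three checks can be scripted against a mail gateway’s logs, but they are also exactly what the phishing-recognition exercises in the closing checklist should teach people to do by eye: read the address, not the name; notice a Reply-To that differs from From; and treat a near-miss domain as hostile.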

It’s a highly strategic undertaking. Security experts point out that those involved in industrial espionage — whether they be freelancers, rival companies or foreign governments — will begin by collecting a large amount of corporate information across a range of sectors. One technique, known as the “watering hole,” involves infecting locally popular websites — a local TV station, for example — with malware that can spread to the computers of visitors and begin to transmit hard-to-detect digital signals (a.k.a. “beacons”) back to the hacker team. That technique provides entry points to a large number of firms within a given region. Another tactic is to steal the customer lists of professional services firms, private health insurers or other suppliers as a means of gaining access to larger corporate clients. The attack on the Panamanian law firm Mossack Fonseca, which reportedly yielded files on more than 200,000 shell companies set up for private clients taking advantage of that country’s tax havens, might not have been carried out with cyber espionage in mind, but the tactic is similar. The most determined and well-financed attacks on specific firms, often executed by foreign government operatives, may also come through other indirect channels. For example, hackers will identify a firm’s senior executives using LinkedIn or disclosure documents, and then use open-source social network sites to identify their children and other family members. The goal is to infect the relatives’ smartphones or computers with “weaponized” software files or applications that can be transmitted to the executive’s email; after all, who hasn’t used a company account to exchange messages with a family member? “Nation-states do that,” says Tobok. “They’ll break you and continue to break you until they have access to everything.” (Nor is such collection confined to foreign governments: the Canadian government’s electronic spy agency monitors metadata on millions of individuals under broadened security rules approved by ministerial directives from the minister of defence during both the Paul Martin and the Stephen Harper governments, and Ottawa has also allegedly spied on Brazil, where many large Canadian firms have significant interests.)

The stolen — or “exfiltrated,” in the parlance of the security industry — information may end up with competitors, foreign governments or organized crime groups. Organized crime groups are on the rise and are focusing on blackmail, says Robert Masse, Deloitte Canada’s national cybersecurity leader for resilience. The perpetrators send a so-called “proof of life” message to the target — a copy of one of the stolen documents — plus a demand for cash and a means of delivering the funds, often in the form of bitcoin.

The police, he says, tend not to be notified in such cases because companies don’t want to advertise their exposure and the perpetrators are highly unlikely to be operating in the jurisdiction where the crime is reported. Masse also points out that in such cases, the ransom payment ends up being a business decision. If a pharmaceutical company loses cancer research data worth $100 million and an organized crime group is asking for $50,000, he observes, “I think I’d pay the $50,000.” Increasingly, Masse adds, cyber thieves are targeting more valuable files. “They’re being more patient and looking for bigger payoffs,” he says.

The far more pernicious problem, however, occurs when competing companies or front organizations are after information that can be leveraged to undercut or eliminate a rival. What’s more, firms may only discover evidence of this sort of espionage indirectly. “They say, ‘Something’s going on here,’” observes Tobok. “‘We’ve lost our contacts, we lost people.’” Kevin Lo says he’s had clients who only encounter the results of the spying activity at an international trade show, where rival firms with knock-off products have set up booths and are writing deals. “Then it dawned on them that it did happen,” he says. “I’ve heard this story many times.”

SOCIAL ENGINEERING

Yet for all the technically dazzling stories about cyberattacks, some corporate espionage experts stress that people, not technology, remain the most vulnerable parts of a company’s defences. Indeed, old-fashioned incursions — dubbed “social engineering” — continue to account for key breaches, large and small.

With the proliferation of trade shows, professional networking associations and booze-fuelled meetups hosted by young tech entrepreneurs, security managers point out that corporate spies can extract important details by insinuating themselves into such settings and engaging key people. Inside a corporate office with seemingly secure perimeters, meanwhile, it’s hardly uncommon for employees and managers to leave documents around or computer windows open when they go home, thus creating potential breach risks that can be exploited if a corporate espionage ring infiltrates a company’s overnight cleaning contractor or otherwise gains after-hours access. Indeed, Jonathan Calof, a professor at the Telfer School of Management at the University of Ottawa and an expert in competitive intelligence, points out that he’s dealt with companies whose security officials discovered hidden digital microphones in key locations in their offices.

Carelessness extends in other directions as well. Employees conduct meetings, in person or by phone, in public settings, such as coffee shops, where their conversations can be overheard. As Martinez says, “People underestimate what physical security is.”

A client recently asked Juneau-Katsuya’s firm to do a security workup. After a cursory review, he discovered a report by a co-op student who had performed so well that she was promoted to a new product development team. At the end of her placement, the student had to write a summary, which her professor posted on the course website. It contained sensitive information about the company’s clients. No one, says Juneau-Katsuya, had bothered to check the document before it was made public.

Lo points out that he’s seen cases where on some large, interdepartmental corporate projects, senior managers might not even have a complete list of all the employees involved, a dynamic that opens the door for strategic or sensitive files to go astray. “The human being is still the weak link in all of this.”

FROM DEFENCE TO RESILIENCE

Not long ago, Telus and the Rotman School of Management at the University of Toronto conducted a survey of about 600 companies asking about the security vulnerabilities linked to both the company-issued and personal mobile devices their employees use for work-related tasks. The increasing use of mobile devices has forced companies to try to extend their security perimeters to include phones, tablets and personal laptops, often using the various mobile device management software packages now available. But as security experts point out, mobile and bring-your-own-device policies also rely on employees taking key steps, such as updating software regularly and not using open hot spots.

When the survey came back, recalls Juneau-Katsuya, it revealed that the largest number of security breaches could be traced to senior executives, particularly those who travelled frequently and routinely broke corporate security protocols by logging on through dodgy Wi-Fi networks. “They were the ones creating the vulnerabilities. The people who will eventually target you understand that.”

While everyone hates the relentless dance of the password, such findings underscore the difficulty that security officials, even those working in obviously vulnerable sectors, face in promoting an awareness of the risks of corporate espionage and data theft. Experts such as Masse say executives need to shift their focus from defence to resilience, which means developing responses to attacks and testing them (see “Ousting a Cyberspy” below). “Everyone has a plan until they’ve been punched in the face,” Masse says. “It’s important to do these simulations to ensure the company will do the right thing. When people panic, they make mistakes that can cost a lot.”

Others, such as Jaar, say that security systems can’t rely on individuals to ensure all the doors and windows are firmly locked. “I’ve lost confidence in individual employees to understand the scope and importance of rules that have to be respected over and over again,” says Jaar. “We need to build compliance by design.” He points to artificial intelligence/machine-learning systems that automatically classify documents according to their sensitivity. “AI is in action on a daily basis.”

SMEs, especially those that invest heavily in R&D, such as upstart tech or pharmaceutical firms that have developed potentially valuable algorithms or formulas, face all sorts of risks associated with corporate espionage, yet may lack the resources or experience to take adequate precautions. Jaar and others point out that such firms should seek the advice of cybersecurity experts and rely on reputable cloud-based data-storage services audited by third parties instead of storing trade secrets on their own servers.

In the end, the risks associated with a successful corporate espionage attack can be extreme, regardless of the company’s size and the depth of its pockets. Shields explains how determined hackers systematically gained access to Nortel’s main administrative accounts and, with it, every password. “If you’re a large company, I don’t think you can ever recover.” And he speaks from experience.

COMPETITIVE INTELLIGENCE

While corporate espionage is technically illegal — the US law dates back to 1996 and Canada’s as-yet-unused anti-corporate-spying provision seems to be based on the American statute — most companies need to keep abreast of key competitors, and some do it by hiring so-called “competitive intelligence” consultants. Jonathan Calof, a professor at the Telfer School of Management at the University of Ottawa and a fellow of the Strategic and Competitive Intelligence Professionals (SCIP) who has written extensively on this topic, says these researchers gather a wide range of publicly accessible information to provide clients with clues about the competitive environment, including their rivals’ activities.

The data gathering and evaluation includes all the obvious sources and many that are less so, such as help-wanted ads, which, he says, can reveal a lot about where a company is at in its product development life cycle (e.g., is the firm looking for technologists or salespeople?).

Competitive intelligence consultants can also gather plenty of useful information at trade shows or during the Q&A portion of industry seminars.

But the members of SCIP are sensitive about ethics, so Calof points out that the industry’s code of conduct requires members to go about their work “legally and ethically,” which means disclosing what they’re doing and who they’re working for; being truthful; and avoiding information that arrives in dubious ways, such as an internal memo inadvertently left by the coffee urns at a professional conference.

For chatty CEOs who like to go to such events and give talks about what their firms are doing, Calof offers up the 21st-century equivalent of the old wartime saw about how the walls have ears. As he says, “I’d be hard pressed to say that there’s anything wrong in using information that’s just out in the open.”

OUSTING A CYBERSPY

When Robert Masse, Deloitte Canada’s national cybersecurity leader for resilience, is dealing with frantic clients whose senior managers have just discovered they’ve been losing key documents to an unseen thief, many respond with what seems like an intuitively obvious move: unplugging the company’s computers from the internet and then rebooting their systems. “We have to convince them that’s the worst idea,” he says.

Sophisticated cyber thieves work patiently, infiltrating and exploring the target company’s computers slowly and inconspicuously so as not to arouse the suspicion of system administrators. Malware planted in the company’s network is typically programmed to send small, regular signals (beacons) back to the hacker’s command-and-control servers; when those signals stop abruptly because machines have been pulled offline, Masse says, the company has tipped its hand. Tactically, he adds, it’s better that the intruder doesn’t know that the company knows. “If we keep everything as is, we can watch them enter and exit the network and identify all the various ways they can get in.”
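Whether an implant arrived through a watering-hole site (as in the “You never know” section above) or a spear-phishing attachment, the beacons it sends home are what Masse’s “watch them enter and exit” approach depends on, and they are also what a defender can hunt for before pulling any plug. The following is an added example, not code from the article or from Deloitte, that scores outbound proxy-log entries by the regularity of their timing: a human browsing a site produces irregular gaps, while a check-in timer produces near-identical ones. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Beacon detection over outbound proxy logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Assumed format: "<ISO timestamp> <client-ip> <destination-host>".
# update.example-cdn.net is polled every ~300 s with only +/-1 s of jitter;
# news.example.com is ordinary browsing with irregular gaps.
SAMPLE_LOG = """\
2016-05-03T09:00:00 10.0.0.7 update.example-cdn.net
2016-05-03T09:00:12 10.0.0.7 news.example.com
2016-05-03T09:05:00 10.0.0.7 update.example-cdn.net
2016-05-03T09:07:41 10.0.0.7 news.example.com
2016-05-03T09:10:01 10.0.0.7 update.example-cdn.net
2016-05-03T09:14:55 10.0.0.7 news.example.com
2016-05-03T09:15:00 10.0.0.7 update.example-cdn.net
2016-05-03T09:20:00 10.0.0.7 update.example-cdn.net
2016-05-03T09:25:01 10.0.0.7 update.example-cdn.net
2016-05-03T09:30:00 10.0.0.7 update.example-cdn.net
2016-05-03T09:31:10 10.0.0.7 news.example.com
2016-05-03T09:35:00 10.0.0.7 update.example-cdn.net
"""


def parse_log(text):
    """Group request timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation, number of gaps), or None."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    avg = mean(gaps)
    # Coefficient of variation: jitter relative to the period. A timer-driven
    # check-in scores near 0; human activity scores well above 0.1.
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv, len(gaps)


def find_beacons(text, min_intervals=4, max_cv=0.1):
    """Flag (client, destination) pairs with enough samples and low timing jitter."""
    hits = []
    for (client, dest), times in parse_log(text).items():
        stats = interval_stats(times)
        if stats is None:
            continue
        avg, cv, n = stats
        if n >= min_intervals and cv <= max_cv:
            hits.append({"client": client, "dest": dest,
                         "period_s": round(avg, 1), "cv": round(cv, 3), "gaps": n})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['dest']}: every {hit['period_s']} s "
              f"(cv={hit['cv']}, {hit['gaps']} intervals)")
```

A flagged pair is a lead to watch, not a machine to unplug: note the destination, leave the host online and collect every other client talking to the same place, which is the “identify all the various ways they can get in” step Masse describes. Real implants add deliberate jitter, so in practice the window is hours or days rather than minutes, the CV threshold is tuned against the environment, and the score is combined with how rare the destination is across the fleet.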

Remediation consultants draw on military concepts such as Lockheed Martin’s “intrusion kill chain,” a model that breaks an attack into seven phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) and, borrowing the military targeting cycle of find, fix, track, target, engage and assess, pairs each phase with a defensive action: locating the malware, tracking and observing what it does, and then disrupting, deceiving or destroying it. Masse points out that when a firm becomes aware of a cyber spy’s presence in its computer system, his team will quietly begin building a parallel network, which the hacker is unaware of or can’t access, with the goal of switching over on a single day as a means of “kicking out the bad guys.” But, as Masse warns, “You can only do that once.” — JL

HOW TO DETECT/PREVENT CORPORATE ESPIONAGE

Hacking happens. As cybersecurity experts point out, if the US National Security Agency’s networks are vulnerable, there are no safe spaces. But apart from investing in firewalls, there are still some basic measures companies can take to detect corporate espionage.

1. Have key office locations swept for bugs from time to time.

2. Establish explicit parameters for employee and manager conduct at trade shows, meetups and other professional networking events. Specifically, firms should be clear with their delegates that company spies use such events to gather information, particularly through seemingly casual conversations.

3. Read employees the riot act about the use of unauthorized flash drives.

4. Question strange coincidences. If a competitor is winning tenders with quotes that consistently undercut your bid by the same amount, you might be dealing with a rival with insider knowledge.

5. Conduct exercises with employees and senior managers, asking them to spot the differences between genuine emails and phishing emails disguised to look like the real thing.

6. Have tests done by qualified firms, and train personnel on how to recognize signs of corporate espionage and how to properly classify and protect information. — JL