13 September 2017

A Botched Black Bag Job Reveals the Long Arm of Chinese Intelligence

By Scott Stewart

Medrobotics CEO Samuel Straface was leaving the office at about 7:30 p.m. on Aug. 28 when he noticed a man sitting in a conference room in the company's secure area, working on what appeared to be three laptop computers (one was later determined to be an iPad). Not recognizing the man as an employee or contractor, Straface, who did not identify himself, asked him what he was doing. The man replied that he had come for a meeting with the company's European sales director. The CEO said the sales director had been out of the country for three weeks. The man then stammered that he was supposed to be meeting with the company's head of intellectual property. Straface countered that he knew the department head didn't have a meeting scheduled for that time. Finally, the man claimed that he was there to meet CEO Samuel Straface. At that point, Straface confronted him.

The man said his name was Dong Liu and that he was a lawyer doing patent work for a Chinese law firm. He showed Straface a LinkedIn profile that listed him as a senior partner and patent attorney at the law firm of Boss & Young. Straface called the police, who arrested Liu for trespassing and referred the case to the FBI. On Aug. 30, the bureau filed a criminal complaint in the U.S. District Court for Massachusetts charging Liu with one count of attempted theft of trade secrets and one count of attempted access to a computer without authorization. After his initial court appearance on Aug. 31, Liu was ordered held pending trial.

Though the investigation is still ongoing, there are several lessons we can glean from it.

The Industrial Espionage Triangle
When Stratfor's Threat Lens team assesses the risk of industrial espionage to a specific company from a particular actor, we look at three main factors: Does the actor have interest in the particular technology? Does the actor have the intent to steal it? Does the actor have the capability to steal it? If the answer to all of these questions is yes, then a company is at critical risk for industrial espionage.

In the case of Medrobotics and China, which possesses a capable and aggressive intelligence service, the answer appears to be affirmative to the first two questions. According to the FBI affidavit, Straface told agents that companies from China had been attempting to develop a relationship with the medical technology company for about 10 years. He said he had met with Chinese individuals on about six occasions to determine what they were interested in, but he said he had no interest in pursuing business with the Chinese. He also noted that he had always met these individuals in Boston and had never invited them to his company's headquarters in Raynham, Massachusetts. This decision shows that Straface was aware of Chinese interest in his company's intellectual property and of the intent to purloin it. It also shows that he consciously attempted to limit the risk by keeping the individuals away from his facilities.

It is interesting that Liu was dispatched from Canada to conduct a black bag job. Having someone from out of the country attempt to breach Medrobotics may have been done to avoid FBI detection, because the FBI may have been conducting surveillance on Chinese intelligence officers and their agents normally operating in the area. Driving over the border from Canada rather than flying into the country may also have been a way to avoid alerting the FBI to Liu's presence. Liu was caught while presumably attempting to hack into the company's Wi-Fi network. The password to the firm's guest network was posted on the wall in the conference room, and it is unclear how well it was isolated from the company's secure network — and whether malware planted on the guest network could have affected the rest of the company's information technology infrastructure.

Still, Liu spent 2.5 hours inside the company's headquarters and had two video cameras. These facts probably indicate that he intended to do more than attempt to breach the company's computer systems. Indeed, one doesn't necessarily have to be inside an office building to hack into a company's wireless network. Rather, it appears that Liu was waiting for the staff to leave so he could roam through offices, labs and cubicles and record anything he could find of potential value.

In addition to carefully examining Medrobotics computer networks to determine whether Liu was able to gain access or plant malware, the company will likely conduct a technical security countermeasures sweep to ensure that Liu did not plant any bugs.

The Threat Is Not Over
Liu's black bag operation not only demonstrates the interest and intent of his employers, but also reflects that they were likely unsuccessful in their remote hacking or phishing attacks. You simply don't make the effort to send a person to do a black bag job in Massachusetts if you can get what you need remotely from China.

Unfortunately for Medrobotics, just because Liu was caught red-handed doesn't mean that the company is now free from the threat of industrial espionage. Liu's masters are still interested in the company's technology, and they have clearly shown their hand by attempting to steal it. The Chinese have a wide variety of espionage weapons at their disposal, and Medrobotics will likely be targeted by other human intelligence and technical operations. The Chinese, with their formidable espionage capability, have the company squarely in their crosshairs.

The surgical products company will have to be very careful. In addition to protecting itself from hacking and phishing attacks, it will also have to carefully scrutinize all new hires and contractors and brief their employees on traditional espionage approaches and security.

Lessons Learned
This case holds some important lessons for other companies. First, even if your company is not operating in China and your executives are not traveling there, that does not mean you are safe from the long arm of Chinese espionage if it is interested in your intellectual property and aims to steal it. Beijing's cyber espionage program clearly has global reach from its bases in China. Second, the Chinese government has a robust network of people working for its intelligence services, academic institutions and think tanks who can try to infiltrate companies by posing as students, researchers, potential clients, suppliers, cleaning contractors and security guards. This highlights the need for good access controls to corporate offices, as well as the need for employees to be aware of people attempting to "wagon train" in the door behind them — most likely how Liu got into the secure area.

Finally, the Chinese government has a sophisticated human intelligence program that is quite capable of recruiting company employees using cash, sex or other approaches. This capability is useful against not only government targets, but also commercial targets that have information or technology the Chinese government deems critical to the country's military and economic goals.

The stronger a company's cybersecurity program is, the more its employees become the weak link in the corporate security chain, and the more employees will likely be targeted. However, employees can also become a crucial part of corporate defenses. But for that to happen, security training must include more than warnings about hacking methods such as phishing and social engineering. Companies need to prepare employees for human intelligence threats and alert them to the possibility of black bag intrusions.

No comments: