In May of 2015, two employees were accused of stealing trade secrets from two U.S. tech companies, Avago and Skyworks. The attackers collaborated for years on how to obtain the data needed to stand up their own company in China to compete in a billion-dollar-a-year business.
Avago is a leading designer of analog, digital, mixed-signal and optoelectronic components and subsystems in the semiconductor space. Its products are used in many cell phones globally.
Skyworks Solutions was an innovator in high-performance analog semiconductors.
The insiders received their Master's and PhD degrees in 2006 from the University of Southern California, where they were classmates, before each going to work at their respective companies for the next 3 years.
Avago had spent some 50 million (USD) on R&D over a 20-year period, investing in up to 14 technology solutions. Skyworks had up to 9 technology solutions, some of which had been sold to Avago in previous years.
A recently filed indictment gave some further clarity on the attack.
The insiders applied a low and slow method of data exfiltration, slowly extracting data over the course of several years. This approach is frequently seen in espionage style cases. It relies on control avoidance through a methodical and planned approach, often testing and checking control points for alerts and triggers before attempting exfiltration.
A low and slow approach can make malicious actions difficult to find when they are spread out over months or years of otherwise normal behavior. It can also make finding evidence and indicators in retained logs like finding a needle in a haystack.
Let's take a look at the controls in place and measure the maturity of the insider program based on what could and could not be accomplished.
Security controls in place:
| Avago | Skyworks |
| --- | --- |
| NDA requirements | Physical restrictions (badge access) |
| Annual training in confidentiality | Login banners |
| Physical restrictions (badge access) | Username / Password requirements |
| Security cameras | Folder level permissions |
| Username / Password requirements | Restricted VPN access |
| Shared drive access restrictions | IP training / NDA requirements |
| Login banners | Exit interviews |
| Confidential labels | |
| Project code names | |
| Restrictions on data presented externally | |
The Good:
- Education and awareness training was in place annually
- Standard deterrent procedures such as login banners and NDAs had been put in place to gain legal standing and to deter users from considering a malicious act
- Physical security controls seem adequate for organizations of this size
- Access control at the file and folder level seems to have been considered with a “least restrictive” security mindset and separation of duty for approvals
The Bad:
- Lack of tools or poor application of tools. DLP is a foundational insider threat prevention and detection mechanism that, when in place and configured correctly, could potentially have identified hostile or malicious email communications with external entities
- No sign of correlation of data into a centralized means for analysis; each control point was monitored individually but not collectively analyzed
- Lack of audit reviews for file and folder access patterns
- No peer review of access rights and behavioral baselines
Exfiltration Method
The exfiltration method was simple: emails sent to external parties with confidential attachments. Very little was done to encrypt or disguise the email content, with communications even openly discussing avoiding corporate email because it could be tracked. The only exception was that some of the emails were written in Chinese, making identification of the content and data difficult.
Attack Profile
Planning
After just a year of employment, the graduates began pitching the manufacturing of devices to Chinese universities, including a 25% saving in total cost compared with its U.S. competitors.
They then discussed that IP may be difficult to obtain initially, but that a draft of the designs would be enough to begin the copying process.
Enough data was needed to attract venture capitalists to further invest in the Chinese facility.
One of the insiders presented the idea at a symposium in China to several academics.
Execution
Emails were frequently sent to Chinese co-conspirators with attachments ranging from design diagrams to spreadsheets and Word documents.
Several in-person visits were conducted at both U.S. and China locations to allow for continued planning of the new facilities and for information exchange.
Avago vendors were then contacted to help in the setup of the facilities.
The attackers displayed boldness in their actions by attempting to patent parts of the stolen data in both the United States and China under an assumed company name they created in the Cayman Islands.
What was stolen?
Trade secrets included the following:
- Recipes and product designs
- Tool and equipment specifications
- Facility setup
- Project plans
- Testing reports
- Performance data
- Security mechanisms (keycards, badges and username / password policies)
Impact of Behavior Analytics
The data exfiltrated included a range of different types, from pricing to designs and vendor information, not all of which would be typical for an engineer to be accessing in their role.
- Securonix analysis could have determined that the patterns exhibited by the engineers were abnormal from files and folders that peers had accessed.
- Data movement including volumes, frequency and patterns of intended recipients could have been identified and factored into risk scoring.
- Any differences in outbound network traffic from the attackers' normal activities could have shown when large volumes of data may have been sent externally.
- Privileged account misuse that could have aided in audit avoidance could have been identified.
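To make the low and slow problem and the peer-baseline idea concrete, the following is an added example (not Securonix's or the original post's code) that scores constructed email-gateway records: a per-message size rule fires on a legitimate partner exchange and never on the steady 300 KB transfers, while a windowed comparison of volume, frequency and recipient domains against a peer group does. All records, domains, sender names and weights are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

INTERNAL_DOMAINS = {"corp.example"}

# Constructed gateway records: (day, sender, peer_group, recipient_domain, attachment_bytes).
# eng_a mails one small design file every six days to a domain no peer uses;
# eng_b and eng_c exchange larger files monthly with an established partner;
# eng_d only mails internally.
RECORDS = (
    [(d, "eng_a", "rf-design", "newco.example", 300_000) for d in range(1, 181, 6)]
    + [(d, "eng_b", "rf-design", "foundry-partner.example", 2_000_000) for d in range(1, 181, 30)]
    + [(d, "eng_c", "rf-design", "foundry-partner.example", 150_000) for d in range(1, 181, 30)]
    + [(d, "eng_d", "rf-design", "corp.example", 500_000) for d in range(1, 181, 2)]
)


def per_message_alerts(records, max_bytes):
    """Crude DLP-style rule: one alert per external message above a size limit."""
    return [(day, sender, domain) for day, sender, _, domain, size in records
            if domain not in INTERNAL_DOMAINS and size > max_bytes]


def external_features(records, window_days):
    """Per sender: external bytes, external message count and recipient domains
    within the window, plus the peer group the sender belongs to."""
    feats = {}
    for day, sender, group, domain, size in records:
        f = feats.setdefault(sender, {"group": group, "bytes": 0, "msgs": 0, "domains": set()})
        if day <= window_days and domain not in INTERNAL_DOMAINS:
            f["bytes"] += size
            f["msgs"] += 1
            f["domains"].add(domain)
    return feats


def risk_scores(records, window_days, unique_domain_weight=3.0):
    """Score each sender against the median of their peer group over the window:
    volume ratio + frequency ratio + a bonus per external domain no peer uses.
    Weights are illustrative; a real program tunes them against its own baselines."""
    feats = external_features(records, window_days)
    peers = defaultdict(list)
    for sender, f in feats.items():
        peers[f["group"]].append(sender)
    scores = {}
    for sender, f in feats.items():
        group = [feats[p] for p in peers[f["group"]]]
        med_bytes = max(median(g["bytes"] for g in group), 1)
        med_msgs = max(median(g["msgs"] for g in group), 1)
        peer_domains = set().union(*(g["domains"] for g in group if g is not f))
        unique = f["domains"] - peer_domains
        scores[sender] = f["bytes"] / med_bytes + f["msgs"] / med_msgs + unique_domain_weight * len(unique)
    return scores
```

Over a 180-day window eng_a ranks highest on frequency and on the recipient domain no peer uses, even though eng_b moved more bytes externally and is the only sender the 1 MB per-message rule ever flags.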
This case is very typical of an insider threat program that hasn’t reached the maturity needed to consolidate various tools into a centralized repository. When DLP, proxy and USB prevention operate in silos, often administered by different groups, detecting insider activity becomes very difficult.