Paul Prudhomme at IntSights looks at IP theft and how organisations can defend against threat actors seeking corporate secrets
Every company has something that will put it in the sights of cyber criminals, with even the smallest and most unassuming businesses holding personal and financial information that can be exploited in targeted attacks or fraud. But while any company may fall victim to an opportunist criminal, those that hold valuable intellectual property are also at increased risk of targeted attacks aimed specifically at their trade secrets. With the world becoming ever more digital, firms in the tech sector are some of the most prominent targets for IP theft.
Why do threat actors target IP?
While most cyber attacks focus on data that can be quickly sold for a profit or used to facilitate further attacks, IP theft is a longer-term investment. IP can be sold on the dark web for a considerable profit if the right buyer is found, but most criminals focus on stealing assets with a broader appeal, such as credit card information. As such, IP is a less common target for typical cyber criminals.
However, stolen IP has a number of potential uses. Perhaps the most direct option is to use software source code and hardware schematics as the basis for new products, particularly in fields like consumer electronics. IP could be used to produce counterfeits or provide an R&D shortcut for new products, enabling firms to bring products to market faster and at lower cost. This may involve both consumer and industrial products. For example, the Chinese APT41 is known to have stolen source code for foreign video games, likely for criminal financial gain, while another Chinese group known as Chimera has targeted a Taiwanese semiconductor manufacturer to steal key production IP.
Source code can also be exploited to facilitate devastating supply chain attacks. As was demonstrated by the high-profile SolarWinds attack, threat actors can compromise software to insert hidden vulnerabilities and malicious code that will then be unknowingly passed on to the developer’s customers. This opens the door to a huge number of potential victims for further attacks.
How are IP attacks carried out?
As in other criminal attacks, the threat actors will need to gain initial access to the network and will likely use common methods such as social engineering or credential stuffing.
However, whereas an opportunistic criminal can take a smash-and-grab approach and steal whatever information they can reach, IP theft is often more targeted. Furthermore, most criminals will simply move on if a company is too tough to compromise – money is money no matter where you steal it from – whereas IP attacks often require more dedication.
As IP such as source code tends to be among the best-protected assets a company has, the threat actor will need to spend some time escalating their privileges and moving laterally once they breach the network.
The level of time and resources required means that IP theft is more typical of state-sponsored threat groups that can afford to take their time without a direct and immediate profit from the attack. That said, there are still IP attacks carried out by ordinary criminal groups.
Who is behind IP thefts?
The theft of IP is common among the various state-sponsored threat groups around the world, but the Chinese cyber espionage groups are in a class by themselves in this regard. Acquiring foreign IP is a critical part of China’s growth strategy, with stolen trade secrets helping to boost the performance of China’s industries, and therefore its overall economy. State-sponsored Iranian and North Korean groups also steal foreign IP, but in order to circumvent sanctions against their countries via import substitution, producing local copies of foreign products that they cannot obtain legitimately.
Taiwan is a particularly common target of Chinese IP attacks, as the region is often seen as an economic rival. As mentioned, we have seen a number of APT groups targeting Taiwan’s market-leading semiconductor industry with the aim of stealing IP to gain a competitive advantage. Attacks targeting the region will also often include disruptive tactics as a form of sabotage. In April 2021, the operators of the REvil ransomware claimed to have breached Taiwan-based Quanta Computer, a supplier for Apple. The attacks and disclosure were timed to create maximum disruption for the launch of the latest MacBook.
How can IP be protected?
IP data should be among the most well-secured of a company’s assets – particularly when it comes to source code, which can be exploited to hit customers in a supply chain attack as well as simply being stolen and copied. Firms in high-risk sectors such as defence, energy, pharmaceuticals and other areas with an emphasis on R&D must have robust defences in place. In addition, managed service providers (MSPs) with clients in these areas should be wary of being targeted as a way of reaching them.
As most attacks begin with compromised user accounts, implementing additional authentication and identity management will go a long way to stopping stolen credentials from being used. Zero Trust strategies that require risk-based authentication will pick up signs such as unknown devices and locations and demand more stringent authentication in response. Multifactor authentication will also make it extremely challenging for threat actors to compromise an account.
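One way to implement the risk-based step-up described above, as an added Python example that is not from the article or from IntSights: each login attempt is scored against what the identity provider already knows about the user (devices and countries seen before), a burst of recent failures is treated as a credential-stuffing signal, and access to a high-value system such as a source-code repository always earns at least a second factor. The weights, thresholds, user profiles and login events are all constructed for illustration.

```python
"""Risk-based step-up authentication: decide allow / mfa / deny for a login.

Added illustrative example. Weights, thresholds, profiles and events are
constructed for this demonstration and are not taken from any real product.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the identity provider already knows about a user."""
    username: str
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


@dataclass
class LoginEvent:
    """One authentication attempt as seen by the identity provider."""
    username: str
    device_id: str
    country: str
    failed_attempts_last_hour: int = 0
    # "normal" for everyday apps, "critical" for crown-jewel systems such as
    # a source-code repository or a CAD file server.
    resource_sensitivity: str = "normal"


# Risk weights (assumed values chosen for illustration).
WEIGHTS = {
    "unknown_device": 40,     # device never seen for this user
    "unknown_country": 30,    # location never seen for this user
    "possible_stuffing": 50,  # many recent failures: credential-stuffing pattern
    "critical_resource": 20,  # target holds high-value IP
}
STUFFING_FAILURES = 5   # failures in the last hour that look like stuffing
MFA_THRESHOLD = 20      # at or above: require a second factor (step-up)
DENY_THRESHOLD = 80     # at or above: block the attempt and alert


def score_login(profile: UserProfile, event: LoginEvent) -> tuple[int, list[str]]:
    """Return a risk score and the list of signals that contributed to it."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if event.country not in profile.known_countries:
        score += WEIGHTS["unknown_country"]
        reasons.append("unknown_country")
    if event.failed_attempts_last_hour >= STUFFING_FAILURES:
        score += WEIGHTS["possible_stuffing"]
        reasons.append("possible_stuffing")
    if event.resource_sensitivity == "critical":
        score += WEIGHTS["critical_resource"]
        reasons.append("critical_resource")
    return score, reasons


def classify(score: int) -> str:
    """Map a risk score onto the policy decision."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= MFA_THRESHOLD:
        return "mfa"
    return "allow"


def decide(profile: UserProfile, event: LoginEvent) -> str:
    """Convenience wrapper: score one event and return the decision."""
    return classify(score_login(profile, event)[0])


def evaluate_batch(profiles: dict, events: list) -> list:
    """Score a batch of events; an unknown user gets an empty profile, so nothing is trusted."""
    results = []
    for ev in events:
        profile = profiles.get(ev.username, UserProfile(ev.username))
        score, reasons = score_login(profile, ev)
        results.append((ev.username, classify(score), score, reasons))
    return results


# Constructed sample data.
PROFILES = {
    "alice": UserProfile("alice", {"laptop-a1"}, {"GB"}),
    "bob": UserProfile("bob", {"desktop-b7"}, {"DE"}),
}
EVENTS = [
    LoginEvent("alice", "laptop-a1", "GB"),                                 # routine login
    LoginEvent("alice", "laptop-a1", "GB", resource_sensitivity="critical"),  # source repo
    LoginEvent("bob", "phone-x9", "DE"),                                    # new device
    LoginEvent("bob", "phone-x9", "BR", failed_attempts_last_hour=12),      # stuffing-like
]

if __name__ == "__main__":
    for user, decision, score, reasons in evaluate_batch(PROFILES, EVENTS):
        print(f"{user:6} {decision:5} score={score:3} {','.join(reasons) or '-'}")
```

The point of the structure is that the decision is never a single yes/no on the password: a correct password from an unseen device still costs the attacker a second factor, and a correct password arriving after a burst of failures from an unseen country is refused outright and surfaces as an alert, which is exactly the pattern a stolen or stuffed credential produces.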
Strict access policies will also limit the ability of an intruder to reach critical data. All accounts should only have access to files required for their job roles, forcing attackers to carry out much more legwork to reach their target.
Network segmentation can be an effective way of preventing threat actors from accessing critical data as it makes it much more difficult for them to achieve lateral movement and increases the chances of intruders being detected before they can reach their goals. Protecting source code and other critical IP with strong encryption will also prevent attackers from using that encrypted data if they do breach the network.
For MSPs, the priority should be introducing more protection for the tools used to administer their customers’ networks. If a threat actor breaches an MSP and accesses these toolsets, they will be able to rapidly compromise multiple customer networks. Again, least privilege works well here, and users and endpoints should only have access to these tools when they strictly need it.
Threat actors targeting IP are likely to be more patient and well-resourced than the average opportunist and may be willing to invest several weeks or even months into the attack. Defending against this level of threat presents one of the greatest security challenges. However, by focusing on making it as difficult as possible for attackers to access the network infrastructure, as well as preventing them from successfully exfiltrating data, firms will present a hardened target that will see off most attacks.
Paul Prudhomme is Head of Threat Intelligence Advisory at IntSights