Last month it was reported that British intelligence agency MI5 had, in a series of high-level meetings, painted a worrying picture for leading British corporations in which their IT workers may become targets for foreign powers seeking sensitive data.
The idea of an IT department infiltrated with double agents may sound a little fanciful, but the threat of a rival nation trying to influence them is far more realistic than many may think, according to Uri Rivner, vice-president for cyber strategy at Israeli security company BioCatch.
“Obviously there are cases like this,” says Rivner, who compares the situation to having “someone on the inside” of a bank before committing a robbery. Of the companies or organisations that will be targeted, he says that “whatever a nation is good at, that’s interesting to other nations”.
In the case of the UK, he says this may be the financial sector, while in Scandinavia two industries in particular, telecommunications and mining, “have been targeted”.
So where does that leave Ireland? "I would guess multinational companies working in Ireland would be a target," he says.
Rik Ferguson, Trend Micro's global vice-president for security research, says staff in call centres could be another target to be "turned". Whether identified by rogue nation states or corporate rivals, "staff with access to data in any location are potential targets for insider attacks or being recruited into any type of cyber-attacks," he says.
Peter Tran, RSA's worldwide senior director for advanced cyber defence, says that "defence and aerospace contractors" who have manufacturing and component facilities in Ireland could become targets for such threats as well. Ireland, he adds, is also "a hotbed for intellectual property development, so that's a target".
Eamon Noonan, technical director with Dublin-based cyber security company Digicore, is in no doubt that the MI5 warning should ring true for Irish businesses, adding that it's "a little sad" companies here don't seem to take such threats seriously.
“It would be naive to think it doesn’t happen. It happens quite a lot. The difficulty is that it’s a hard thing to prove,” he says.
“I know of several cases where issues have been raised in relation to this point . . . I’m not saying there’s been cover-ups but they may not make much out of it as it may ruffle certain feathers.”
Noonan added that while Ireland is unlikely to be involved at the higher echelons of corporate or nation-state cyber espionage “we are involved” from the “midstream upwards”.
Throughout the security industry, many think along the same lines as Noonan, believing it’s naive to think employees with access to valuable data have not been targeted by interested parties, though details related to such incidents are often sketchy at best.
USB key and money
Brian Honan, a member of the advisory group on internet security at Europol's Cybercrime Centre, says it is logical to imagine a situation where a member of a company's IT staff or a contractor could be "approached and passed a USB key" as well as some money to supply internal data on a targeted company.
Social media could offer a route for attackers to target potential “allies”, says Ferguson. One tweet by a person working for a particular company on “how their credit card is maxed out” can give malicious actors “an opportunity to approach them more openly and offer financial assistance in return for their material assistance”, says Ferguson.
Sitting down for lunch last week with a number of colleagues in the security industry, Seán O’Keefe, senior director of support and global escalation at the Irish offices of FireEye, was “amazed” that many of his peers felt Irish-based companies were “too small a fish in a big pond” to be attacked.
“There’s an implied logic around hacking,” he says, with many feeling that only big corporations or, indeed, larger nations could be the target of data-grabbing attacks.
“It depends what [those carrying out an attack] are looking to do,” he says, adding often “it’s easier to target the smaller fish” as then “information is gathered to go to the next level up” to an organisation’s larger partners or higher levels of government.
Barry Rhodes, chief executive of INEX, a not-for-profit organisation made up of internet service providers and content providers such as Amazon, BT, Microsoft, Yahoo and Google, isn't quite so sure that the multinationals here have been the target for such underhanded dealings. Rhodes says he has never heard of such a thing happening in any of the companies under the INEX banner.
However, for his part, RSA’s Tran said he could “absolutely” understand if staff in the Cork office of the company’s sister business – the cloud computing and big-data giant EMC – were targeted by those seeking sensitive data.
With the shadow of NSA whistleblower Edward Snowden still cast over the world of data privacy, Tran adds that Irish multinationals should be "concerned about" the "targeting of the contractors that are going to be working in these companies".
Contractors are, by and large, given “all kinds of permissions” and access to systems by the company employing them, he says. “From a threat perspective and [in terms of] the geopolitical nation-state type of threat, they become the weakest links because they come and go so quickly,” he says.
Malware
Like other security experts who spoke with The Irish Times, however, Tran emphasises that it's far more likely – and a lot easier from the cybercriminal or malicious nation state point of view – that contractors, IT staff and other employees will be targeted via some form of malware to make them unwitting double agents.
BioCatch’s Rivner agrees, adding that relatively simple “reconnaissance in LinkedIn or Facebook” can garner enough details to electronically target the right person within a company rather than going through the “difficulty” of trying to bribe or blackmail them into handing over data.
One security expert who preferred to remain unnamed revealed they “found a very interesting example” of this “from one of the multinationals in Ireland regarding a user who was infected with a Trojan” virus having been targeted by a cybercriminal gang.
The employee in question – an American senior engineer working in the company’s Irish base – had “everything” they viewed, typed and saved sent back to the “Trojan mothership” and into the waiting hands of a cybercriminal gang.
While a sample email from this attack seen by The Irish Times merely covered the visiting engineer's frustration with their "manual transmission Ford Focus" and local petrol prices, "far more valuable" information was leaked out before the situation was noticed.
“In this type of incident every project, every bit of product related data went back [to the cybercriminals],” added the expert, “then the next attack will be worse because they have more information”.