Generally, when conducting threat assessments, a tried and tested method is to assess the threat from four categories of threat actor:
The capabilities of each threat actor category are combined with an assessment of their likely intent to target an organisation’s assets. Naturally, both the intent and capabilities of the different categories vary considerably.
However, one category of threat actor has been somewhat neglected in the discussion surrounding threat assessments: the corporation. The idea tends to crop up when discussing nation state threat actors protecting national businesses through espionage and disruption using cyber means. Explicit mention of corporations as a credible threat actor in their own right is somewhat rarer.
This article treats the corporation itself as a threat to domestic and foreign competitors, using cyber means to embarrass, disrupt or steal from its targets. Some hire external hackers to do their dirty work, while others have used internal capabilities. Investigating corporations that use cyber tactics against their competitors has revealed several notable examples, and highlights the need to include this category of threat actor when conducting threat assessments for organisations and industry verticals.
In 2014, the Chinese owner of an aviation technology firm was charged with hacking US competitors and attempting to sell the information to the Chinese government. These firms included major defence contractors such as Boeing and Lockheed Martin. The company in question was called Lode-Tech, and had operations in Canada.
According to reports, the owner of the company, along with two accomplices, stole 65 gigabytes of data relating to military and civilian aircraft from its targets. The stolen information included data on the Boeing C-17 advanced strategic transport aircraft used by the US Air Force, and on Lockheed Martin’s F-22 and F-35.
This example blends corporate and nation state espionage. It is possible that the attackers used their position in the aviation tech industry to craft convincing social engineering emails to breach the network. It also shows that it is not only nation state sponsored hacking units, such as those of the People’s Liberation Army or Russia’s secret services, that conduct this sort of espionage attack.
It was reported in 2016 that a laundry firm in New Hampshire, US, breached the computer systems of a competitor in 2009 and 2010. Several employees from the firm pleaded guilty to breaching a database containing invoices belonging to the competitor. The hackers hoped to use these invoices to approach the customers of the competitor and coax them to their firm instead. The attackers were charged with 157 instances of unauthorised access, and stole roughly 1,100 invoices.
The attackers were likely using the invoice data to undercut the competitor’s offers and to inform their own sales pitches. This incident highlights that small and medium enterprises also face the risk of attack from their competitors.
In 2011, the co-founder of an online payment processing company had to flee Russia following the arrest of a man who admitted that he was hired to conduct a DDoS attack against a competing payment processing firm. Pavel Vrublevsky was the co-founder of ChronoPay, which was competing with other companies in the sector for a contract to service Aeroflot, Russia’s largest airline.
The arrested man had been hired by Vrublevsky to use his botnet to conduct a DDoS attack against a competitor, Assist, which was servicing Aeroflot prior to the contract renewal. Consequently, Assist temporarily could not process payments for Aeroflot. Ultimately, the contract was awarded to neither ChronoPay nor Assist; it went to Alfa-Bank, the largest private bank in Russia. Aeroflot cited the downtime in Assist’s services as part of the reason it decided against awarding Assist the contract.
Although the co-founder of ChronoPay had a reputation for questionable business strategies, this example nevertheless highlights the tactics that could be employed against competitors that rely on constant uptime to service their customers. If such an attack were timed to coincide with a competitive bidding process, it could be very damaging for a company.
The capability and intent of corporations engaging in malicious cyber activities differs as much as it does for organised criminal gangs or state sponsored attackers. They may be seeking to steal proprietary data to benefit their own product or service; they may be seeking to damage the reputation of a competitor to gain the upper hand; they may be seeking to blackmail employees to turn them into malicious insiders.
In terms of capability, they may be limited to using rudimentary DDoS tools to take down a competitor’s website for a short time, or they may have employees who can deploy malware, maintain persistence on a target network and slowly extract proprietary data.
It is therefore imperative that organisations take into consideration the threat from corporations in their assessments, as these threat actors may go to great lengths to establish a competitive edge over you, or even attempt to destroy your reputation.