The IP Theft Puzzle, Part III: Monitor Your CEO!

Hackers who make the headlines usually phish average corporate employees and steal customer PII in bulk. Think of them as the Kmart of the cyber world. They retail credit card numbers (on the black market of course) for a couple of bucks a pop.

Then there are cyber gangs (and governments) that specifically target top executives because they have direct access to their company’s intellectual property.

The DarkHotel crew is one of those elite gangs. They developed malware to attack executives staying at luxury hotels: their specially crafted APTs installed low-level keystroke loggers on victims’ laptops and then shipped the results to a network of command and control (C2) servers.

Why waste time with credit card numbers when you can grab critical insider information to make tens of millions in quick stock market transactions?

Nice work if you can get it!


This type of attack goes under the name of “whale phishing,” but in my mind it straddles insider-outsider categorizations.

Sure, it’s an outsider who has initiated the attack, but it’s highly dependent on the behavior and habits of a select group of insiders, who are likely not savvy in the ways of the Intertoobz.

The DarkHotel crew was able to compromise hotel WiFi networks—mostly in Japan, Korea, Taiwan, and China—and monitor guests as they logged in. The executives would be phished with a message to install an update for legitimate software—say Adobe Flash. The patch contained a very sophisticated and stealthy APT that installed itself at the kernel level in the executive’s laptop.

According to Kaspersky Labs, which discovered the attack, the gang went after “top executives from the U.S. and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors, and top R&D staff.”

These hackers were simply following social engineering best practices: understand the habits and preferences of victims with a special eye towards finding a leverage point.

Besides fancy hotels, executives also like to utilize car services. So a phish mail sent with subject line “Limousine invoice” would be sure to get the interest of vice presidents and other employees at the top of the corporate hierarchy.

And that’s exactly the approach this gang took in its attack. The attached invoice contained a PDF loaded with the malware. As with the plain old phish mail the rest of us receive, opening the file loads the payload.

Audit the CEO and Other C-Levels

Of course, IT security needs to be monitoring all employees to spot IP theft both by insiders and by hackers who have breached the perimeter using stolen or guessed credentials.

The key takeaway from whale phishing is that cyber gangs will go to great lengths to steal proprietary content, so IT should really bear down on monitoring the C-level suite.

Note to IT Security: With the C-level suite, you should be loading up on UBA-type rules and taking all those notifications seriously — not just assuming they’re likely false positives.

If an alert triggers that an executive has moved some key presentation into a less protected area in the file system, get on the phone to him or her ASAP!
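
One way to express the kind of UBA rule described above, as an added example that is not from the original post and is not how Varonis DatAlert is implemented. The watchlist, share paths, exposure scores and event fields are all assumptions constructed for illustration.

```python
# Added example: a UBA-style rule over file-audit events (all data constructed).
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: accounts the monitoring team has tagged as C-level.
EXEC_WATCHLIST = {"ceo.jsmith", "cfo.mlee"}

# Assumption: folder -> exposure score derived from its ACL
# (0 = named individuals only, 1 = department group, 2 = everyone).
FOLDER_EXPOSURE = {
    r"S:\Exec\Board": 0,
    r"S:\Finance": 1,
    r"S:\Public": 2,
}

@dataclass
class FileEvent:
    user: str
    action: str          # "move", "copy", "read", ...
    src: str
    dst: str = ""

def exposure(path: str) -> int:
    """Score of the deepest known folder containing path; unknown paths count as open."""
    p = PureWindowsPath(path)    # Windows semantics: comparisons ignore case
    best = None
    for folder, level in FOLDER_EXPOSURE.items():
        f = PureWindowsPath(folder)
        if (p == f or f in p.parents) and (best is None or len(f.parts) > best[0]):
            best = (len(f.parts), level)
    return best[1] if best else 2

def evaluate(ev: FileEvent):
    """Return an alert when a file lands somewhere more exposed than it came from."""
    if ev.action not in ("move", "copy") or not ev.dst:
        return None
    src_lvl, dst_lvl = exposure(ev.src), exposure(ev.dst)
    if dst_lvl <= src_lvl:
        return None              # same or tighter protection: nothing to report
    is_exec = ev.user.lower() in EXEC_WATCHLIST
    return {
        "user": ev.user,
        "file": PureWindowsPath(ev.dst).name,
        "from_level": src_lvl,
        "to_level": dst_lvl,
        # Executive accounts are never triaged as probable false positives.
        "severity": "critical" if is_exec else "medium",
    }
```

A "critical" result is the case where someone picks up the phone; the same move by an account outside the watchlist still alerts, but at a lower severity.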

How far should the level of monitoring extend?

I would stop short of a dedicated team of IT bodyguards charged with specifically protecting the company’s heavyweights. On the other hand, it makes great sense to ask one or two members of the security monitoring team to take a special interest in the C-level.

If you don’t take the time and money to understand these executives, there are hackers who will do this work for you … but at a far greater cost.

Wow, my CEO just put the company’s 3rd quarter earnings report in a public folder! What else is your CEO doing? Find out with Varonis DatAlert.

Image credit: Government of Thailand
