The winds come from the northwest on the high plateau of the Gobi Desert at speeds up to 90 miles per hour, day in and day out. For millennia, the vast tracts of the desert remained featureless, till now.
In recent years, the desert has been sprouting strange structures—massive windmills, more at home in a Dutch polder, biting into the winds to power China’s vast industrial expansion. Sinovel, the largest turbine manufacturer in China, makes many of them.
In June of 2011, three men trekked across the Gobi and squeezed into a tiny maintenance bay 230 feet off the ground in a malfunctioning Sinovel turbine. Two of them were engineers for AMSC, American Superconductor Corporation, the company that made the control software for the turbine. Unable to find the root of the problem, the technicians made a copy of the faulty program and sent it off to company headquarters for analysis.
Three months earlier, Sinovel had cancelled its new orders with AMSC without explanation. More than two-thirds of AMSC’s revenues went with them, and the company’s value plummeted… As technicians looked over the code from the Gobi Desert, they slowly came to realize why: Sinovel’s turbines were now running a stolen, unencrypted version of the AMSC software. The software had never been released—it could only have come from inside AMSC’s own servers.
The story seeped out in court actions in the years that followed: stories about the high-ranking AMSC employee who had been paid more than $1 million for his part in helping Sinovel steal the AMSC software source code and hack it to work without paying for it.
The company had been a victim of corporate espionage.
The Inside Man Remains the Greatest Threat in Corporate Espionage
AMSC is far from alone. According to Information Week, Verizon’s 2014 Data Breaches Investigation found that the number of cyberespionage breaches had tripled since the previous year. With more and more trade secrets and intellectual property kept in electronic form, corporate spies are going after it directly and quietly via the Internet.
In recent years, hackers have taken:
- Plans for seamless steel pipes, used in oil drilling
- Detailed plans for nuclear reactors under construction
- Marketing strategy and technical information from solar panel manufacturers
- Semiconductor designs and operating software
Corporations around the world are struggling to beef up their internal systems security to keep their business from evaporating the way AMSC’s did. And they are building teams of master’s-educated cybersecurity analysts, auditors, engineers and administrators to do it.
In many cases, corporate espionage remains a crime of opportunity, undertaken by disgruntled insiders who happen to have natural access to information of value, and a motive to take it to the competition.
Corporate Spies and Their Wonderful Toys
But even in these old-fashioned cases of working relationships gone sour, technology has dramatically altered the techniques and capabilities of dishonest employees, making their thefts that much harder to stop.
Where once upon a time stealing the plans for 4,000 different designs from the Ford Motor Company would have involved carrying a ton of paper around, today they can all be comfortably copied onto an external hard drive and carried out the door without a glance.
The same miniaturized technology is also being used in reverse to create inadvertent inside jobs. In Holland, corporate spies scattered infected thumb drives in the employee parking lot of chemical firm DSM in hopes an employee would pick one up and plug it into a workstation, inadvertently compromising their own system. Instead, fortunately, employees turned the sticks over to DSM information security staff, who discovered the ruse: a success story for both employee education and cybersecurity investigation.
How the Internet Creates New Opportunities for Corporate Spying
Although cybersecurity experts still regard insider threats as the most significant, the advent of the Internet has opened up avenues of corporate espionage that were previously inaccessible. Almost every important piece of information in a modern company is stored on a computer somewhere. Instead of bribing an employee to retrieve it, hackers can now simply go to it directly, taking advantage of the many holes in the typical business network to get in.
It’s also easier for corporate spies to cover their tracks online than in person-to-person transactions. When attackers operate from overseas and through layers of servers and cutouts, it can be impossible for law enforcement or cybersecurity teams to track down where attacks originate.
Cyberspies are also more aggressive than previous agents of corporate espionage. 60 Minutes found evidence that, instead of lying low after AMSC leveled its accusations against Sinovel, Sinovel’s hackers turned around and immediately engaged in a spearphishing attack against the AMSC board, installing spyware on their computers so that the Chinese company could monitor the internal AMSC case strategy before it went to court over the first hacking incident.
Spearphishing was also the technique of choice in a series of attacks in 2009 that compromised intellectual property information at five different multinational oil companies. The operation, which became known as Night Dragon, didn’t restrict itself to only one method, however. Hackers also gained access using:
- Unpatched Windows exploits
- Insecure remote administration tools
- Social engineering
- Directory compromises
Escalating the Fight Against Corporate Espionage
The battle between spies and cybersecurity staff is a series of constant escalations. Traditional defenses have proven inadequate in many cases. In the AMSC case, for example, the heavy encryption layers designed to thwart unauthorized software copies were circumvented by going directly to the source code.
Layered physical and electronic security schemes are devised to protect information that absolutely must be available online; sophisticated authentication management tools like two-factor tokens and biometric readers restrict access to authorized individuals.
Some cybersecurity experts are recommending the unprecedented step of storing important intellectual property on off-line machines to prevent cybertheft. But at AMSC, the source code was kept on a server that was disconnected from the Internet. The user who turned it over to Sinovel was trusted and had legitimate access to it.
All this points to a thorny future for cybersecurity professionals charged with preventing corporate espionage. Earning a master’s degree in cybersecurity may be the best way to gain the skills and experience to secure valuable intellectual property in America’s corporations.