Corporate espionage – the internet’s new growth industry

Espionage as a Service (EaaS) is the latest threat to big business worldwide. While corporate espionage has been part of the business landscape for hundreds of years, EaaS is largely a product of the Internet.

Until now, unscrupulous companies have hired spies and, more recently, computer hackers to steal business rivals’ secrets such as product designs, sales strategies and planned takeover deals.

However, the scale of international corporate espionage is about to mushroom as cyber criminals start to discover that the right information can be more lucrative than stealing cash and that the data can easily be sold anonymously on the internet.

IP theft costs US $300 billion a year

Intellectual property theft in the US alone is estimated to cost companies a staggering $300 billion (£200 billion) a year.

Until now, much of this data theft has been attributed to 'state actors' working directly in the pay of foreign governments such as China, Iran and North Korea. But, while 'state actors' do form an important part of the picture (China has an army of thousands of cyber soldiers devoted to all kinds of Internet espionage), their role may soon be overshadowed by the private sector.

Groups selling EaaS range from low-level hackers gaining entry to corporate websites through plugins wherever they can to Organised Criminal Gangs (OCGs) targeting major banks and multinationals.

At the low end, websites such as hackerslist.com allow non-hackers to hire those with the necessary skills to carry out minor hacks. Although the site's terms of use clearly forbid using the forum for illegal activities, many hackers are being drawn into corporate espionage because of the financial rewards it can bring. At this level, a targeted hack costs anything from $1000 (£670) to $10,000 (£6,700) upwards; the sky is the limit.

Even the European giants are getting in on this racket, with one recently appointing Chinese 'Hackers for Hire' to find out the pricing of another European competitor in a particularly high-value, multi-million dollar tender.

But OCGs are now conducting far more complex and high-level hacks aimed at the big players in industries such as defence, financial services and IT; legal firms are also targeted as they advise the big players in areas such as M&A and patent law.

A report by aerospace giant Airbus, "Eye of the Tiger", details the exploits of a relatively small but innovative OCG targeting defence and telecommunications companies. Nicknamed "Pitty Tiger", the OCG has been identified by Airbus as "a for-hire hacker group - small, stealthy, with a limited budget and resources who favour a small number of high-value targets".

One of Pitty Tiger's targets is understood to have been a major European defence company and, according to Airbus's researchers, the OCG was active between 2011 and July 2014. Pitty Tiger's hacks appear to have been emanating from Taiwan and Hong Kong but there is no indication of any state involvement.

Boeing also targeted by EaaS hackers

Giant aircraft manufacturer Boeing has also been targeted by EaaS hackers. Last year, a Grand Jury indicted Su Bin, a Chinese businessman with residency in Canada, on five felony charges including conspiracy to steal trade secrets and to illegally export defence articles related to the Boeing C-17, F-22 and F-35 aircraft.

The Federal Bureau of Investigation (FBI) alleged that Su Bin directed hackers to illegally access Boeing's computers in California to obtain information about the aircraft company's military projects. Su Bin ran a company called the Beijing Lode Technology Company and is understood to have worked with two co-conspirators based in China; the operation is believed to have run from 2010 to 2014.

Ironically, the Beijing Lode Technology Company's logo proclaimed the firm would "track the world's aviation technology", which, of course, it did. But behind the respectable window dressing of business consultancy, the OCG was hard at work stealing defence industry secrets. Licensed 'machine rooms', dedicated computer facilities, in Macao and Hong Kong re-routed hacking operations via terminals in the US, South Korea and Singapore.

Once the information had been successfully hacked, Su Bin is believed to have marketed it to the highest bidders. These were not necessarily located in mainland China, as an email from Su Bin indicated that he was so unhappy with the price being offered by a Chinese company he intended to look for other buyers.

What makes it far easier for hackers like Su Bin to sell confidential data such as this is the emergence of the Dark Web: a network of websites hiding behind encryption technology to create an online criminal bazaar. Easily accessible but totally anonymous, these websites facilitate the sale of confidential data to the highest bidder.

Some security analysts believe that the Dark Web will come to dominate EaaS in the coming years as cyber criminals realise that it can be more lucrative to steal information rather than cash. And although the OCGs selling EaaS initially focused on traditional areas of corporate espionage such as weapons designs, there is growing evidence that they are now targeting companies outside defence and IT and getting paid in Bitcoin currency.

M&A negotiations offer way for EaaS hackers

For example, law firms which regularly advise on mergers and acquisitions are now seen as prime targets.

The benefits of hacking into companies involved in M&A are twofold. In the case of private negotiations, knowledge of the deal would enable OCGs to insider trade on the information before the deal goes, enabling them to make a killing on the stock exchange. Negotiations such as these can also provide hackers with an entry point into the data systems of the parties involved.

According to a global survey by Freshfields Bruckhaus Deringer, 78 per cent of respondents believe cybersecurity is not analysed in great depth or specifically quantified as part of the merger and acquisition due diligence process.

All companies should now be aware that their most confidential data may already be up for grabs on the Dark Web. All those holding confidential data should, therefore, begin to conduct their own counter-espionage operations, securing their IT systems as well as investigating which of their most sensitive secrets have already been put up for sale.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.