Insider uses steganography to steal trade secrets for China
Xiaoqing Zheng, an engineer working for GE in Albany, was arrested and charged by the FBI with stealing around 20,000 files and providing them to the Chinese government. Interestingly, Zheng used steganography – hiding data in images – to get the data off GE’s network. The accused has been charged, but not convicted.
Zheng was allegedly tasked with stealing trade secrets involving GE’s turbine technologies. Having acquired the desired data, Zheng hid the files inside a picture of a sunset and then e-mailed the image to his own separate e-mail account.
During the investigation leading up to the formal charges, the FBI uncovered a Chinese handbook describing the resources the Chinese government provides to individuals who feed it trade secrets and technologies. Zheng also established the Tianyi Aviation Technology Company in China using grant money provided by the Chinese government – perhaps as payment or reward for providing this data.
GE first discovered Zheng’s activities in 2014, when he moved 19k files to a thumb drive, and launched a formal investigation in 2017, when Zheng encrypted 400 files on his laptop using software that GE had not approved.
Intellectual property theft and technology transfer to China are a major problem and a threat to the U.S. economy and security. This type of theft is estimated to cost U.S. companies and the economy between $225bn and $600bn in losses every year. It significantly harms companies that have developed technologies through costly R&D programs and years of work, only to have another company in China acquire the technology, create its own version, and then either offer a cheaper competing product or flood the Chinese market with its version, effectively blocking the U.S. company that actually developed it.
This type of technology transfer is harmful not only to the economy and U.S. businesses but also to U.S. national security. As advanced technologies are stolen – many of which are controlled and protected as national-security-related technologies – China’s military and broader national security apparatus (in this particular case) can develop much more quickly and close the gap with the United States. It also lets them better understand the true nature of U.S. military technologies and thereby develop effective countermeasures, either to defend against those technologies or to take offensive measures against them.
Protect yourself against Insider Threats
As this story shows, the insider threat is not solely a cybersecurity problem. Protection against insider threats should be led by corporate risk management with engagement from all parts of the business, especially HR, Information Security, Information Technology, R&D, and Product Management.
From an information security perspective, the following strategies should be employed to decrease your risk from insider threats:
- Establish policies and procedures focusing (at a minimum) on acceptable use and data protection, respectively.
- Train your staff continually on these policies and procedures and on information security as a whole. The majority of security incidents involve trusted, well-meaning insiders who make a mistake.
- Enforce your policies. For example, if the policy bans the use of online file-sharing tools (such as Google Drive), enforce it by blocking the sites that could be used and alerting when those protections are circumvented.
- Employ security monitoring and detection. Whether performed internally or through an MSSP, such as Security On-Demand, having a mechanism to detect and alert on insider-type behaviors is critical to preventing data loss or limiting the amount of data that is stolen.
- Employ Data Loss Prevention services that can classify, track, and protect your critical data.
- Implement User Behavior Analytics (UBA). Usually delivered as part of security monitoring and detection, UBA identifies when users act outside their normal pattern and take actions consistent with insider threats.
More about Steganography
Stealing data through steganography has been observed for over 15 years, but it is not very common. That is one of the fascinating aspects of this story, and it makes one wonder how much more theft goes undetected because of steganography.
Detecting steganography is hard. Each pixel value in an image has a “least-significant bit”, the bit that contributes so little to the pixel’s value that changing it produces no visible change in the image. By overwriting those bits with the bits of a file, data can be hidden in the image and the casual viewer is none the wiser. There are few effective ways to detect steganography directly, but here are a few strategies that may help you:
- Hash comparison: If the hash of the original image is known, the hash will change when the insider adds data to it, and identifying that change could help detect it. The challenge is knowing that the two hashes are actually of the same image.
- Detecting data size: Pictures usually have a fairly small file size, depending on the dimensions and quality of the image. Some are just a few hundred kilobytes and others may be 3 or 4 megabytes, but rarely will they get much larger than that. If images seem larger than they should be, it may indicate that additional data is hidden in them.
- Deduction: This does not identify steganography directly, but it can narrow down the possibilities to include steganography. For example, you observe that large amounts of data are being downloaded from your internal network to a specific device, and after a relatively short time the data is deleted. You have not seen it go out over FTP or Telnet, you have not seen it dropped into Dropbox or another unauthorized file-sharing tool, you have seen no indications of the data leaving via e-mail, and there has been no excess printer use, so perhaps the user employed steganography to hide the data.
- Technology solutions: While there aren’t many programs that are expert at detecting steganography, there are a few. Take some time to research different products and see whether any are the right fit for you.
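Two of the strategies above, hash comparison and oversized files, can be automated. The Python script below is an added example and is not part of the original post or any Security On-Demand product: it checks an image against a baseline hash and counts bytes appended after the format’s end-of-image marker, the simplest way an image ends up larger than it should be. The 1x1 PNG, the filename sunset.png and the baseline dictionary are constructed for the example; it does not detect LSB embedding, which changes pixel values rather than file size.

```python
import hashlib
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def trailing_bytes(data: bytes) -> int:
    """Count bytes after the image's end marker (-1 if unparseable).

    PNG: walk chunks (length, type, data, CRC) and stop after IEND.
    JPEG: last FF D9 (EOI) marker; rfind tolerates EXIF thumbnails, which
    carry their own EOI. Bytes beyond the marker are ignored by viewers."""
    if data.startswith(PNG_SIG):
        pos = 8
        while pos + 8 <= len(data):
            length = int.from_bytes(data[pos:pos + 4], "big")
            ctype = data[pos + 4:pos + 8]
            pos += 12 + length  # 4 length + 4 type + data + 4 CRC
            if ctype == b"IEND":
                return len(data) - pos if pos <= len(data) else -1
        return -1
    if data.startswith(b"\xff\xd8"):
        eoi = data.rfind(b"\xff\xd9")
        return -1 if eoi < 0 else len(data) - (eoi + 2)
    return -1


def audit_image(name: str, data: bytes, baseline: dict) -> list:
    """Return findings for one image against a known-good hash baseline."""
    findings = []
    expected = baseline.get(name)
    if expected is None:
        findings.append("no baseline hash for this file")
    elif sha256_hex(data) != expected:
        findings.append("hash differs from baseline copy")
    extra = trailing_bytes(data)
    if extra > 0:
        findings.append(f"{extra} bytes appended after end-of-image marker")
    elif extra < 0:
        findings.append("unrecognised or truncated image structure")
    return findings


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


# Constructed 1x1 RGB PNG standing in for the "original" sunset picture.
IHDR = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", IHDR)
             + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
             + png_chunk(b"IEND", b""))
# Same picture with 40 bytes of constructed filler appended after IEND.
TAMPERED_PNG = CLEAN_PNG + b"X" * 40
BASELINE = {"sunset.png": sha256_hex(CLEAN_PNG)}  # constructed inventory
```

Run `audit_image("sunset.png", TAMPERED_PNG, BASELINE)` to see both findings fire; the clean file returns an empty list.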
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value, reduce risk, and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA, with international R&D offices and a Security Operations Center in Warsaw, Poland.