“When you are in a small boat, you can see who’s paddling hard and who’s looking around.”
- Ev Williams
Corporate Espionage is often depicted as the stuff of movies, but in reality, organisations worldwide are having information stolen from their networks.
Corporate Espionage can be referred to as industrial Espionage, economic Espionage or corporate spying is the practice of using espionage techniques for commercial or financial purposes.
We usually think of "espionage" in terms of spies working on behalf of one government trying to get information about another. But in fact, many of the same techniques and even many of the same spies work in both realms.
Interestingly, one doesn’t hear much about corporate Espionage in the news.
If a corporation admits that it has been the victim of cloak and dagger activities, it appears vulnerable. This could potentially attract more “freelance” espionage based on the company being an "easy target." It also shakes shareholder confidence.
Corporate Espionage is a much more compelling headline than an earnings report, so the news of a breach would almost certainly receive negative reputation publicity that would cause the company's stock price to drop.
The simple form of corporate Espionage happens every day. People joining new organisations or leaving them tend to either take information to their new employment or start their own competing business or take to a foreign government or organisation.
What is the difference between Industrial and Economic Espionage?
This occurs when a person or party gains access to a company’s information illegally, unethical, or constitutes unlawful business practices.
The term “espionage” is a synonym for the term “spying”. Industrial Espionage includes the unlawful observation of company activity, unlawful listening (such as a wiretap), and unlawful access to company information, which all constitutes spying on the company.
But not all such Espionage is so dramatic. Much of it can take the simple form of an insider transferring trade secrets from one company to another. For example, a disgruntled employee or an employee who has been hired away by a competitor then takes information with them for their advantage.
In the 1980s, IBM won a court case against Hitachi and two of its employees and Mitsubishi for Industrial Espionage. Hitachi was charged with conspiring to steal confidential computer information from IBM and transport it to Japan.
In 1997, a man from Washington, Iowa was charged with wire fraud and theft of trade secrets from Gillette who then disclosed technical drawings to Gillette's competitors in the razor market.
In 2007, McLaren, the leading team in the Formula One championship, was fined $100 million for cheating in using data obtained from Ferrari, its main rival, to improve its car.
Is the unlawful targeting and theft of critical economic intelligence, such as trade secrets and intellectual property.
The term refers to the covert acquisition or outright theft of invaluable proprietary information in several areas, including technology, finance, and government policy.
Economic Espionage differs from industrial Espionage in several ways. It is likely to be state-sponsored, have motives other than profit or gain (such as closing a technology gap), and be much larger in scale and scope.
Chinese spies stole critical design information about America’s top military planes. This was verified according to top-secret documents disclosed by former US intelligence contractor Edward Snowden.
Tesla filed a lawsuit in 2019 against a former engineer at the company, claiming he copied the source code (300,000 files) related to its Autopilot technology before joining a Chinese self-driving car start-up.
To establish a foothold in the aviation industry by building its own “Chinese” commercial passenger plane, they instituted a coordinated, targeted approach in gaining the necessary technology.
Using hackers, cybercriminals, Chinese intelligence as well as recruiting insiders to steal critical designs from different manufactures (Engine – CFM; Flight Control Systems – Parker Aerospace; Flight Recorder – GE; Airframe – AVIC; Fuel System – Parker Aerospace; Landing Gear – Honeywell; Tire – Michelin; APU – Honeywell; Cockpit – Eaton; etc.).
In 2018, 10 Chinese individuals conspired to steal aerospace trade secrets from 13 western companies, most of the U.S. based.
In 2020, a leaked document containing a list of 1.95 million Chinese Communist Party members. In the list of names of CCP members who have infiltrated top corporations and high government levels in the US, UK and Australia.
What do assailants want?
As you have seen by the above examples, they do not want the company’s money. No, there is something far more valuable that is deliberately targeted by such attackers.
They tend to target the company’s most valued asset – Their intellectual property, whether it be their unique designs, methodologies, processes, plans, inventions, trade secrets, patents, databases or other valuable benefits.
What are the different types of methods used to acquire their target asset?
Most organisations that find themselves suffering leaks probably as a result of their negligence and carelessness.
A competing organisation or nation-state that has targeted its victim will use different means to extract that asset.
Many threat actors are circumnavigating target organisations by breaching them via trusted partners, business associates and other third-party networks.
Example: SolarWinds Attack
Thousands of organisations have been affected by a supply chain attack that compromised the update mechanism for SolarWinds Orion network monitoring software in order to deliver a backdoor Trojan.
The attackers were able to compromise the update process of a widely used piece of SolarWinds software there by affecting organisations such as the Pentagon, the Department of State, the Department of Homeland Security, Microsoft, FireEye, Cisco and many others.
As the saying goes “Why bother to hack into a software company when you can just order it to install malware in its products?”
As ever, these organisations are persistent and inventive. If they can’t get in one way, they will keep trying until they find another.
Suggested Mitigation Recommendations
Because of this threat's comprehensive nature, here are ten effective tactics that you can adopt to reduce the risk of corporate Espionage.
The world of corporate Espionage is very real and very different from what one would expect.
It is far from glamorous, lacking both gunfights and fast women, but it concerns companies.
The temptation for gains, advantages and rewards in stealing the asset is strong, so corporate Espionage will continue, whether we hear about it or not.
How Can We Help You Address The User Risk?
Did you know that you have trusted people that are exposing your business to harm right now?
Are you interested in identifying risky behaviour by your employees or other
trusted business partners?
Now, with a User Threat Assessment, we can provide you with insights in a limited 30-day engagement and get one report assessing your organisation and its most significant risks.
What is the process?
100% of Threat Assessments that we conduct have found some form of undetected, unaddressed security threat. Find out what's happening in your organisation or pay you $1,000 to your nominated charity.
Your Next Step