Targeted social engineering attack sees blueprints stolen and used

This blog forms part of a weekly review of scenarios from Verizon’s Data breach digest

A manufacturing company became incredibly suspicious of a primary competitor last year after it released a large piece of construction equipment that had many similarities to one of its own. The company was concerned that blueprints for the equipment had been stolen, or sold, and their concerns grew when they realised that their other projects may also be at risk.


A specialist investigation team were called in to find out what had occurred, and to stop it from occurring again.

After interviewing key stakeholders and employees involved in the design project, it appeared that their chief design engineer had been searching for a new job prior to this piece of equipment being manufactured.

Where do people often look for employment? LinkedIn. And where do most targeted social engineering attacks start? Social media.

It turns out that a ‘recruiter’ from LinkedIn had been exchanging emails with the chief design engineer and, at some point in the exchange, sent over an ‘employee position listing’ document that contained malware tied to a known malicious Chinese IP address. When opened, the malware began beaconing to an external IP address used by the threat actor. The threat actors then installed a backdoor on the chief design engineer’s system, which enabled the attackers to search the data on that system as well as collect sensitive data from network file servers and attached USB hard disk drives.

Blueprints stolen

As originally suspected, blueprints for the large piece of construction equipment were stolen and it’s suggested they were given to Chinese companies that were state owned, operated or supported – a state-protected attack, perhaps?

Attack profiling

It’s clear that this attack specifically targeted this manufacturing company. The attackers found who they believed to be the best target via social media (the chief design engineer) and built trust with them via a fake recruitment profile. By attacking the engineer and compromising their PC, activity in certain areas of the network would not have appeared suspicious, as it would have been common for the engineer to access those areas.

Security awareness

There’s no doubt that well-delivered phishing awareness training would’ve stopped this attack from occurring. If the engineer was aware of the threats posed by fake recruiters on social media, then they may have thought twice before downloading a document on to a PC that had access to their company’s valuable intellectual property.

Share now…

Share on Twitter Share on Facebook Share on LinkedIn