In this episode we will talk about disgruntled employees and insider threats. We will have a look at the recent incident at Apple, when an employee tried to sabotage a tech giant by leaking highly confidential data about an autonomous vehicle project to a Chinese company. Let's analyze what we can learn from Apple's experience and how we can reduce the risk of insider threats in our organizations.
On July 10th, various media outlets reported that the United States Federal Bureau of Investigation had charged former Apple employee Xiaolang Zhang with theft of trade secrets. Zhang confessed to the theft and could face up to 10 years in prison and a $250,000 fine.
Zhang was hired at Apple in December of 2015 to work on Project Titan, developing software and hardware for use in autonomous vehicles. He specifically worked on Apple's Compute Team, designing and testing circuit boards to analyze sensor data.
Apparently, because of his position, he was given "broad access to secure and confidential internal databases" containing the trade secrets and intellectual property of the autonomous driving project, which is exactly what he ultimately stole.
According to Apple, in April 2018 Zhang took family leave following the birth of his child, and during that time he visited China. Shortly after, he told his supervisor at Apple that he was leaving the company and moving to China to work for XMotors. XMotors is a Chinese startup that also focuses on autonomous vehicle technology and is backed by the Chinese giant Alibaba. It is headquartered in China, and its North American offices are located in Palo Alto.
When Zhang wanted to leave Apple, he asked his supervisor for a meeting. During the meeting, Zhang's supervisor felt that he had "been evasive" and nervous, and thought that something was not right. The supervisor then brought Apple's New Product Security Team into the meeting. The product security team also became suspicious and began an investigation, looking into Zhang's historical network activity and analyzing his Apple devices, which were seized when he resigned.
It is worth noting that back in April Apple had sent out a lengthy cautionary memo warning employees to stop leaking internal information on future plans, raising the specter of potential legal action and criminal charges, one of the most aggressive moves by the world's largest technology company to control information about its activities. In the memo, posted to its internal blog, Apple said that it "caught 29 leakers" last year and noted that 12 of those were arrested. "These people not only lose their jobs, they can face extreme difficulty finding employment elsewhere," Apple added.
How did Zhang leak the data?
Apple found that just prior to Zhang's departure, his network activity had "increased exponentially" compared to the prior two years he had worked at Apple. He accessed content that included prototypes and prototype requirements, which the court documents specify as power requirements, low voltage requirements, battery system, and drivetrain suspension mounts. So you can guess that these are very sensitive corporate documents and intellectual property secrets.
The majority of his activity consisted of both bulk searches and targeted downloading of copious pages of trade secrets and intellectual property from various confidential database applications. Zhang visited the campus on the evening of Saturday, April 28, entering both Apple's autonomous vehicle software and hardware labs, which coincided with the data download times, and he left with a box of hardware. He was taking both online data and hardware (a Linux server and circuit boards) from Apple during his paternity leave. He also admitted to AirDropping sensitive content from his own device to his wife's laptop.
The FBI filing also gives a good idea of some of the security controls that Apple has in place. For example: to access sensitive projects like Titan, an employee must be logged into Apple's virtual private network and must be granted "disclosure," a status that can only be granted when an employee is sponsored by another employee who already has access to the project, with an administrator reviewing all requests. Approximately 5,000 Apple employees have access to data on Apple's autonomous driving efforts, with the databases Zhang accessed further restricted to approximately 2,700 "core employees."
Now let's see how Apple reacted to his actions.
So, as I mentioned before, after hearing Zhang's intentions his supervisor felt that something did not add up and invited Apple's New Product Security division to join the meeting with Zhang. At the conclusion of the meeting, Zhang was asked to turn in all Apple-owned devices and was advised that he would be walked off the campus. Zhang turned over two Apple iPhones and one MacBook laptop. Apple's security team then immediately disabled Zhang's remote network access, badge privileges, network access and other employee accesses. Zhang was also reminded of Apple's intellectual property policies, and he acknowledged that he understood them and would comply.
This happened on April 30th, and the next day Apple's New Product Security team asked internal teams to review Zhang's historical network user activity and his accesses to the databases. At the same time, his physical security activity was reviewed by the Global Security team, who also requested forensic analysis of Zhang's Apple-owned devices from Apple Information Security.
So it seems that at least the following security teams were involved: Apple New Product Security (which oversees the security of new products and makes sure that nothing gets leaked), Apple Global Security (responsible for physical security and global security) and Apple Information Security (probably a more technically focused team involved in technical analysis).
Apple Global Security reviewed badge swipes and CCTV footage in which he was seen entering the autonomous vehicle project buildings and leaving with a computer keyboard, some cables and a large box. The interesting bit here is that all of his suspicious activities occurred during paternity leave, and it was particularly alarming because they occurred a few days prior to Zhang's resignation from Apple.
Apple's security team then contacted Employee Relations on the same day, May 1st, to discuss bringing Zhang back to Apple, and eventually he agreed to be re-interviewed. The next day Zhang visited Apple, where he initially denied coming to the workplace during paternity leave and removing Apple property, but after he was confronted with the evidence he admitted everything. Later, Apple's Digital Forensic Investigations discovered that 60 percent of the data on his wife's laptop, to which he had AirDropped the stolen data, consisted of highly sensitive documents amounting to 40 GB.
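The two signals that gave Zhang away, download volume that "increased exponentially" against his own history and weekend lab entries during paternity leave, are exactly what a SIEM correlation rule should look for. The following is an added example written for this post, not Apple's detection logic: it runs a per-user baseline-versus-spike rule over a constructed document-download audit log and a constructed badge-swipe log, joins them with an HR leave record, and raises an alert only when both signals coincide for the same person. Field names, thresholds and the user ids are assumptions.

```python
# Added example (not from the podcast or Apple): a baseline-vs-spike rule over
# two constructed feeds, a document-download audit log and a badge-swipe log,
# joined with an HR leave record. Field names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, date
from statistics import median

# Constructed download-audit events: (user_id, ISO timestamp, documents fetched).
# emp_1042 has a quiet baseline in early April, then a burst on 28-29 April.
DOWNLOAD_LOG = [
    ("emp_1042", "2018-04-03T10:15:00", 8),
    ("emp_1042", "2018-04-05T14:02:00", 6),
    ("emp_1042", "2018-04-10T09:30:00", 11),
    ("emp_1042", "2018-04-12T16:45:00", 7),
    ("emp_1042", "2018-04-28T20:10:00", 410),
    ("emp_1042", "2018-04-29T01:05:00", 265),
    ("emp_2077", "2018-04-03T10:20:00", 15),
    ("emp_2077", "2018-04-10T11:00:00", 14),
    ("emp_2077", "2018-04-28T13:00:00", 18),
]

# Constructed badge-swipe events: (user_id, ISO timestamp, door).
BADGE_LOG = [
    ("emp_1042", "2018-04-03T08:55:00", "AV-HW-LAB"),
    ("emp_1042", "2018-04-28T19:40:00", "AV-SW-LAB"),   # Saturday evening
    ("emp_2077", "2018-04-10T09:05:00", "MAIN-LOBBY"),
]

# Constructed HR leave records: user_id -> (first day, last day) of leave, inclusive.
LEAVE = {"emp_1042": (date(2018, 4, 14), date(2018, 4, 30))}

SPIKE_FACTOR = 10   # a day must exceed 10x the user's own median of earlier days...
MIN_DOCS = 100      # ...and clear an absolute floor, so tiny baselines do not alert


def daily_counts(log):
    """Sum documents fetched per (user, calendar day)."""
    counts = defaultdict(int)
    for user, ts, n in log:
        counts[(user, datetime.fromisoformat(ts).date())] += n
    return counts


def download_spikes(log):
    """Return (user, day, count, baseline) for days that dwarf the user's own history."""
    per_user = defaultdict(dict)
    for (user, day), n in daily_counts(log).items():
        per_user[user][day] = n
    findings = []
    for user, days in per_user.items():
        for day, n in sorted(days.items()):
            history = [v for d, v in days.items() if d < day]   # only earlier days
            if not history:
                continue
            baseline = median(history)
            if n >= MIN_DOCS and n > SPIKE_FACTOR * baseline:
                findings.append((user, day, n, baseline))
    return findings


def physical_anomalies(badge_log, leave):
    """Return (user, day, door, reasons) for swipes during leave or outside 07:00-19:00 weekdays."""
    findings = []
    for user, ts, door in badge_log:
        when = datetime.fromisoformat(ts)
        reasons = []
        window = leave.get(user)
        if window and window[0] <= when.date() <= window[1]:
            reasons.append("on leave")
        if when.weekday() >= 5 or not 7 <= when.hour < 19:
            reasons.append("off hours")
        if reasons:
            findings.append((user, when.date(), door, reasons))
    return findings


def correlate(download_log, badge_log, leave, window_days=2):
    """Pair each download spike with physical anomalies for the same user within window_days."""
    physical = physical_anomalies(badge_log, leave)
    alerts = []
    for user, day, n, baseline in download_spikes(download_log):
        for p_user, p_day, door, reasons in physical:
            if p_user == user and abs((p_day - day).days) <= window_days:
                alerts.append({"user": user, "download_day": day, "documents": n,
                               "baseline": baseline, "badge_day": p_day,
                               "door": door, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(DOWNLOAD_LOG, BADGE_LOG, LEAVE):
        print(alert)
```

The baseline is per user and uses the median of that user's earlier days, so a heavy-but-normal user such as emp_2077 never trips the rule, while an engineer whose volume jumps from a handful of documents to hundreds does. The absolute floor (MIN_DOCS) stops a brand-new employee with a baseline of two documents from alerting on twenty, and the join with the leave record is what turns a single lab entry into something worth a human's attention.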
Now I'll share with you the controls that I noticed in this story and which were stated in the official legal filing by the FBI. Of course these are not all of Apple's controls, only those relevant to this specific case:
- Apple protects databases with layers of access control.
- Employees must use Apple's VPN to have access to Apple's premises.
- VPN clients must be downloaded and installed on workstations or other devices.
- VPN is provisioned during the onboarding process for new hires and controlled via internal software.
- In order to access sensitive projects, an employee must be granted "disclosure" status, which allows the employee to receive information about the project.
- Internal software is used for managing requests for project disclosure.
- An employee should also be sponsored for disclosure on the project by someone who is already disclosed. The sponsorship request should include a justification.
- Furthermore, not all employees disclosed to the project are granted database access. This kind of access requires a separate request.
- Before starting at Apple, corporate employees must sign an Intellectual Property Agreement, which specifies that they may not use Apple's intellectual property except as authorized by Apple; this includes transfer and transmission as well.
- Zhang not only signed this document but also took an annual Business Conduct course which discussed the appropriate handling of confidential material and other sensitive topics.
- Additionally, employees disclosed to the sensitive project must also attend in-person secrecy training, which Zhang attended.
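The layered model in the list above (VPN, sponsored disclosure, administrator review, a separate database grant) and the immediate revocation described in the section on Apple's reaction are easy to get wrong when they live in three different systems. Here is an added example, written for this post and not Apple's internal software, that expresses that workflow as code: a request is refused unless the sponsor is already disclosed and a justification is given, approval grants disclosure only, database access is a separate grant that presupposes disclosure, every access-time decision is checked against all four conditions and logged, and offboarding clears everything in one call. The project name is taken from the post; class and method names, user ids and the database name are assumptions.

```python
# Added example (not Apple's software): the disclosure/sponsorship/database-grant
# workflow from the FBI filing modelled as code, with revocation on departure.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request fails one of the layered checks."""


@dataclass
class Employee:
    uid: str
    active: bool = True
    on_vpn: bool = False                          # connected through the corporate VPN
    disclosed: set = field(default_factory=set)   # projects this person is disclosed to
    db_grants: set = field(default_factory=set)   # (project, database) pairs, granted separately


@dataclass
class DisclosureRequest:
    employee: str
    sponsor: str
    project: str
    justification: str
    approved: bool = False


class ProjectRegistry:
    """Employees, pending disclosure requests and an append-only audit trail."""

    def __init__(self):
        self.employees, self.pending, self.audit = {}, [], []

    def add_employee(self, uid):
        self.employees[uid] = Employee(uid)

    def request_disclosure(self, employee, sponsor, project, justification):
        """Layer 1: needs an active, already-disclosed sponsor and a written justification."""
        emp, spo = self.employees[employee], self.employees[sponsor]
        if not (emp.active and spo.active):
            raise AccessDenied("inactive employee or sponsor")
        if project not in spo.disclosed:
            raise AccessDenied(f"{sponsor} is not disclosed to {project} and cannot sponsor")
        if not justification.strip():
            raise AccessDenied("justification required")
        req = DisclosureRequest(employee, sponsor, project, justification)
        self.pending.append(req)
        return req

    def approve(self, req, admin):
        """Layer 2: an administrator reviews every request; approval grants disclosure only."""
        if not self.employees[admin].active:
            raise AccessDenied("reviewer is not active")
        req.approved = True
        self.pending.remove(req)
        self.employees[req.employee].disclosed.add(req.project)
        self.audit.append(("disclosed", req.employee, req.project, req.sponsor, admin))

    def grant_database(self, employee, project, database, admin):
        """Layer 3: database access is a separate grant and presupposes disclosure."""
        emp = self.employees[employee]
        if project not in emp.disclosed:
            raise AccessDenied("database grant requires prior disclosure")
        emp.db_grants.add((project, database))
        self.audit.append(("db_grant", employee, project, database, admin))

    def authorize(self, employee, project, database):
        """Access-time decision: active, on VPN, disclosed, and holding the database grant."""
        emp = self.employees[employee]
        ok = bool(emp.active and emp.on_vpn and project in emp.disclosed
                  and (project, database) in emp.db_grants)
        self.audit.append(("access", employee, project, database, "allow" if ok else "deny"))
        return ok

    def offboard(self, employee):
        """Departure: revoke VPN, disclosure and database grants in a single step."""
        emp = self.employees[employee]
        emp.active, emp.on_vpn = False, False
        emp.disclosed.clear()
        emp.db_grants.clear()
        self.audit.append(("offboard", employee))


def scenario():
    """Walk one engineer through the lifecycle; returns the decision at each stage."""
    reg = ProjectRegistry()
    for uid in ("admin_1", "lead_1", "eng_1", "eng_2"):
        reg.add_employee(uid)
    reg.employees["lead_1"].disclosed.add("titan")     # constructed seed: lead already disclosed
    results = {}
    try:                                               # eng_1 is not disclosed, so cannot sponsor
        reg.request_disclosure("eng_2", "eng_1", "titan", "needs schematics")
        results["unsponsored"] = "allowed"
    except AccessDenied:
        results["unsponsored"] = "denied"
    req = reg.request_disclosure("eng_1", "lead_1", "titan", "designs sensor-analysis boards")
    results["pending"] = reg.authorize("eng_1", "titan", "prototypes")
    reg.approve(req, "admin_1")
    results["disclosed_only"] = reg.authorize("eng_1", "titan", "prototypes")
    reg.grant_database("eng_1", "titan", "prototypes", "admin_1")
    results["off_vpn"] = reg.authorize("eng_1", "titan", "prototypes")
    reg.employees["eng_1"].on_vpn = True
    results["full"] = reg.authorize("eng_1", "titan", "prototypes")
    reg.offboard("eng_1")
    results["offboarded"] = reg.authorize("eng_1", "titan", "prototypes")
    results["audit_events"] = len(reg.audit)
    return results


if __name__ == "__main__":
    for stage, decision in scenario().items():
        print(f"{stage:15} {decision}")
```

The point of the single `offboard` call is the one the post makes about Apple's reaction: when someone resigns, VPN, badge, disclosure and database grants must fall together, not one ticket at a time. Keeping the audit list append-only is what later lets an investigator reconstruct "historical network user activity and accesses to the databases" the way Apple's teams did.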
Well, let's be straight: if employees want to leak something, they will do it no matter what they have signed, how much training they have passed or how long the policies are with which you are trying to cover all the topics your organization cares about.
But let’s analyze the success factors for this case and see what we can learn.
The crucial part that I would name as the main success factor was that Zhang's supervisor was cautious and attentive. If he or she had not been cautious and had not directly asked for the involvement of the Apple Global Security team, Zhang's corporate espionage would have had a much higher chance of success. So we can say that people are one of the major success factors. You need people you can trust, who care about your organization and believe in the mission. This can only be achieved with strong leadership and a defined culture in the company. And as we see from this and many other cases, no policy, contract or other type of paper can make a stronger bond between employee and employer than the culture of the company. That's why I think that security should be part of the culture and not imposed as a foreign organism in a corporate environment.
The second success factor is awareness. Yes, it did not work on Zhang, but it worked for the supervisor, security and HR teams in the company. They knew how to handle the situation because they had probably been very well trained.
As a third success factor we can consider Apple's procedures, which involved the immediate disabling of access, permissions and privileges. If you do not have this in place, I suggest you start working on it asap, because your employees should know what to do in case of such incidents.
The fourth success factor could be technical capabilities. We do not know exactly what was in place, but we can assume there is some kind of IDS/IPS, probably a database Data Leakage Prevention solution, and of course some kind of SIEM and NetFlow analysis.
Next we should also mention the technical skills of the people who were involved in this procedure and investigated most of the evidence in under 24 hours.
Last but not least, the sixth success factor was physical security controls, since CCTV footage and badge access records gave a proper idea of how Zhang was acting in the real world, and they were used as strong evidence.
So if you want to sharpen your incident management skills and make sure that you are in control of insider threats, you should consider:
- building a strong, open and honest culture in your company;
- making sure that people are properly trained and aware;
- having defined procedures, instructions and policies in place;
- investing in solutions and skills;
- not forgetting that we still live in a physical world, where security is equally as important as in the virtual one.
Don't forget to subscribe below to stay up-to-date with the latest podcasts and other developments!