Cyber TSCM Case Studies

4G Data Eavesdropping


Whilst conducting a reactive Cyber TSCM inspection of a data centre in Eastern Europe for a Fortune 500 Client, QCC identified and located a 4G data modem. The inspection had been requested when the Client became suspicious that detailed technical product information had been leaked and was known to unauthorised parties. The 4G modem had been installed and hidden in the bottom of a rack containing monitoring and control equipment for the data centre's air-conditioning and fire suppression systems.

The attacker had chosen this rack because it was not directly controlled by our Client, and the Client's IT team had no reason to access it. The 4G data modem was connected to one of the servers in the adjacent rack belonging to our Client. Through it the attacker could send data to and receive data from the server and the wider network, including delivering APT malware.

This type of device would not show up during external penetration tests, as it was installed inside the Client's network, and its deployment location in a third-party rack also made the probability of its physical detection very low. QCC conducted cyber forensic analysis of the modem and server and presented the results to the Client, whose legal team subsequently launched a civil legal action against a direct competitor of the Client. QCC has since assisted with evidence preservation and expert witness statements in support of our Client.


3G Data Eavesdropping


QCC were called on by a telecommunications company in India to conduct a Cyber TSCM (CTSCM) inspection of a call centre located in New Delhi after it was discovered that their customer database had been accessed by an unauthorised person, who then sold the customer account information to fraudsters, who in turn used the information to fraudulently obtain high-value goods including cars, jewellery, designer clothes and loans. The Client could not understand how the database had been accessed out of hours when the offices were closed, and CCTV cameras confirmed no one was in the offices at the time of the incident.

QCC conducted the CTSCM inspection and discovered a USB keystroke logger with Wi-Fi capability attached to one of the computers used for processing customer account details. As the inspection continued, QCC found a KVM switch linked to a 3G modem, concealed in a bundle of cabling attached to another computer used to access the database.

Further investigation discovered that the database admin user log-in name and password had been captured by the key-logger, which then relayed the credentials to the eavesdropper via the Wi-Fi function of the device. The user name and password were then used a few days later to access the other compromised computer via the KVM switch linked to the 3G modem. The customer account information was then simply copied off at will by the information thief who, following a cyber forensics investigation by QCC, was found to have been over 1,400 km away in Mumbai at the time of the attack.

Wi-Fi Man in the Middle (MITM) attack

QCC conducted a Cyber TSCM inspection for a Swiss Hedge Fund based in Geneva and uncovered a Wi-Fi Man In The Middle interception attack.

Whilst conducting deep analysis of the Wi-Fi emissions in the Client's building, the QCC Cyber TSCM inspection team detected what appeared initially to be a legitimate Wi-Fi access point, broadcasting a Service Set Identifier (SSID, or network name) very similar to the Client's own guest Wi-Fi network. However, when the access point was traced it was found to be located outside the Client's demise, in the electrical riser of the empty office one floor above. QCC operatives were able to access this riser from below, through the inter-floor riser grating.

What was discovered was a Wi-Fi hacking device, also known as a Wi-Fi "Man In The Middle" device, which fools Wi-Fi-enabled laptops, phones, tablets, etc. into connecting to it. This Wi-Fi hacking tool poses as a legitimate Wi-Fi connection by pretending to be a network the user's device already knows, for instance the user's home or work network, or in this case the work guest network.

Once connected, the victim's device gets an internet connection via the Wi-Fi "Man In The Middle" device. However, all the data traffic that passes through the device is available to the eavesdropper to view or record for nefarious purposes, including stripping and recording of passwords, PIN numbers, SSL information, confidential personal information and screenshots of the websites and pages the victim's device is accessing.

This attack was clearly a cyber-attack designed to harvest confidential information from unsuspecting user devices within the Client premises. These Wi-Fi MITM devices are openly sold on the internet via hacking websites.

QCC preserved the scene and evidence for later forensic analysis in our forensics laboratory. Full analysis was conducted by QCC's Cyber Forensics team, and the Client, their legal team and their security/IT team were supported with a cyber investigation, subsequent legal action and the implementation of security controls to mitigate this risk going forward.
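One defensive check that follows from this case is to compare Wi-Fi survey results against an approved list of access points, flagging any radio that broadcasts the guest SSID from an unknown BSSID or a look-alike SSID. The following is an added example written for this page, not QCC's tooling; the SSID "Acme-Guest", the BSSIDs and the scan records are all constructed sample values.

```python
# Added example (not QCC's code): flag APs that mimic an authorised network.
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # radio MAC address
    channel: int
    signal_dbm: int

# Constructed sample: the authorised guest network and its approved radios.
AUTHORISED = {
    "Acme-Guest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(ssid: str) -> str:
    # Case and separator changes are the usual evil-twin tricks; ignore them.
    return ssid.lower().replace("-", "").replace("_", "").replace(" ", "")

def find_suspect_aps(scan, authorised=AUTHORISED, max_distance=2):
    suspects = []
    for ap in scan:
        for good_ssid, good_bssids in authorised.items():
            if ap.ssid == good_ssid and ap.bssid.lower() in good_bssids:
                continue  # approved radio broadcasting the approved name
            if edit_distance(normalise(ap.ssid), normalise(good_ssid)) <= max_distance:
                reason = "unknown BSSID for authorised SSID" if ap.ssid == good_ssid else "look-alike SSID"
                suspects.append((ap, good_ssid, reason))
    return suspects

# Constructed scan results, in the shape a survey tool might export.
SAMPLE_SCAN = [
    AccessPoint("Acme-Guest", "aa:bb:cc:00:00:01", 6, -45),
    AccessPoint("Acme-Guest", "de:ad:be:ef:00:01", 11, -38),   # same name, unknown radio
    AccessPoint("Acme_Guest", "de:ad:be:ef:00:02", 1, -40),    # look-alike name
    AccessPoint("CoffeeShop", "00:11:22:33:44:55", 6, -70),
]

if __name__ == "__main__":
    for ap, target, reason in find_suspect_aps(SAMPLE_SCAN):
        print(f"{ap.ssid!r} {ap.bssid} ch{ap.channel} {ap.signal_dbm} dBm: {reason} (mimics {target!r})")
```

A strong signal for a flagged AP that is not inside the premises is the cue to physically trace the radio, as was done in this case.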


Bluetooth Keystroke Logger


QCC performs periodic inspections of selected meeting rooms and offices for a global mining sector Client at their regional HQ in Santiago, Chile. During a follow-up inspection, a USB keystroke logger with Bluetooth was discovered connected between the keyboard and the desktop computer of a senior staff member. This device was capable of recording up to 2 million key presses and could be remotely accessed via Bluetooth. The key-logger records the actual keys pressed in clear text, including passwords, user names, PIN numbers, emails and any other documents created.

QCC liaised with the Client's CIO and it was decided to leave the device in place, with QCC installing covert CCTV to monitor the area. QCC then researched the device and was able to gain access to it and view the information stored on it, which proved the original installation date. QCC then replaced the live key-logger with a new, empty, identical USB keystroke logger.

Through a programme of intercompany misinformation and the use of the covert monitoring equipment, the person responsible was identified when she removed the dummy device. A full report and statement were provided by QCC to the Client's HR department to assist in action against the person identified as conducting the surveillance attack.