Missing link: How a company lost control in a cyberattack

The IT manager actually feels quite safe. Until hackers march into the company in the middle of the day – and leave unchallenged. The prize: full control.

A man in a high-visibility vest alone in an office

The company was not prepared for a physical attack.

(Image: heise online/Midjourney)


"Servus," he greets at the entrance. This day will be a good one for Immanuel Bär. He knows the company premises from satellite images, the building only from the outside. This is his first time here during the day. Determined and without anyone stopping him, he walks past reception and pushes open the door to a conference room. "Good morning, we need to check something here," he says to a member of staff. Yes, no problem, is the reply. Seconds later, Bär is connected to a company network and has the first data on his screen.

Missing Link

What's missing: In the fast-paced world of technology, we often don't have time to sort through all the news and background information. At the weekend, we want to take this time to follow the side paths away from the current affairs, try out other perspectives and make nuances audible.

The employee continues typing on his keyboard and lets the stranger work with the laptop and LAN cable he has brought under his arm. Meanwhile, he helpfully answers the odd question. What he doesn't realize is that Immanuel Bär is neither a colleague nor is he supposed to be checking anything in the IT infrastructure. The polite, confident man in the patterned shirt is an intruder. His aim: full control of the company's IT. His approach: risky. Brazen. During ongoing operations. His outcome: a complete success.

The intruder walks past the reception desk and into the building with demonstrative ease.

(Image: heise online/Midjourney)

Immanuel Bär works for Prosec, a cybersecurity company from Germany. What he shows on this day, at the premises of a customer from Austria, is a reenactment for the press. A few weeks earlier, the real operation turned into a near-nightmare for IT manager Gustav Schneider, who actually has a different name. The only consolation: Bär and his colleagues were there as white-hat hackers at Schneider's invitation to discover any security gaps. "I gave them a get-out-of-jail-free card," says Schneider. "They were told to take everything they could – nobody knew about it except me, not even the management." The extent of the loot shocked Schneider. "I was already expecting that they might get into one of our networks. But I didn't think it was possible that they would double-cross us like this," he explains sadly.

And even at the second attempt, Immanuel Bär – now accompanied by the press – does not arouse any suspicion. He saves the names of more than 276 devices, access to the time recording system and some manufacturer information on his computer, tidies up and thanks the employee in the conference room. The fact that two people with a camera accompany the stranger does not seem to bother the employee. Bär sets off to obtain further information. His goal: domain admin rights. By the end of the day, the team will have been in and out of the company several times, stolen several company cars and locked IT out of its own system, and in the evening, with total control over the company's systems, Bär will close the laptop.

"Don't mind me, I just need to check something here," says the intruder in the kitchenette and gets to work on the printer.

(Image: heise online/Midjourney)

Bär walks further into the administrative wing, greets people coming the other way, and glances into the open mailboxes next to open office doors. He finds a printer in the kitchenette. He says to the staff present: "Don't let me disturb you, I just need to check something." Bär finds old print jobs on the printer and can read off contacts via the "send to myself by email" function. He pulls crumpled-up machine data printouts from the garbage can next to the printer. "Crumpled and torn things are always the most interesting," he says, pockets the documents and moves on.

"Eight years ago, we invested 35,000 euros in anti-virus protection and that was the security," says Gustav Schneider. That is now nowhere near enough. "Last year it was 380,000 euros, this year 500,000 euros." At the beginning, the company focused particularly intensively on awareness, sending employees phishing emails, educating them and practising. "Last year, we then strengthened the outer ring in terms of hardware and software, my team was 'fed up'," reports Schneider. "Many of them thought that nothing could happen to us now." To test this, Schneider commissioned the security company to carry out a penetration test. The company is well equipped, he thinks, not much can happen. A short time later, it turns out that Schneider was wrong. And hugely so.

Bär and his team had discovered the company's biggest weakness in advance, and he now exploits it shamelessly: in the virtual world, the company is well equipped against attackers – but the factory premises on site don't even have a fence. In the area, people deal with each other openly and there is mutual trust, says Schneider, explaining the unsecured company premises. IT is not prepared for an attack from the inside. "We planned for one or two days, checked the company premises and looked at where we could come from," explains Bär. An extension to a building, for example, is particularly vulnerable. "The locking system is then often invalid."

The team gathers further information from social media posts. They systematically search for photos and videos in which a printer type can be recognized, a name badge appears or a visitor badge can be seen. "Is there an employee event, a smokers' corner, a supplier entrance, where is a door often open?", Bär lists. "A company often falls through a wooden wedge in the door." The team also went through the garbage in a clandestine moment. "Show me your garbage and I'll show you your identity." Bär and his team found what they were looking for in a video about an event during the coronavirus pandemic. They have a clipboard with the printer manufacturer's logo, fake visitor badges, high-visibility vests and LAN and printer cables with them on D-Day.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.