No one at the investment firm must have noticed the whirring of drone blades overhead — or heard the two miniature aircraft landing on the rooftop — if they made any noise at all.
But once there, the attack drones began carrying out their secret mission: breaking into the corporate network below.
This is the true story of a drone attack that led to a corporate data breach.
Drone Cyberattack Details
Security researcher Greg Linares, aka @Laughing_Mantis, explains the drone-based cyberattack in a string of recent tweets. Although not directly involved with the investigation, Linares said he interacted with those involved, as part of his work in the finance sector.
Linares says things first escalated when the target, a U.S. East Coast financial firm specializing in private investments, detected some unusual activity on the company’s internal Atlassian Confluence page. Security teams noted that the activity originated on their own network. Confluence is a collaboration tool where internal teams at a company share information as they work together. Sometimes these things might include mission-critical, high-stakes projects and details — and this was exactly the kind of information the attackers were hoping to find.
The company’s security team isolated the Confluence server and started incident response. As they investigated, they discovered something unusual relating to the suspect user’s MAC address, which is a unique hardware identifier. The MAC address revealed that the user in question was logged in from a device located several miles away. However, at the same time, that identical MAC address was being used very close to the company’s office. So close, in fact, the device was actually within Wi-Fi range.
Incident responders then conducted embedded Wi-Fi tracing to see where the copycat signal was coming from. That’s where Linares picks up the story:
Screenshots of tweets by @Laughing_Mantis (used with permission)
The Wi-Fi tracking led the team to the building’s roof, where they found two modified DJI drones. One of them was carrying a modified Wi-Fi Pineapple device which was spoofing the Wi-Fi network that employees would normally connect to.
A Wi-Fi Pineapple is a commercially available device that security admins and white-hat hackers use to conduct penetration testing, to scope for any weak spots in a system. However, it can also be used as a rogue access point to conduct man-in-the-middle (MitM) attacks. In this type of attack, the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly (and only) with each other.
In this case, an employee device connected to the imitation Wi-Fi network powered by the Wi-Fi Pineapple, and attackers were then able to intercept the data — which included their login credentials and Wi-Fi information.
The second drone involved in the attack was a DJI Matrice, and the “tools” it carried included “a Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another Wi-Fi device.” This kit can be used for legitimate purposes, like testing network security, and for illegitimate ones, like tapping into a Wi-Fi network, as happened in this case. Attacks like these are highly sophisticated and far from cheap, but motivated threat actors are apparently willing to make the investment for a juicy target.
More Cyberattacks From the Sky?
Are drone-powered cyberattacks becoming more frequent? BlackBerry Most Distinguished Threat Researcher Dmitry Bestuzhev believes they are and says this trend should not surprise us. “Drone attacks are a new standard. They have been active assets in real-life conflicts and are now part of the cyberattack surface.”
The BlackBerry Threat Research team is aware of past instances where drones have flown outside the windows of high-rise buildings that house a target company’s employees, potentially trying to photograph or record sensitive information displayed on computer screens, monitors, or whiteboards. We should probably add this to the list in 8 Strange Ways Employees Can Accidentally Expose Data.
Also, this type of attack points to another trend that’s been building for some time now, where a novel threat from the physical world leads to an attack in the cyber world.
Drone Cyberattack Reveals Physical and Cybersecurity Link
BlackBerry Chief Information Security Officer John McClurg started talking about the convergence of physical security and cybersecurity decades ago when he was a supervisory special agent and branch chief for the FBI. One example he recalls was related to a “phreaker” — which is slang for someone who hacks into telecommunications networks.
“In an effort to gain access to the Central Office of the phone company, the phreaker picked a 30-year-old, rusty, physical lock. Once inside he quickly stole passwords, systems manuals, and equipment. This enabled him to advance a far more sophisticated cyberattack back at his apartment than he would have ever been able to execute but for the physical vulnerability he exploited at the start.”
Despite many years of cyberattacks linked to physical security vulnerabilities, most physical security and cybersecurity efforts remain highly siloed, creating blind spots. McClurg urges organizations to consider how converging these aspects of security can reduce risk.
“A physical security access program’s supporting infrastructure now sits on the network. Having the monitors that reflect the status of that system sitting next to ones being monitored by your cybersecurity operations person — during the wee hours of the SOC’s operation — affords opportunities to cross-train and leverage headcount that might otherwise have to be duplicated.
“And faster correlation of possible relevance between physical reports and what’s being seen in the cyber environment can be affected with greater speed.”
The Cybersecurity and Infrastructure Security Agency (CISA) visually illustrates the connection between physical security — especially Internet of Things (IoT) devices — and cybersecurity, in the diagram below.
Chart — CISA.gov
Steps Toward Security Convergence
Bringing disjointed security efforts into a state of convergence won’t happen overnight; in fact, it will likely take many nights (and days) to accomplish. But a CISA guide on convergence says the payout for corporations is worth the investment.
“As rapidly evolving technology increasingly links physical and cyber assets—spanning sectors from energy and transportation to agriculture and healthcare—the benefits of converged security functions outweigh the challenges of organizational change efforts and enable a flexible, sustainable strategy anchored by shared security practices and goals.”
This brings up a logical question: How do you get started on a journey that brings physical security and cybersecurity together? McClurg says a key step involves the leadership and reporting structure. “Bring the historic headcount and budgets associated with these siloed operations under one operational head. If you are bringing on a chief security officer, it’s proven advantageous in past instances to make sure the new CSO is a peer of the existing CIO, and that they both report into the same leader.”
Also, as you plan your journey, check out the CISA guide, Cybersecurity and Physical Security Convergence.
Preventing Drone Cyberattacks
Beyond the big-picture trends, let’s talk specifically about how to reduce the chances of a successful drone-based cyberattack — or something similar — being carried out against your organization.
Greg Linares offers the following advice:
“When it comes to ‘hybrid security events’ (scenarios that incorporate both cybersecurity and physical security together to compromise an environment or individual), the most important aspect is to know what can be targeted. Teams should ensure they survey their physical locations and be aware of what signals can be reached and where they can be accessed,” he says.
“Attackers can target Wi-Fi, Bluetooth, ZigBee, 3G/4G/5G cell networks, NFC, and other radio signals using very accessible equipment. Teams should also be aware of what areas are physically accessible by attackers: Rooftops, HVAC units, shared spaces, windows, ledges, alleys, vents, parking lots, and fire escapes all provide opportunities for attackers to plant devices.”
And Bestuzhev adds some additional defense techniques. “Companies must pay attention to this threat by employing anti-drone technologies and jamming those activities. If that’s not possible, then the threat model must include hardening by preventing unauthorized access to the corporate network.”
He offers the following guidelines. How many of them you implement will likely relate to your organization’s risk appetite, and perhaps budget.
- Use wired connections instead of Wi-Fi.
- If Wi-Fi is a must, use stronger authentication based on a digital certificate plus the user’s credentials instead of a simple Wi-Fi password.
- Disable Wi-Fi based on schedules — turn it off during non-business hours.
- Remember, MAC addresses are transmitted in plain text, and they are not secured. Anyone sniffing your Wi-Fi traffic will capture it and see it in clear text.
- No sticky notes with passwords!
- No unlocked screens left unattended at the office. And use privacy screens.
- Think about a 24/7 security operations center (SOC) staffed with highly skilled operators who review alerts, rather than relying only on automated feed signals.
- Regularly audit your enabled users and their certificates, along with passwords.
- Log everything — successful and unsuccessful connections — and keep the logs as long as possible.
- Focus on detecting reconnaissance and lateral movement, the techniques threat actors typically use once they have gained access.
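The tell-tale signal in this incident was one MAC address appearing in two places at once: a legitimate session several miles away and an association near the office. The following added example (not code from the article or from any of the people quoted in it) turns that observation, together with the “log everything” and detection guidelines above, into a small detector that runs over authentication logs and flags any MAC address seen at two different physical locations within a short window. The log format, the site-to-location mapping, and the log lines themselves are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines for this example (assumed format):
# <ISO timestamp> <user> <mac> <network element> <site>
SAMPLE_LOGS = """\
2022-09-12T02:14:05 jdoe 3c:22:fb:aa:bb:cc vpn-gw-1 remote-home
2022-09-12T02:16:40 jdoe 3c:22:fb:aa:bb:cc office-ap-07 hq-floor-3
2022-09-12T02:20:11 jdoe 3c:22:fb:aa:bb:cc confluence-web hq-lan
2022-09-12T03:05:00 asmith 00:1a:2b:cc:dd:ee office-ap-02 hq-floor-1
2022-09-12T09:30:22 asmith 00:1a:2b:cc:dd:ee office-ap-02 hq-floor-1
2022-09-12T09:31:00 garbage line that does not match the format
"""

# Assumed mapping from site label to physical location. Sites that share a
# location (every part of HQ here) may legitimately see the same MAC in sequence.
SITE_LOCATION = {
    "remote-home": "remote",
    "hq-floor-1": "hq",
    "hq-floor-3": "hq",
    "hq-lan": "hq",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+(?P<element>\S+)\s+(?P<site>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    mac: str
    element: str
    location: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    site = m.group("site")
    return Event(
        ts=datetime.fromisoformat(m.group("ts")),
        user=m.group("user"),
        mac=m.group("mac").lower(),
        element=m.group("element"),
        # An unknown site is treated as its own physical location.
        location=SITE_LOCATION.get(site, site),
    )


def find_impossible_presence(lines, window_minutes=30):
    """Flag any MAC seen at two different physical locations within the window.

    Returns a list of tuples:
    (mac, user, earlier_location, later_location, earlier_ts, later_ts).
    Only one alert is raised per (mac, location pair) so that a long session
    does not flood the alert queue with repeats of the same collision.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    history_by_mac = {}
    alerts, seen = [], set()
    for ev in events:
        history = history_by_mac.setdefault(ev.mac, [])
        # Forget sightings older than the window before comparing.
        while history and ev.ts - history[0].ts > window:
            history.pop(0)
        for prev in history:
            if prev.location != ev.location:
                key = (ev.mac, prev.location, ev.location)
                if key not in seen:
                    seen.add(key)
                    alerts.append((ev.mac, ev.user, prev.location, ev.location, prev.ts, ev.ts))
        history.append(ev)
    return alerts


if __name__ == "__main__":
    for mac, user, loc_a, loc_b, t_a, t_b in find_impossible_presence(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {mac} ({user}): {loc_a} at {t_a:%H:%M:%S}, then {loc_b} at {t_b:%H:%M:%S}")
```

Keying the rule on the MAC address rather than the username is deliberate: as the guidelines note, MAC addresses travel in clear text, so a copied MAC is exactly the artifact a rogue access point reuses, and the collision itself is the alert. In production the site-to-location table would come from your access-point and VPN inventory, and the window would be tuned to how fast a person can realistically move between those locations.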
Hopefully, this guidance will help you improve your security posture, as threat actors increasingly utilize drones and other physical tools to attack our cyber assets.