The arrest of a GE engineer on charges that he stole trade secrets from the company’s power division in Schenectady has raised broader questions about cybersecurity and intellectual property.
In an affidavit, federal prosecutors outlined how they believe Xiaoqing Zheng stole more than 19,000 files from GE’s computer system. The Niskayuna man’s methods ranged from downloading the files to a thumb drive to a tactic known as steganography, in which data is hidden within an image.
According to FBI Special Agent M.D. McDonald, the use of steganography in corporate espionage was understood to be a danger “in theory,” but both the FBI and GE cyber security staff involved had “never actually seen a subject employ them.”
Prosecutors said they discovered Zheng using the method through “real time video of Zheng’s computer activities on July 5, 2018,” adding that “the entire process took him less than 10 minutes.”
In the affidavit, Zheng is alleged to have used a photo of a sunset to hide company data, sending the encrypted information to his personal Hotmail address.
Adam Dean, a security specialist at GreyCastle Security in Troy, showed how altering just one pixel of a digital image can allow someone to hide data.
Video: in Troy, @GreyCastleSec’s Security Specialist Adam Dean shows how easy it is to bury data in an otherwise innocuous file.
— Jake Lahut (@JakeLahut) August 3, 2018
“To me, it’s almost funny because you never see it happen,” Dean said of the use of steganography. “It has more of a movie quality.”
According to SUNY Albany Professor David Turetsky, steganography’s effectiveness lies in its stealth.
“You don’t see it in the larger digital picture or pixels,” Turetsky said. “It’s sort of buried within. People don’t even know it’s there, and it can be used in either direction.”
But for security analysts like Dean, steganography leaves a footprint with the simple presence of software required to decode the data. Audio or video files can also be used to hide information, he said.
“If you know what you’re doing, you’d know that there are better options than steganography just because of the footprints that it leaves,” Dean said.
In the GE case, the court documents suggest Zheng left other footprints as well.
A spokesman for General Electric declined to comment for this story.
More broadly, the arrest has raised questions about where the most pressing cybersecurity threats for businesses lie today.
“Almost all of the effort used to go to the perimeter — to keep people out of systems,” Turetsky said. “Now, there also needs to be intrusion monitoring and segmentation of networks.”
Dean used the White House as a metaphor to explain the challenge.
“You see a lot of people jumping over the fence of the White House,” Dean said. “But they don’t usually make it any farther. So, in the IT and security world, it really comes down to: ‘If something negative were to happen, how quickly can you detect it and stop it from happening?’”
For Turetsky, who is an instructor in the first college program in the country to combine instruction in disaster preparedness, homeland security and cybersecurity, the modern landscape requires organizations to adapt from looking only for outside threats. Now, employees increasingly pose security risks, even if there is no malicious intent.
“Cybersecurity is something every business needs to think about,” Turetsky said. “Every employee is essentially an insider, so we need to teach people what the best practices are … employees are not only the lifeblood of a company, but they are also an insider threat. This can happen unintentionally, such as with malware or phishing.”
Phishing, which was reportedly used by Russian hackers to infiltrate the Democratic National Committee during the most recent presidential election campaign, tricks email users into clicking on links or attachments that allow hackers to gain access to users’ computer systems.
“You only get into trouble when you start clicking on things,” Dean said.
Dean and Turetsky agreed that companies’ focus should be on teaching employees how to spot phishing exploits. What is far less common, they both said, is the use of steganography to steal intellectual property.
“Just the very presence of that (steganography) encryption software raises suspicions,” Dean said.
He added that his company and other security firms rarely encounter nation states themselves penetrating computer systems to steal intellectual property. Instead, the security specialist said, governments wait for insiders to take bids for intellectual property removed from their employer’s network. This makes the process more lucrative for the thieves and less burdensome, logistically, for the foreign governments looking to steal secrets.
While firms like GreyCastle can help organizations secure their data, no one has infinite resources, and there will always be a risk of losing data, Dean said.
“It’s not a silver bullet,” Dean said of the latest and most advanced security measures. “Company data is still going out every day.”