
How great would the damage be to Apple’s current revenues and image if a competing company had manufactured a smartphone almost identical to the first iPhone and unveiled it before Apple did? Stealing the engineering drawings (blueprints) of a product gives a competitor the knowledge needed to manufacture a similar product.
A recently discovered industrial espionage malware is designed to do just that: steal your company’s intellectual property by targeting computer-aided design (CAD) files. These files store details such as product dimensions, materials and product design, and are used by engineers in many industries, including automotive, shipbuilding, aerospace and consumer electronics. The malware locates AutoCAD files and sends them by e-mail to designated accounts; in one case the attacker stole over 100,000 CAD files from a company in Peru, which gives an idea of the extent of the attack. Every new design was sent automatically to the operator of the malware, inflicting long-term damage on the victim company. Written in AutoCAD’s scripting language, AutoLISP, the malware shows that a compromised insider is a threat posed not only by military espionage malware like Duqu, Stuxnet or Flame, but also by simple industrial espionage malware that requires no cryptography or software-exploit expertise.
The infection method seemed to work as follows:
- The attacker somehow replaced a clean AutoCAD template file on a web server with an infected one. Everyone participating in the project used that template, so the target company and the partners involved in the project were all at risk.
- Once the infected file was opened, it modified the AutoLISP startup file, adding a Visual Basic script that is executed by a script interpreter already built into Windows.
- From that point on, each time AutoCAD is launched the malicious code executes and data is compromised. This means that drawings belonging to future projects are compromised as well.
- Possibly intending to beat the competition or to make the copied product easier to sell, the malware also sends its operators stolen business information by locating Outlook .pst files, which contain contacts, calendar entries and e-mails.
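The persistence step above lives in a file AutoCAD loads on its own, so one defensive check is to sweep project shares for startup LISP files carrying the behaviours described (Windows script host, .pst harvesting, mail). The scanner below is an added example, not code from the original post or from any vendor; the startup file names are AutoCAD's own, while the indicator patterns and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Files AutoCAD auto-loads at startup or per drawing (AutoCAD's names; treating them as the whole persistence surface is my assumption)
STARTUP_FILES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas"}

# Indicators built from the behaviour described above (script host, .pst harvesting, mail); constructed, tune before use
INDICATORS = {
    "script_host": re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I),
    "vbs_drop": re.compile(r"\.vbs\b", re.I),
    "startapp": re.compile(r"\(\s*startapp\b", re.I),
    "pst_files": re.compile(r"\.pst\b", re.I),
    "mail": re.compile(r"\b(smtp|cdo\.message|sendmail)\b", re.I),
}

def scan_file(path):
    # latin-1 never raises, so compiled .fas files are scanned as bytes-as-text
    with open(path, "r", encoding="latin-1") as f:
        text = f.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root):
    # Walk a project share; map each flagged startup file to its indicator names
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in STARTUP_FILES:
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Constructed samples: a benign per-drawing startup file and one carrying indicator
# strings only (not a working script); neither is real malware.
SAMPLES = {
    "projectA/acaddoc.lsp": '(defun c:hello () (princ "\\nLayer setup loaded") (princ))\n',
    "projectB/acaddoc.lsp": '(startapp "wscript.exe" (strcat tmp "\\\\update.vbs"))\n'
                            '(setq mailbox (findfile "outlook.pst"))\n',
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="latin-1") as f:
                f.write(body)
        return scan_tree(root)
```

Running `demo()` flags only `projectB/acaddoc.lsp`; a real sweep would pass the project share's root to `scan_tree` and compare each flagged file against a known-good copy.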
What are the lessons? Once again, antivirus and network firewalls didn't work. How can you protect yourself from this type of attack? Secure the servers that store the information; keeping malware out is a losing game.
For more on file security, you can read our blog post here.

