Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Swiss Spooks Warn Of Counter-Terrorism Intelligence Breach

Swiss government suspects insider may have stolen counter-terrorism information that had been shared with Switzerland by foreign governments, including Britain and the United States.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Authorities in Switzerland have warned U.S. intelligence officials that a senior IT technician working for a Swiss intelligence service may have compromised U.S. and British counter-terrorism operations.

In September, Swiss attorney general Michael Lauber and a senior prosecutor, Carolo Bulletti, held a press conference to disclose the alleged data theft, and said that they had a suspect in custody. "The intention was to sell the data to other countries," said Bulletti, but authorities didn't know whether that had happened.

Earlier this week, Reuters reported that unnamed European intelligence sources with knowledge of the investigation said that Swiss authorities still haven't ascertained whether the suspect sold the data. That led Swiss authorities to warn all intelligence agencies that share counter-terrorism information with Switzerland -- including the CIA and Britain's Secret Intelligence Service, or MI6 -- that the information may have been sold to foreign intelligence agencies or commercial buyers.

[ The downfall of CIA director David Patraeus has lawmakers focusing on email and online privacy protection. Read more at The Petraeus Affair: Surveillance State Stopper? ]

The suspect worked for the NDB, Switzerland's federal intelligence service, which is part of its defense ministry, for eight years. He reportedly had administrator-level rights to most of the spy agency's networks, including ones storing highly secret information, and became disgruntled after feeling that higher-level managers were ignoring his recommendations.

Reportedly, the quantity of breached data involves terabytes of secret information and was stolen when the suspect copied it onto a portable hard drive and walked out of government premises with the drive stored in a backpack. Swiss authorities arrested the suspect -- who under Swiss laws can't be named -- in May, and said they recovered numerous portable devices containing the surreptitiously copied intelligence data. Authorities were tipped off by Swiss bank UBS, which had traced an attempt to open a new, numbered bank account to the IT technician. The suspect has been released on bail while the related investigation continues.

According to the European intelligence sources, the employee began displaying some of the classic warning signs that precede insider attacks, such as manifesting a disgruntled attitude and regularly failing to show up for work. The signs, however, were apparently ignored.

The Swiss case is far from the first time that a disgruntled IT-savvy employee with access to sensitive information has been accused of stealing it. In 2009, for example, MI6 caught Daniel Houghton, one of its computer programmers, trying to sell cutting-edge email interception technology, as well as staff lists containing cell phone numbers and home addresses for MI6 and Britain's MI5 domestic intelligence service. Houghton had downloaded at least 7,000 files onto a secure digital memory card and offered it for sale to the Dutch intelligence service, or AIVD. Dutch officials tipped off MI6, who busted Houghton in a sting operation.

Arguably, that data breach could have been prevented if proper controls been in place to monitor for unusual network behavior, such as copying 7,000 files to a removable memory card. The same, of course, could be said for the NDB in Switzerland, or for that matter, the Department of Defense, which saw 251,000 sensitive diplomatic cables get leaked to WikiLeaks. The alleged perpetrator, Private First Class Bradley Manning, an intelligence analyst, allegedly copied the data onto rewritable CDs, which he stored in a Lady Gaga CD case. According to psychologists, Manning's superiors ignored obvious insider-attack warning signs indicated in his emotional and mental state.

Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
12/17/2012 | 4:00:17 PM
re: Swiss Spooks Warn Of Counter-Terrorism Intelligence Breach
That was a great article to read. Did HR take an responsibility for not noting the signs of a disgruntled employee, because if they had this operation could have never been jeopardized , at least not by that IT technician. The people mentioned in the article for past attacks all had access to sensitive data, and judging form how they caught this was obviously not there area of focus.

Paul Sprague
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16271
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
CVE-2020-16272
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
CVE-2020-8574
PUBLISHED: 2020-08-03
Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.
CVE-2020-8575
PUBLISHED: 2020-08-03
Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).
CVE-2020-12739
PUBLISHED: 2020-08-03
A vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. The vulnerability is due to improper design or implementation of the Ethernet communication modules of the CNC. An attack...