Diamonds are a hacker's best friend

Strategy
Diamonds are precious. But in most cases, a company’s “diamonds”, namely its business secrets, patents, customer data, source code and similarly important information, are of much higher value than the crystals occurring in nature.

A lot is invested in mining all these diamonds. Once they have been obtained, they must be adequately protected. Spectacular cases demonstrate the extensive preparation, the tools and the sheer creativity that criminals invest time and again to gain access to these valuable goods. Which precautions failed in these cases? And what do we learn from them in order to protect our own (company) diamonds sustainably, now and in the future?

The stakes are high. And most of the victims are caught off guard. Follow us into the world of expensive crystals and even more expensive company assets and gain new insights for your security strategies.

Diamond heists – a thing of the past? Far from it!

2015, London

A 35 kg drill was used to break entrance holes into the 50 cm concrete wall of the Hatton Garden Safe Deposit Company. The estimated value of the stolen jewellery was EUR 18.5 million.

2013, Cannes

A man dressed in dark clothes entered the Carlton Hotel on a Sunday at noon. He wore a baseball cap and his face was covered by a scarf. He rushed to the diamond exhibition taking place at the hotel, drew his pistol, put jewels worth more than EUR 100 million into several carry-alls and disappeared.

2007, Antwerp

A man assumed a false identity and won the trust of a bank's employees by visiting them for more than a year and bringing them chocolate. Nobody noticed that he studied every security-relevant detail during his visits, until he finally stole 24 kg (120,000 carats) of diamonds worth EUR 21 million.

2003, Antwerp

Diamonds worth an estimated EUR 100 to 400 million – the largest amount of jewels ever – were stolen from safe deposit boxes deemed impenetrable at the Antwerp Diamond Center. The heist was preceded by 27 months of preparation. Eighty percent of the global diamond trade is conducted in the area around the Diamond Center, where the streets are studded with surveillance cameras. Retractable road blocks prevent the passage of getaway cars. The nearest police station was 12 metres away from the entrance to the Diamond Center.

Inside the building, numerous video cameras were installed. The vault itself was locked by an extremely solid safe door with 100 million possible number combinations and a special key. On the outside of the vault door, a magnetic device triggered an alarm if the door was opened outside opening hours. Blowing up this door, which weighed three tonnes, would have required an amount of explosives likely to blow the entire building to pieces. Inside the vault itself, three different sensors responded to body heat, light and movement. Finally, every safe deposit box had flush-mounted doors and was secured with a code lock.

The security gaps

  1. The preparatory stage:
    The main perpetrator rented an office in the building. When the agreement was concluded, no information was collected about the lessee. He had unrestricted access to the building and to his safe deposit box at any time.
  2. The time of offence:
    During the night, and especially on the weekend in question, there were even fewer people in the building than usual.
  3. Gaps in the external security layer:
    The perpetrators were able to enter the building due to a lack of video surveillance at the back door and the easily obtained radio frequency of the entrance to the underground car park.
  4. Negligence:
    According to the investigators, it is quite likely that the operating staff regularly failed to reset the combination dial after locking the vault door.
  5. Routine:
    The main key of the vault door had to be screwed onto a shaft, thrust deep into the door and then unscrewed from the shaft again. It was, however, common practice to keep the shaft together with the key in a kind of broom closet.
  6. A few days before the heist, the gang managed to tamper with the two-part magnetic device reporting the opening of a door to the alarm centre monitored 24/7 without anyone noticing.
  7. The movement sensor, an infra-red source, was coated with a nearly invisible film of hairspray on the day before the robbery.
  8. The light sensor in the vault was blinded with several layers of adhesive tape during the heist.
  9. The infra-red sensor for body heat was shielded with a prepared styrofoam panel and a telescopic pole from the hardware store.
  10. The safe deposit boxes were opened by sheer force rather than with their key and code combinations.

Company diamonds at risk!

Why are companies valuable? Because they have created value and protect it on an ongoing basis. Their company diamonds come in the most varied forms: patents, product innovations, source code, business secrets and business plans, comprehensive production processes, databases with a wide range of (customer) data, assets and many more.

It takes many years, decades or even centuries to create all this. Nevertheless, it can be stolen or destroyed overnight, without perpetrators requiring physical access.

2017, worldwide

WannaCry and NotPetya – cyber attackers striking at off-peak times: WannaCry hit Europe on a Friday afternoon, while NotPetya was launched on the day before Ukraine’s national holiday. NotPetya essentially spread overnight, starting from an update of the Ukrainian tax software MeDoc that is used by everyone who has to pay taxes in Ukraine. The malware propagated in a uniquely sophisticated manner. As a result, several European and US multinationals were affected within a very short time, reporting losses in the three-digit million range and production downtimes.

But these losses could have been prevented. The attackers exploited vulnerabilities in outdated software, a faux pas from which many IT departments all over the world have since learned a lesson.

2015/16, Austria

23 December 2015 was a black day in the history of the aviation supplier FACC. It was the day on which an employee of the financial accounting department transferred the first EUR 13 million to cybercriminals. Using a fake e-mail address of the CEO, they pretended this was a highly confidential transaction for a corporate acquisition. The correspondence comprised some 40 e-mails to build up trust. When the transfers were noticed on 19 January, a total of EUR 50 million was gone.

In such a case, IT security engineering is powerless. It is the individual person who decides what to do, and in this case that person seems to have fallen for a “fake president fraud” that was very carefully prepared and executed to perfection. The tracks have been covered, and the money is likely lost forever.

2015, in 30 countries

Banks hold cash in custody. You would therefore expect a high-security infrastructure – not just in physical, but also in digital terms. So it was all the more surprising when cash dispensers suddenly started to dole out large quantities of banknotes and there was always someone around to collect them. Millions were transferred from one account to another. For two years, the systems of 100 banks all over the world were controlled by attackers. In total, they stole up to one billion dollars.

“Carbanak” was the name of the group that, according to media reports, hacked into bank user accounts using Trojans, gained access to the banks’ surveillance cameras and the employees’ master accounts, and was thus able to reprogram cash dispensers.

These incidents demonstrate what is possible today through detailed preparation and high-precision execution, without anyone having to show up in person at any of the attacked banks. And the target was again the supposedly high-security core business of major companies.

2013, USA

Yahoo has 3 billion users. All user accounts were hacked. The attackers gained access to names, e-mail addresses and telephone numbers. Additionally, the confirmation messages used to restore forgotten passwords were also stolen.

On its face, an attack of this scale against the core business of the Internet company seems absolutely impossible, and yet it became reality thanks to the perpetrators’ ingenuity. And it is not only the sheer volume of the stolen data that is hard to believe, but also how the attack came to light. The raid on one billion user accounts was confirmed by the company only in 2016. And it took another year for them to finally admit that not one, but three billion accounts were affected.

The striking parallels between the two worlds

  1. Strategy
    The attackers’ creativity knows no boundaries. There are manifold options to gain entrance.
  2. Resources
    Perpetrators take lots of time, even years, to prepare for the perfect plan.
  3. Details
    Perpetrators look for the tiniest gaps in supposedly high-security structures and exploit them.
  4. Experience
    The biggest attacks are carried out by highly professional groups.
  5. Timing
    The correct timing of the attacks is decisive for their success.
  6. Target
    The focus is on the weakest link, which is quite often the human factor.
  7. Nothing is left to chance.
  8. What’s gone is gone.