Back in my earliest days as a naval officer, when I was a midshipman, I received a series of briefings on ways that foreign intelligence agents might try to compromise me. Later in conversations with counter-intelligence officers of a three-letter agency, I learned more details on ways that government officials might be compromised—and also ways that business executives and journalists might be coerced into cooperating with foreign intelligence.
In many cases, the process went like this: The foreign intelligence agency would collect information on the person it wanted to compromise, put that together with other information, and then try to use that as a way to gain the confidence of the target or use the information for blackmail. The challenge has always been to collect enough reliable information to make such a scenario work.
But if the attack on the Starwood reservations database was indeed done at the hands of the Chinese Ministry of State Security, as the White House claims, and as other experts agree appears to be what happened, then it may be that they’ve hit the mother lode. Now all the Chinese need to do is to start analyzing all of those records to look for occurrences that might point to a weakness.
Stolen Data Can Show Travel, Hotel, Medical Records
For example, if their data analysis showed that I’ve traveled to Europe on a regular basis over a number of years, and that another person seems to have traveled to the same locations at the same times, then the intelligence agents could start paying closer attention to what I was doing, along with what the other person was doing.
They would know this because the Starwood breach yielded passport numbers as well as things like a history of hotel stays. They might also know that I’ve had access to classified information from the Office of Personnel Management database, and they could look at my medical records from the Anthem breach to see my marital status. Now they might have something to work with.
What happens next depends on what the foreign intelligence service is seeking. If they think that I’m a senior executive with a technology company, they might want a way to gain access to my company’s intellectual property. They might try to strike up a friendship or a more personal relationship, or they might simply try to bribe me. On the other hand, if I were a government employee, they might try to find embarrassing information as a way to blackmail me.
Because the same group of Chinese hackers, it appears, was behind the Starwood breach that also carried out the OPM breach and the Anthem breach, that means they have access to a vast amount of information that can be used to seed a massive data analysis project. By using all of that information, the Chinese Security Ministry has what it needs to compile profiles of a large number of senior people—some of whom might be targets for compromise.
Evidence That Starwood Breach Was Nation-Sponsored
Two things about the Starwood breach tend to support the fact that it was nation-state sponsored. First, the fact that they took passport numbers will provide a look into the travel habits of those people. Perhaps they feel that it might be easier to compromise someone while they’re traveling. Second, this information isn’t showing up for sale on underground markets; if it had been a simple data grab, the hackers would want to monetize their gains.
What this means to you is to expect an increase in phishing attacks that seem to benefit from surprisingly detailed information. Perhaps it’s a reference to somebody who says they were in Barcelona or San Jose at the same time you were there for a conference. It could be somebody who seems to have other detailed information about your health history or even your job. The goal is to gain your confidence so that you’ll click on one of those infamous links in an email.
But such advances could also appear as new contacts at conferences or even at the hotel bar while you’re traveling. Perhaps the same interesting person starts appearing from time to time while you’re having your pre-dinner martini in yet another city. A friendly conversation, even if nothing else transpires, can turn into a compromising photograph.
You’ll notice that I’m not giving you a long list of anti-malware procedures or ideas on how to train your staff to spot CEO fraud. The reason is that in today’s attack environment, the preferred approach is social engineering. What you really need to train your staff for is a seemingly personal approach, followed by an effort to compromise.
Bad Actor Needs to Gain the Target's Confidence
Only after the agency gains your confidence and knows that you’ll open their email will they take the next step. By that point you might not be able to take a step back.
It’s worth noting that just because you’re not a company with classified government information and you’re not a company with intellectual property that the bad guys might want to steal doesn’t mean you’re not a target. These intelligence agencies love to start with the little guys who have the one thing they want most—access to the next target down the line. They want your relationships with other companies or other people.
It’s all a long chain that starts with purloined data gathered in a breach from years ago, and chances are you’re not even the end of the chain—just a link between you and the next part. But with forewarning, you can be the link that fails to help them.