The head of the Yorkshire and Humber Regional Cyber Crime unit, Shelton Newsham, has told the press that they are seeing a spike in cyber-criminal attacks that are based on physical access methods. According to the police spokesman who detailed the threat during a recent SINET security event, cyber-crooks are planting “sleepers” in the cleaning companies who are bidding to provide their services to a company. These people are actually working for hackers, or hackers themselves, who pretend to be your average cleaners. Once hired, they wait for the right chance to go under the desk and plug something onto the computer, or even remove a disk from it.
The methods of infiltration aren’t exhausted in cleaning agencies though. The hackers are also looking to exploit painting companies, or decorating agencies, and anyone who has access to a building during out-of-hours. When planting a sleeper is difficult, the crooks are using the “good old” laced USB stick trick. This involves infecting a pen drive with malware, sticking an alluring note on it like “classified” or “boss payment”, and dropping it somewhere for the cleaning service staff to find it. As most of the cleaners don’t have any security training, and since they work when no one else is in the office, they are likely to plug the USB in a computer there just to check its contents.
Security experts suggest that companies should deploy more stringent building access rules, secure all systems with strong passwords and 2FA/2SV steps, set up their networks in layers, and even co-fund the training of the staff of their contractors. Also, the employees of a company should be more suspicious about who is wandering the firm’s premises and whether they are only doing what pertains to their duties. Cultivating this security culture in your firm is the best method to stay protected from the dangers of physical attacks.
S. Newsham has also added that the main problem in the field remains the communication of the authorities with the corporations, as well as the negligence of the latter. As he said, cyber-criminals are meeting on a daily basis to discuss their performance and set their objectives. Security teams on the other side may meet once a month, so it’s impossible for them to keep up with the defense requirements. When things go bad, corporations choose not to reach out to the Police fearing they will report them to the ICO (Information Commissioner's Office) which would bring even greater troubles upon them. As Newsham says, this is not the case, and hiding incidents from the Police is the wrong path to take.