It is a cold January day, a couple of days after New Year’s Eve. The first snow has fallen, and outside kids are throwing snowballs at each other and making snow angels. Their parents will be happy washing those wet clothes again! Mason switches his focus from watching the kids through his window to his computer. He’s scrolling through LinkedIn looking for something very specific.

January and February are great months for resolutions: New Year, New Job. Found it! The IT Engineer role at AeroSolid, a company specialized in aviation biofuel used in aircraft. Mason knows, without any doubt, that he qualifies for the job and searches for the contact details of their recruiter. Contacting a recruiter directly is usually a lot faster and skips those annoying online forms. On the company website he finds a listing of the company’s recruiters. First hit on LinkedIn. Gotcha! Luckily for Mason, recruiters often post their direct number on social media. It is their job to get in touch with possible candidates, obviously.

It is a few minutes before 5pm — Let’s give this a try.

— Hello?

Hello – This is Mason speaking. I’m looking for Rick from AeroSolid’s recruitment department?

— That’s me.

Great! Rick, how are you doing today?

— I’m having a bit of a cold, probably because of the weather, but apart from that I’m doing pretty good. Almost 5pm, so I can’t complain. Haha. How can I help you?

I saw the job opening for IT engineering, is it still open?

— Let me check. One moment…

Of course!

— Yes, it’s still open. The role is technical and you would be working with a multidisciplinary team on internal projects. Do you have specific questions I can answer?

Sounds great! I’ve read the job description online and would really like to apply. Can I send my resume over to you?

— That would be perfect. You can send it over to hr@aerosolid.corp. The listing is closing tomorrow, so I’ll make sure you make it to the process.

Thank you so much, Rick. Do you need anything else from my part, like a motivation letter?

— Your resume is fine for now.

Perfect! I’m looking forward to meeting you in person. Good luck with that cold of yours!

— Hah! Thanks Mason. Thank you for contacting me – we’ll be in touch.

So far, so good – he thinks, while emailing his resume to Rick. Let’s see where this goes.

The next day the phone rings. It’s Rick, telling him his resume is a great match and inviting Mason for an interview. See you next week! A small success, but no surprise for Mason. The resume was carefully crafted to match the job description. During his reconnaissance he found out that some of his future co-workers had posted online about participating in a technical firewall training. They also follow antivirus updates and like vendor-specific pages on LinkedIn. This information, available to anyone, Mason conveniently used in his resume. Of course, Mason knows a thing or two about technology. With a bit of preparation, he’s got this covered.

During the job interview he’s sitting across from Rick and a technical engineer, who challenges his technical knowledge. The engineer fires away lots of questions and use cases, but nothing is too difficult for Mason. He’s rocking his interview and cracks a few jokes before wrapping up. Mason is a very likeable and communicative person, which helps him mislead people with the information they want to hear.

Congratulations, you’ve got the job! Mason stays cool and accepts the job offer, but inside, adrenaline shoots through him. He’s in and ready to start next month. Welcome to the club!

The first few weeks run smoothly. He’s getting along with his co-workers and is responsible for monitoring network traffic and configuring firewall and network changes. In his department they are already calling him Mad Mason, because of the complex but very effective network designs he’s proposing. No way they are going for such drastic changes, they say. They are all having a laugh. It’s 12AM, which means lunchtime. The highlight of the day for some. Mason is wrapping up and tells his co-workers to go ahead. He’s pushing a small configuration change during the lunch break.

> configure
# set rulebase security rules outbound_allow from internal to internet source any destination 54.93.138.172 application any service application-default action allow
# set rulebase security rules inbound_allow from internet to internal source any destination any application [ web-browsing ssl ] service any action allow
# commit
# exit

No sweat, only one thing left to do.

He logs in to the antivirus portal to create an exclusion for SHA256 46e19e92ed662d506ca56fe2e05dbfadd31673cfaaa92ac00b52d4fee1b33119 and comments it with “false positive”.
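Both of Mason’s lunchtime changes are the kind a change-review step should catch: a firewall commit that allows any application outbound to a single external IP and anything from the internet to any internal host, and an antivirus exclusion justified only by the words “false positive”. The following audit script is an added example, not part of the original story or of any vendor product. It parses PAN-OS-style `set rulebase security rules ...` lines (the rule syntax, zone names `internal`/`internet`, and the ticket-reference pattern are assumptions) and flags the properties a reviewer would want to see before approving the commit or the exclusion. The sample commit text is constructed to mirror the rules in the story.

```python
"""Audit helpers for firewall rule commits and antivirus exclusions.

Added example (assumed PAN-OS-like syntax; not vendor code). Input below is
constructed to mirror the two rules Mason commits in the story.
"""
import re
from dataclasses import dataclass, field

# Constructed sample commit: the story's two rules plus one benign DNS rule.
COMMIT_LINES = """
# set rulebase security rules outbound_allow from internal to internet source any destination 54.93.138.172 application any service application-default action allow
# set rulebase security rules inbound_allow from internet to internal source any destination any application [ web-browsing ssl ] service any action allow
# set rulebase security rules dns_out from internal to internet source any destination 10.0.0.53 application dns service application-default action allow
"""

# SHA-256 quoted in the story, used here only as sample input for the exclusion check.
RAT_HASH = "46e19e92ed662d506ca56fe2e05dbfadd31673cfaaa92ac00b52d4fee1b33119"

# Keywords that introduce a field in the (assumed) rule syntax.
KEYWORDS = ("from", "to", "source", "destination", "application", "service", "action")
# Assumed ticket-reference format, e.g. SEC-1234; adjust to your tracker.
TICKET_RE = re.compile(r"\b[A-Z]{2,}-\d+\b")


@dataclass
class Rule:
    name: str
    fields: dict = field(default_factory=dict)   # keyword -> list of values


def parse_rule(line):
    """Parse one 'set rulebase security rules <name> k v [k v ...]' line.

    A leading '#' prompt is tolerated; bracketed multi-value lists are flattened.
    Returns None for lines that are not security-rule commands.
    """
    line = line.strip().lstrip("#").strip()
    m = re.match(r"set rulebase security rules (\S+)\s+(.*)", line)
    if not m:
        return None
    name, rest = m.group(1), m.group(2)
    tokens = rest.replace("[", " [ ").replace("]", " ] ").split()
    fields, key, vals = {}, None, []
    for tok in tokens:
        if tok in KEYWORDS:
            if key is not None:
                fields[key] = vals
            key, vals = tok, []
        elif tok not in ("[", "]"):
            vals.append(tok)
    if key is not None:
        fields[key] = vals
    return Rule(name, fields)


def audit_rule(rule):
    """Return the list of review findings for a single parsed rule."""
    f = rule.fields
    findings = []
    if f.get("action") != ["allow"]:
        return findings                       # deny/drop rules are not widened access
    inbound = f.get("from") == ["internet"]
    if inbound and f.get("destination") == ["any"]:
        findings.append("inbound allow from internet to any internal host")
    if f.get("application") == ["any"]:
        findings.append("application any: no protocol restriction")
    if f.get("service") == ["any"]:
        findings.append("service any: no port restriction")
    if (not inbound and f.get("application") == ["any"]
            and f.get("destination") not in (None, ["any"])):
        findings.append("outbound allow-all to one external IP: review as possible exfiltration path")
    return findings


def audit_commit(text):
    """Map rule name -> findings for every rule in a commit that has findings."""
    report = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


def audit_exclusion(sha256, comment):
    """Review an antivirus hash exclusion request: valid hash, traceable justification."""
    findings = []
    if not re.fullmatch(r"[0-9a-f]{64}", sha256.lower()):
        findings.append("value is not a SHA-256 hash")
    if not TICKET_RE.search(comment):
        findings.append("justification has no ticket or vendor-case reference")
    if comment.strip().lower() in ("false positive", "fp"):
        findings.append("justification is a bare 'false positive' with no sample or analysis reference")
    return findings


if __name__ == "__main__":
    for name, findings in audit_commit(COMMIT_LINES).items():
        print(name, "->", "; ".join(findings))
    print("exclusion ->", "; ".join(audit_exclusion(RAT_HASH, "false positive")))
```

Run against the constructed commit, `outbound_allow` and `inbound_allow` are reported while `dns_out` passes, and the bare “false positive” exclusion is flagged for lacking a traceable reason. In practice this kind of check sits in the change pipeline (or runs over the firewall’s commit audit log and the antivirus console’s exclusion log) so that a single administrator cannot silently widen access during a lunch break.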

His co-worker walks up behind Mason. What are you doing? I’m all done, he says as he locks his screen. Let’s get something to eat.

Later that day Mason asks his manager for a few minutes of his time and hands him a letter of resignation. I’m still in my probation period and unfortunately it isn’t going to work out, he explains. Thank you for the opportunity. His manager tries to convince him to stay and starts a discussion on how they can keep him, but eventually he accepts the resignation. Mason doesn’t look back when he leaves the office.

Back home he boots up his computer and drops an encrypted message on pastebin. After that, he grabs his burner phone from the drawer and sends a message to the only existing contact.

IT’S DONE.

Almost immediately a remote server starts mapping AeroSolid’s network from the inside. The encrypted message on pastebin contained information about the network, the organizational structure, admin credentials, persons of interest and the locations of high-value information. Looks like Mason had a hidden agenda while he worked there.

During his work routine, Mason carefully mapped the entire organization and network. He created bogus privileged accounts from a co-worker’s computer and used them to create flawed security policies in the network. He was able to whitelist the SHA256 hash of a Remote Access Trojan (RAT) in the antivirus to make sure they had persistent access to the network. They now have access to all corporate data, and AeroSolid has no idea what’s going on.

Mason’s accomplice continues the search, looking for R&D plans about the latest aviation biofuel developments. Found them! The carefully configured firewall policies allow them to download the files to a remote server that they control. JACKPOT.

The hacker is no rocket scientist (quite literally), so this information probably is not of much use to him. They were hired by a competitor to steal AeroSolid’s R&D data in order to stay ahead of the market. They have the upper hand – for now. The persistence in the network allows the hacker to exfiltrate new data whenever needed. But don’t forget, we only operate during business hours.

Mason is back home, looking through his window. He gets a message that $25,000 has been sent to his bitcoin address. So, why isn’t Mason worried this will be traced back to him… Mason dials his phone.

Hello — This is Robbert speaking. I’m looking for Amanda from DEF Systems’ recruitment department?

This is a work of fiction. Names, characters, businesses, places, events, locales, and incidents are either the products of the author’s imagination or used in a fictitious manner. Any resemblance to actual persons, living or dead, or actual events is purely coincidental.

Sven Mik
Author

What drives me the most is helping companies and individuals to the next step in their cyber security maturity level. This drive, my technical knowledge and my passion for cyber security are why customers often see me as a trusted advisor.