CINCINNATI — They possess valuable trade secrets that America’s enemies covet.
And it took the WCPO I-Team only a few minutes to find their photos, contact information and detailed work histories on classified projects. That makes Cincinnati companies more vulnerable to attack by hackers, spies and intellectual property thieves.
At the heart of the threat are social media platforms — including LinkedIn and Indeed.com — on which millions of Americans look for jobs, connect with colleagues and make new business contacts. These networking tools have been turned into weapons in the global quest for knowledge.
“The threat is real,” said Max Aulakh, the CEO of Miamisburg-based Ignyte Assurance Platform.
He is a cybersecurity consultant with a top-secret security clearance who said he is contacted regularly by people who set up fake LinkedIn accounts to hunt for secrets.
“I think we’ll see LinkedIn take a more proactive approach,” Aulakh said. “There are still so many fake profiles. I get hundreds of connections."
LinkedIn already devotes considerable resources to protect users of its website, said Greg Snapper, director of corporate communications for the professional networking site owned by Microsoft Corp.
“We use human review and technical review through automated systems to flag and review content," Snapper said. "We also work collaboratively with law enforcement. There’s a lot of different content in our help center and our safety center where people can learn how to keep themselves safe. And if they come across any fake profiles they can let us know about it. We can take action.”
Indeed.com did not respond to WCPO's inquiries.
How much is out there?
You might be surprised what you find by typing words like “top secret” and “Cincinnati” into social media search bars. Here are some highlights of what we found:
- A GE Aviation security manager with an “Active Top Secret/SCI Clearance” claimed to be in charge of “day-to-day operations for classified programs” including the “largest classified programs in GE with responsibility for over 2,000 cleared employees,” according to a resume WCPO downloaded from Indeed.com. This person handles internal investigations of possible security breaches and knows the “secured areas including intrusion detection systems, Department of Defense locks, access control” and more.
- A Senior Intelligence Operations Manager with the National Air and Space Intelligence Center at Wright-Patterson Air Force Base in Dayton provides the operating budget, number of personnel he supervised, the type of intelligence analysis performed, the number of reports produced, along with his photo, personal email and cell phone number on his LinkedIn profile and resume. In 2017, he was with the Joint Operations Command in Afghanistan, based in two cities he identifies by name, where he provided intelligence for "Special Forces missions." He also achieved "outstanding results leading to the successful elimination of 141 enemy combatants from the battlefield."
- A software engineer at Xetron Corp., a Northrop Grumman subsidiary in West Chester Township, boasted of “strong reverse engineering skills” in his LinkedIn bio, along with five “trade secret awards (classified equivalent of patents) for products or components that I have devised or co-devised and helped implement.”
Even help-wanted ads contain information that can tell a hacker what kind of software a company uses, enabling them to design malware that can exploit security weaknesses in those programs.
“Over disclosure is a major problem,” said Chris Huntington, chief information security officer for Nexigen, a Newport, Kentucky-based cybersecurity consultant. “If you’re trying to keep a secret and your employees are out there explaining what the major projects they did were and what technology platforms they used to do them, you’re basically opening up the door saying, ‘Hey have a look inside my environment and tell me where you think you’d attack.’”
Cincinnati companies are aware of the threat. In fact, GE Aviation implemented new social-media training procedures after a former engineer was approached by a Chinese intelligence officer on LinkedIn. That 2017 approach led to last October’s arrest of the intelligence officer, Yanjun Xu, on charges of attempted corporate espionage.
"We use advanced systems and internal processes to combat threats to our intellectual property," said GE Spokesman Perry Bradley. "We continually examine and improve our policies and procedures to address emerging threats, working closely with law enforcement and other government agencies.”
The Xu case prompted WCPO’s I-Team to explore how difficult it would be for spies to gain access to trade secrets from public online accounts. We easily found detailed work histories shared by Americans with secret or top-secret security clearances. Next, we pieced together a more complete picture of individuals, companies and their secrets using Facebook, company job postings, document dumps by Wikileaks and public government records.
We quickly built profiles on people in Cincinnati and across the country who appear to have the access and experience that could make them potential targets of spies working for nations hostile to the United States, China foremost among them. WCPO isn’t naming the people whose profiles we searched.
In comments to the Council on Foreign Relations in New York on April 26, FBI Director Christopher Wray said all 56 FBI field offices are conducting active investigations into economic espionage that “almost invariably lead back to China” and impact almost every industry sector.
“China has pioneered a societal approach to stealing innovation in any way it can, from a wide array of businesses, universities and organizations,” Wray said. “They’re doing it through Chinese intelligence services, through state-owned enterprises, through ostensibly private companies, through students and researchers and through a variety of actors working on behalf of China.”
Ohio Second District Congressman Brad Wenstrup said the Trump administration is “trying to come to grips with” this modern dilemma. As a member of the House Permanent Select Committee on Intelligence, which oversees the U.S. intelligence community and military, Wenstrup thinks the country has “a ways to go” before it finds the right balance between new technologies that promote global sharing and a national security system that requires secrecy.
“A lot of things that start out to be good get used in nefarious ways,” Wenstrup said. “The Wright brothers thought, ‘What a great idea to be able to get up and fly over like the birds.’ I don’t think they were thinking, ‘And then we can drop bombs on people, right?’ Unfortunately, there always seems to be evil and greed out there. There’s never been a shortage of evil and greed.”
‘Greatest gift to hackers’
Media reports and court records contain plenty of evidence that social media has been weaponized by hackers and spies.
The California-based cybersecurity firm Proofpoint documented multiple hacking attempts in which targets in the retail, entertainment and pharmacy industries were offered fake jobs on LinkedIn.
“In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment,” said a Proofpoint advisory in February. "In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies. These websites, however, host the malicious payloads.”
A former employee of the Central Intelligence Agency was convicted last summer of conspiring to sell state secrets to China. Court records indicate Kevin Mallory was behind on his mortgage when he was approached on LinkedIn by a Chinese headhunter in early 2017. The Leesburg, Virginia man now faces up to life in prison at a sentencing hearing scheduled for May 17.
Federal prosecutors argued Mallory “presented himself on social media in a way that would make it clear to foreign intelligence services” that he had been a member of the U.S. intelligence community. During an interview with a CIA investigator, Mallory admitted he wasn’t surprised Chinese intelligence officers targeted him after reading his LinkedIn profile.
“I was an intelligence officer,” Mallory told the CIA investigator. “Anybody who has a refined eye sees those kinds of things.”
There are plenty of refined eyes out there looking for information they can exploit, said Jason Straight, chief privacy officer for UnitedLex Corp., a New York-based cybersecurity firm that conducts “penetration testing” for clients. They pose as hackers to see if they can get employees to share sensitive information, and they use every personal detail they can find on LinkedIn, Facebook and other social media platforms to convince employees their requests are legitimate.
“I’ve never seen any organization that doesn’t have a significant number of people that are sharing more than they should be on LinkedIn,” Straight said. “Social media is the greatest gift to hackers since the invention of the Internet.”
Do’s and Don’ts
WCPO asked Straight to review LinkedIn posts at Xetron, whose Crescentville Road office employs engineers who work on government contracts. Xetron’s name was mentioned more than 400 times in documents describing work the company performed for the CIA, according to The Intercept, an online publication. These once-secret records were published on Wikileaks in 2017. It’s not clear how the documents were obtained, and Northrop Grumman hasn’t responded to WCPO’s inquiries.
Two years after the leak, Straight was surprised to see LinkedIn profiles in which local Xetron employees disclosed their security clearances and projects they’ve worked on, along with personal details about their education, hobbies and social connections.
“It’s not illegal to do that," Straight said. "But, boy, I would never put that on my LinkedIn page because now, you’ve given me everything I need to social engineer you.”
Social engineering means finding a way into a target’s trusted network, said Ty Braunwart, who also conducts penetration testing as part of his duties as a digital forensic engineer for Nexigen.
We asked Braunwart to demonstrate how it works by sending him 10 names of Cincinnati-area residents who hold security clearances, according to their LinkedIn profiles. Within a matter of minutes, Braunwart was able to find wedding photos, family videos, research papers, addresses and personal contact information on many of the names provided.
“So, this is a very interesting way in,” Braunwart said of one potential target, a GE Aviation engineer. “He has a profile on the Boy Scouts of America (website). So, we might pretend to be a troop leader trying to look for more information for my kid to get a certain badge … And then I send a thing that says, ‘Would you please review this document?’ And the document could have (software) attached to it that’s malicious. He might open it up on his company computer. If we gain access to that who knows what we’ll have access to.”
Of course, establishing a connection with a target is not the same thing as procuring secrets from that target, particularly one with a security clearance or training on how to avoid such entanglements. But the more targets a hacker finds, the more likely it is that security will be compromised, experts say. So, companies should beef up their social-media policies to guard against employees who share too much information.
“The best idea is to give people very general titles,” said Chris Huntington of Nexigen. “Have a social media policy that says exactly what they are and are not allowed to share, and have people do spot checks. Most companies will put a social media policy out there but not actually enforce it. It takes manpower. It takes effort.”
Braunwart said he looks for grammatical errors or spelling quirks that aren't typical in the U.S., such as "colour" or "recognise," to evaluate whether an email is legitimate.
A U.S. Army policy on social media sharing said users should consider not revealing their security clearance on profile pages and be cautious about accepting connections from people they don't know.
Straight said he accepts connections that relate to his industry but aren’t confined to people that work for his clients. That makes it more difficult for hackers to determine who his clients are.
“People blindly accept connection requests,” he said. “If someone doesn’t have a nexus to your profession and it’s not someone you know personally or know someone who can vouch for them, I don’t really see the point of being connected with them.”