
[Music]

Good morning, everyone. Um, thank you so much for coming to my talk. My name is Kito. Um, in my day job I get to hunt and sometimes take down some scammers and some other adversaries. In my personal time I like to read about and research on various topics such as, oh, including espionage, which is what I wanted to talk to you guys about today. Um, so I built this presentation in Canva, and since we have AI and everything now, I asked it to generate a graphic for me of a person spying on an organization, quote unquote, and this is what we came up with. I think it's pretty accurate. She looks like an insider threat you would never see
coming.

So, a little bit about me. Um, I am a consultant at Rich of cyber security. I've been there for almost 2 years now. Um, I work within the cyber intelligence practice. I enjoy exploring topics such as psychology, law and human behavior, and I'm an investigator and a researcher at heart, which sometimes means I tend to snoop on people and things, but it's fine. Um, it's part of my job, I get paid for it, it's legal, I think.

Um, I wanted to start with defining what espionage is, and basically it's a very fancy way to say spying, and when you're spying you are essentially aiming to obtain confidential information without the permission of the holder of
that information, and this information could then be used to gain a strategic, a political, a military or other advantage over the person that you're spying on or the entity that you're spying on. Espionage can come in a variety of forms. Some examples include HUMINT, human intelligence, that involves using human agents to gather information from other agents; um, SIGINT, signals intelligence, that involves, um, intercepting signals or communications over emails, phone calls or radio communications and so forth; um, OSINT, open source intelligence, that involves gathering information from publicly available sources such as websites, social media, um, and so forth; cyber espionage, this involves gathering or actively hacking into a computer system or a network to gather
information in that way; as well as surveillance, which means actively monitoring an individual or a group of people to gather information from that, from them in that way.

So one might argue that, whether as a large corporation or a small business, it is important to have information about other businesses or other companies in your industry, because this knowledge is crucial to help you, um, make informed decisions and maintain a competitive edge within your industry, and that's 100% correct, and that is where private intelligence comes in, or competitive intelligence. It is sometimes referred to as market research, and it involves legally gathering, um, it involves legally gathering information within the confines of the law, um, which means using
publicly available information or information that you, um, obtained through lawful means. There are also various legal and ethical standards that can help you uphold the law in this case, to make sure that you don't cross any boundaries. Um, these include the Consumer Protections Act as well as the South African Marketing and Research Association, which lays out various regulations that you can follow when doing, um, market research.

In terms of espionage, there are also various legal frameworks that exist. In South Africa we have several laws and legislations that govern the legality of espionage activities. These include the Protection of Information Act of 1982, the Protection of Personal Information Act, POPI Act, that we hear about every
single day these days, um, as well as the Cybercrimes Act. Um, these govern the legalities of what kind of information is legal to have and what kind of information is not legal to have, and how you can use that information. Internationally, we have laws such as the Economic Espionage Act of the USA, we have the trade secret, der-, derivatives in the EU, as well as the Computer Fraud and Abuse Act in the USA as well. Um, but who cares, it's just the law, it's just the formality.

So, a bit of statistics. Um, according to PwC, a study that they did, 94% of all cyber attacks were for the purposes of trade secret theft, and this
was in some very specific industries, so industries such as manufacturing, ICT, finance and insurance, and health and medical technology, um, and more specifically if they were focused on research and development activities. It was identified that these were, um, the sectors that were mostly targeted with cyber crime, and specifically for the purposes of stealing trade secrets. Sorry, is this, um, this is internationally. Um, around 85% of all espionage cases are also committed by employees, so insider threats, or insiders rather, are in the best position to commit espionage activities because they have access to most if not all the information of your company, and at various levels the risks associated with each individual increases. For example,
someone in a C-level position would have access to much more sensitive information than someone who maybe just joined, um, the company or is an intern.

So, wanted to look at some benefits and risks of cyber espionage. There honestly would not be any espionage activities if there weren't any benefits associated with them. Um, so firstly, you gain a com-, uh, an advantage. Um, you get to have a competitive advantage over your competitors, over your rivals in the industry, and it gives you a better chance of identifying potential threats early and mitigating various risks, and it gives you an opportunity to improve on your product in ways that maybe your own R&D teams maybe would not have been
able to identify. On the financial side of things, you get to save on a lot of costs, because R&D is very expensive, and if you can get someone else to do it for you then that's great, you just have to build on whatever research they had, and with that you get to increase your market share. Um, in terms of the risks, um, if you get caught, um, stealing or, um, involved in espionage activities, you get, um, you tend to, if you get caught, um, stealing or involved in espionage activities, um, that can cause a damage to your brand, and in turn it causes a loss of trust between yourself and your customers, your clients, as well as your peers in the industry,
and on the legal side of things there will definitely be criminal charges placed against you and lawsuits that are filed against you.

So I wanted to start with the question of how exactly do you spy. So I'm going to go through some various examples, and I wanted to start with some lower-stakes activities that, what could, one could undertake if you wanted to get into the business of espionage. Um, you could consider these just on the verge of legal, but like, you could still do them. So firstly, um, you pose as a recruiter on LinkedIn. So it's very easy to make a LinkedIn profile, um, it's very easy to say that you work at a specific
company, um, ask for very specific people with specific skill sets, um, and specific degrees or whatever, and when you interview them you ask them specific questions: um, how is it in your role at the company that you work for, um, what do you do, what do you think you could improve, and things like that. You ask very leading questions, and in an interview with people who want to get the job, they will be very willing to answer the questions that you ask. Secondly, hypothetically, you could buy shares for a publicly listed company and you start attending their shareholder meetings. Um, in shareholder meetings various sensitive information is being discussed in there. You can find out about new product rollouts, you find
out about challenges that they're facing, anything new, um, you find out about the structure of the organization. There's so much you can find out in meetings that organizations hold. Thirdly, hypothetically, you could go into a rival store pretending to be a customer and just ask questions. Especially with small businesses, um, small business owners are very, very willing to answer questions about their products, so if you ask, oh, how did you do this, what do you think you're going to do next, you know, what do you put in this, you know, what's your formula, things like that, they would be very willing to answer, um, the questions that you have, and you can gather, um, a lot of
information in that sense, especially from a small business perspective. And another one, um, lastly, you could purchase a rival brand's product and reverse engineer it, so figure out how they built it, what kind of glue did they use, what did they use that made it so strong, and you can build your own product from there.

So I drew a red line at the bottom of the slide because we're about to head into some not so legal territory. Um, so I wanted to speak about some examples of how actual espionage activities have occurred in the industry across the globe. Firstly, one thing you could do, if I was a large company or large organization, you hire a third party. Nobody likes to
do the dirty work, so you pay someone else to do it. Let's make an example through a case, um, from the early 2000s between Procter & Gamble, P&G, and Unilever. So P&G and Unilever at the time, they were rivals in the, uh, consumer goods industry, specifically in hair care products, and at the time P&G was manufacturing brands such as Head & Shoulders and Pantene. Um, Unilever was manufacturing brands such as, um, Organics and Sunsilk. So P&G wanted to gain a competitive advantage over, um, Unilever, and to do that they undertook a covert operation in order to gain some information about Unilever's shampoo business. So in 2001 P&G hired a general contractor, and this general contractor
in turn hired a group of people, um, who were said supposedly to be ex-US, um, agents, um, US spies, or allegedly, um, and these people were then tasked to obtain crucial information from Unilever's brand and the products that they were making. So the operatives were part, who were part of the, um, of the operation, they engaged in activities such as dumpster diving. They also pretended to be journalists and market researchers and so forth in order to help, um, to find out information from Unilever employees about how they were making their product and how work was and everything like that. So apparently this operation was very, very successful, and before they got caught P&G managed to gather a treasure trove of
information from Unilever, going from, um, their pricing, the profit margins and new product rollouts. The way that P&G got caught is that a couple of the operatives were caught dumpster diving and trespassing on Unilever's, um, property, um, and then an investigation was then started and the people were then linked back to P&G. Uh, long story short, P&G admitted to the espionage. Well, they have admitted, they said that, yeah, we hired a company, we didn't know what they're doing, obviously these things don't correspond with our company policy, um, but yeah, it's fine. At the end of the day the two companies agreed to a settlement, and P&G had to pay Unilever a certain amount, and
there were also certain limitations that were placed on P&G, including them not being allowed to roll out any new products for a certain number of years, um, after the incident.

So let's say you don't want to hire a third party. What else would you do if you were a large conglomerate or even a small business, what else could you do? You become an employee, or you look for someone who's already on the inside. So I wanted to speak about Dr. Shannon You, PhD, who was a former principal engineer for Coca-Cola between 2012 and 2017, um, and essentially this woman wanted to sell $120 million worth of Coca-Cola trade secrets to whoever was willing to pay. So as the principal engineer, um, Dr.
Shannon You was responsible for, um, looking after the formulas for Coca-Cola's BPA-free lining for their cans that they did, and BPA-free linings were important because at the time BPA had been linked to various medical defects such as, um, you know, cancer, um, cholesterol, diabetes and so forth, so it was important that, um, companies started removing BPA from their products. So these formulas were a very closely guarded secret, and she had them on her hard drive. So, um, it was observed that Dr. Shannon, uh, Dr. Shannon was frequently going back and forth to China to interview for a program called the Thousand Talents program that is run by the Chinese government. Unrelated, maybe. Um, the man who was helping her with the
application was Mr. Liu, and he was a chief executive off-, uh, chief engineer for a company called the Weihai Jinhong Group, and this company was, ironically or coincidentally, also looking to get into the business of making linings for cans. It was discovered also, maybe coincidentally, that she and Mr. Liu were also planning on starting their own company together, where she had agreed to sign on as the chief technical officer and assist with research and development, um, activities. Um, this man, through communications after the investigation, it was found that he had told her to stay at Coca-Cola for some time, keep gathering information while we build, um, our business on the side, and ultimately investigators found that her
goal had been to make as much money as possible, as much money as she could, from sharing the information that she had. Um, it was, um, also discovered that the Weihai Jinhong Group had also received a cash injection from the Chinese government, um, which maybe is also still a coincidence. Um, it was also discovered that she had won the, uh, sponsorship from the Chinese, um, from the Chinese Thousand Talents group, maybe also a coincidence. Um, but an investigation through Coca-Cola ended up identifying her as, uh, someone partaking in espionage activities, so she didn't really get the chance to share the information that she had, but it's the fact that she took it and she did intend
to give the information away to the highest bidder, essentially.

So fine, you don't want to plant someone on the inside, that's fine. What else can you do? You can plant spyware. Um, we all know about the NSO Group's, um, Pegas-, uh, Pegasus software, um, and how it was originally created to surveil criminals and terrorists, but in practice, more often than not, we see it being used to spy on individuals such as government officials, activists, journalists and so forth. Um, if you remember as well, late last year Operation Triangulation was discovered, um, which was a spyware that had been delivered to Apple iOS devices and was being used to spy on government officials and other important, um,
individuals. So another example that I wanted to give on this was a case from 2019 that happened between Uber, that we all know, and an Australian rideshare company called GoCatch. In 2019 reports started surfacing that a rogue Uber employee had deployed a spyware called Surfcam, um, to gain a competitive advantage over the Australian rideshare. So Surfcam was developed in 2015, and it was discovered that it was being used to monitor GoCatch drivers in real time, monitoring meaning it would find out their route data, um, it would also capture information such as their names, their registration numbers and contact numbers. Uber would then use this information to essentially poach GoCatch
drivers, so they'd use their contact details to call them, make them a better offer and then poach them. Um, the court case for this actually happened in April this year, in 2024, and in the court filings that GoCatch submitted, they actually submitted emails that they identified, um, from David Rohrsheim, who was the general manager of Uber at the time, and within the emails you could actively see Uber actually plotting against GoCatch. He was using words such as, I want to crush them, you know, we need to be the number one in Australia, we've already dominated the American market and now we need to dominate this market. Eventually Uber admitted that they did develop Surfcam, however it denied that
it wasn't used in the way that people will say it was being used, and yeah, we, we believed them. Companies never lie.

So cool, you don't want to plant someone on the inside, you don't want to just, uh, deploy spyware, maybe that's too much work. What else can you do? Let's talk about Huawei for a moment. Um, many of us were pretty upset, probably, when Huawei was banned from using Google services on their devices. I know I was. I had a P20 at the time, and, um, at the time I was very hellbent on staying with Huawei for the rest of my life, 'cause it's a good phone, um, but yeah, that couldn't happen. Um, it was at the time when the
USA was worried that China was using Huawei devices to spy on its citizens, and that's a whole other rabbit hole to go to, maybe we'll speak about it at a later stage. Um, but back to Huawei, there are two separate incidents that I wanted to discuss, um, where Huawei had actually been caught spying to gain a competitive advantage over its competitor, over its rival. The first one involves Huawei and a Canadian telecoms company called Nortel. So in 2014 it was discovered that Nortel's systems had been invaded by a threat actor traced back to China for at least 10 years. So these people were in the systems for at least 10 years. The hack had resulted in the exfiltration of
hundreds of sensitive information. These people had also acquired, um, sensitive credentials of executives, including those of the CEO. Later on it was discovered that listening devices had also been placed in Nortel's, um, research and development complex. Nortel security personnel also reported various incidences where people had purchased the product and then brought it back, and it looked like it had been pulled apart and reverse engineered. Sources also discovered that there had been mile way malware that was planted on the CEO's cell phone that was recording every single call that they made. This hack was then later traced back to Huawei definitively. Huawei had used this information to better their product and essentially gain a competitive advantage
over Nortel in Canada. Although Nortel had already been facing financial issues at the time, it is said that the hack could have been the reason why Nortel fell off, it could have been the nail in the coffin. In the end Huawei grew and Nortel faded into oblivion. Eventually they went bankrupt. Now apparently on, um, on the wall of fame that is on Huawei's, in Huawei's Shenzhen campus in China, you can see various former employees from Nortel hung on the wall, associated with really, really great technological accomplishments. Could be a coincidence, maybe not.

Another instance that I wanted to talk about where Huawei was caught is an instance from 2019 in Denmark. So on the 5th of March
2019 in Denmark a meeting was supposed to happen where TDC, which is Denmark's telecommunications, was supposed to announce the decision that they made for who they were, the company that they were going with to help them move or take the leap into a 5G wireless network. The bids were between two companies, Huawei Technology and a Swedish company called Ericsson. Obviously both companies wanted to win, um, but at the time Huawei winning would have held much more symbolic value, because 2019 was a time when governments in the West, specifically USA, were heeding, um, governments in the EU from working with Chinese companies such as Huawei. It was still around the time when, um, the USA was thinking that Huawei was
hacking into the, into, um, or Huawei was stealing information of USA citizens. So the meeting was supposed to happen on the 5th of March 2019, and at 2:52 a.m. on that morning, for some reason, Huawei decided to make a last-minute emergency bid. The bid undercut Ericsson's by just enough for them to not lose too much money but to also be favorable to TDC. So this was funny, because weeks earlier Huawei had said that the bid that they had already made was their last and final offer, we're not changing, we're not moving, and it was also funny because how could they undercut Ericsson if competitors weren't supposed to know about each other's bids? So this prompted
an investigation by TDC. The investigation ultimately revealed that TDC's boardrooms had been bugged, there were listening devices placed, and one of TDC's directors had been paid off to pass off various information about their competitors' bids. During the investigation several TDC employees also reported that they had been followed by drones and been tailed around the city by cars, and ultimately it was discovered that Huawei had been behind all of these activities. It's safe to say that they did not win the bid.

So what's next, what else could you do? What if I am not a small business, I am not a large conglomerate, what else is it that I can do? I can be one of the world's largest
economies. So we all have heard about the USA spying on everybody. Um, I think at this point everyone expects that there are American spies stationed in some very important spaces everywhere across the world, um, the CIA as we know it, the elusive ones. Um, I've also, um, I have also discussed at least two examples today of espionage that involved meddling by the Chinese government. So while discussing the story on Coca-Cola, um, I mentioned that Dr. Shannon You was interviewing for the Thousand Talents program in China, which she won, by the way, before she got arrested. I don't think she still has it. Um, many people have speculated that the Thousand Talents program is not
a farce but mainly aims to attract foreign experts to bring knowledge and technology back to China. This sometimes involves the theft of trade secrets and intellectual property. Participants in these programs, including scientists and researchers and, um, may be required to share technological advancements with China, sometimes breaking laws and export control regulations. Granted, these are allegations that are made mainly by the USA, they seem to have a thing going on between the two. Um, there's literally a page on the FBI website that's called the China Threat that details how this program could harm the USA, but we know that at least on one occasion these allegations would have been considered true, as discussed earlier. I mean, has
anyone else ever wondered why almost overnight there are so many Chinese EVs on our roads? Just me? Okay, cool.

Um, Russia. I know Russia is not in the top 10 economies of the world at the moment, I think it's number 11, um, last I checked, but it is considered a very big player in this never-ending game of espionage between countries. It's like a Monopoly, it never ends, maybe that's why it's called a Monopoly. It has been alleged, um, alleged, alleged, according to intelligence agencies, again in the USA, 'cause they're so paranoid, um, that Russia had intervened in the 2016 elections between Hillary Clinton and Donald Trump. Um, several individuals were also arrested with regards to this. I don't
know whether or not the charges that were placed, forced against them were true or not, but I'm still going to say alleged. Um, Russia allegedly leveraged social media propaganda, they hacked into Clint-, uh, Hillary Clinton's emails as well and leaked the emails, all in an attempt to establish connections with Trump's campaign. Russia also has a lot of well-known APTs, such as APT28, known as Fancy Bear, and APT29, known as Cozy Bear, and these have been implicated in various high-profile cyber attacks that resulted in information warfare and cyber espionage. Russia has also been observed infiltrating emerging markets and regional powers including Europe, Africa, Asia and Latin America. That's pretty much the whole world.

Having said all of that, I wanted to pose
the question: should you have a private intelligence or counterintelligence unit in your organizations? This can be beneficial, especially if your organization is within an industry with high-value intellectual property, sensitive data or strategic information. However, there are various factors that you can consider when deciding this. Um, is it feasible? Um, think about your organization size, are you large enough to have a unit like that? Um, costing, do you have the resources to have a unit like that? And is it possible, would you really be able to notice if an employee of yours sold information? I don't think so, maybe. And could you tell if people were doing interviews elsewhere? I think people are free to want to change jobs and so forth,
so could you really tell if someone was maybe doing an interview with someone who wanted to spy on your organization, and could that be considered micromanaging, if you're asking everyone where you're going, what's on your laptop, did you do that interview, and so forth? So it boils down, um, to whether you can afford it and whether you think the information that you have is important enough that someone would go to the length discussed in this presentation to get it. For countries, however, having a robust counterintelligence, um, having robust counterintelligence, um, capabilities is crucial for national security, it is crucial, it's crucial for economic stability as well, and safeguarding the sensitive information of the country and
the citizens within, so I'll leave that decision to you guys. With that, which as we, sorry, with that being said, I wanted to end off with a quote by an author that we all know, Sun Tzu, and it says that the opportunity of defeating the enemy is provided by the enemy himself, which as we discussed, it's obviously through spying. Um, thank you so much, everyone, for coming to my talk.
Um, any questions? Awesome. Oh, yes.

So in your research, have you been, some of the online marketplaces, are given some thoughts to some of the online marketplaces, Shein, Temu?

Yes, yes, definitely. There have been so many, um, reports that have come out. Um, places like Shein, Temu have been actually involved in exfiltrating data. Um, it's important to note, when you sign up to thing-, I know everyone says this when they're doing cyber security talks, it's important to note when you sign up to things, what are they asking permission for, because sometimes we inadvertently do give out this information and then we're like, oh, they were spying on us, but it's information that we gave permission
to them to have. So there is a lot of information that is being shared around everywhere, but yes, definitely, um, those have been implicated in a lot of scandals recently. Yes, thank you. Uh, any more questions? Yes.

Yeah, a question on specifically when it comes to changing these privacy terms, thank you, specifically when it comes to changing these terms and conditions associated with privacy policies. We're seeing, like, these, um, cases very recently where large organizations, um, would amend their privacy policy in a way to maybe support an internal prerogative of developing, uh, models to, to, uh, compete in that race, or in other, in other cases comp-, uh, uh, achieve a competitive advantage, specifically when it comes to a trade
war or the like. What, what other examples have you seen that, that would be particularly interesting, of, of organizations really changing those terms and conditions maliciously or, uh, within the, within the bounds of, of the law, but still in a gray, gray way?

Um, I wouldn't say in terms of changing privacy policies, but a very big example that I saw of organizations playing within the bounds of the law is using competitive intelligence firms. So if you just Google competitive intelligence firms, there are so many, and these people offer the service to companies of saying, we'll gather all the information for you, you just need to pay us, and you don't know when you sign up for that what
length they go to to gather that information, but they say it's through publicly, um, accessible information. But we all know that there are people such as access brokers and, um, information brokers, data brokers, that have this information that they get it from, but I think it's just that pipeline to see, to say, um, you might be doing the right thing, but is the person that you're doing it with doing the right thing? The next person might also be doing the right thing, but where do they get their data from, and are they doing the right thing? So this is very, like, various examples in that case, yeah. So thank you. Any more
questions?

Thank you. Um, I'd like to know, um, what tools do you use when you conduct investigations, and also, what's your favorite, um, type of intelligence to conduct investigations?

Google. You always start with Google and you go from there. Um, there are other proprietary tools I use, um, OSINT tools, Maltego and so forth, um, but my favorite type of investigation to do is a criminal investigation. I've always said that I wanted to end up in Interpol somewhere, so looking for, um, actual criminals and investigating them and getting to find them ultimately is very fulfilling to me. Um, but yeah, always start at Google, it gives you so much information and then you just go from
there. Thank you.

Thank you. Um, hello, hi, hi. Um, I wanted to ask, uh, you know that regulator who, um, regulates the anti-competitive practices of companies, are they also aware of these things that could happen in companies, and are they, um, maybe trying to help companies or giving them guidelines to track the stuff?

Um, um, to an extent. Um, so they mostly regulate for the companies doing market research, and in their space they regulate publicly available market research. They generally would be aware of people doing espionage activities, and which I guess that's why they would be there, to make sure that the people that they work with don't cross any legal bounds to do that. Um, but in terms of
regulating the law, I think that's out of their scope. Um, it's like the police's job and intelligence, um, organization job to regulate those kinds of things. Thank you.

Thank you. Uh, any more questions? Cool. Um, thank you so much, guys, for coming to my talk. I hope you enjoy the rest of your day. Thank you.