The Client: The Galactic Empire


The situation: Security researchers at Check Point have attributed an attack on the client to a hacking group calling itself the “Rebel Alliance.” Researchers have identified the motive driving the attack was to exfiltrate the Empire’s intellectual property, specifically a file named “Stardust” containing the plans for a large weapons station or “Death Star.” This incident was consistent with a complex attack method which included data leakage by an insider, an exploit our researchers named DroidChanger targeting vulnerabilities in Internet of Droids or IoD devices, compromised physical security and insufficient access control over networks, documents and devices. Forensic analysis revealed the attack was executed through the theft of removable backup storage media (a data-at-rest data loss), followed by the attacker’s exfiltration of data across an air-gap network using an Empire RF transmission facility on site.




Logs reveal the cyber-attack started with an insider sending a file containing a hologram that leaked information about a design defect in the client’s weapons station. The attack could have been prevented at the beginning if the client had deployed Check Point software blades for Intrusion Prevention, and Data-Loss Prevention as well as restricting access to the hologram file using Check Point Capsule. When Check Point’s incident response team activated SandBlast Advanced Threat Prevention, our researchers found the Empire’s network was infected with bots that contained an exploit targeting a vulnerability in the enforcer droid operating system. The exploit gave attackers elevated privileges, which let them reprogram enforcer droids. SandBlast’s Anti-Bot feature blocked the bots from communicating with their C&C server preventing further infection of enforcer droids. Logs showed that before enabling SandBlast, one enforcer droid designated K-2SO was affected by the exploit and reprogrammed by the attackers. The reprogrammed enforcer droid enabled the attackers to bypass physical security and enter the client’s storage facility for backup tapes.


Because the client recognized the sensitive nature of the information stored in the facility, they had deployed air-gap security, meaning data had to be manually transferred from storage to an RF transmission system. In addition, the client employed an RF blocking device to further prevent data exfiltration, a data-in-motion data loss. Unfortunately, the client deployed the RF transmission facility and shield without user-access control leaving the facility open to a severe data-loss incident despite air-gap security.



As stated earlier, the client should immediately deploy Check Point Intrusion Prevention, Data Loss Prevention and SandBlast zero-day threat prevention to protect network assets. The client should immediately deploy Mobile Threat Prevention to protect droids against exploits. Enforcer Droids should be patched to fix the vulnerability. However since they are running the Android OS, it is uncertain when patches will be available so virtual patching is recommended. In addition, the client should create firewall rules controlling user access to critical network devices like the RF transmitter and shield. The client should also institute document access control using Check Point Capsule to prevent the exposure of files physically stolen from backup and other storage facilities.


Going beyond this data loss incident, our researchers found the client’s star destroyers’ and planet-based IT networks still used default passwords supplied by galactic defense contractors. This would make it it easy for droids controlled by threat actors to initiate brute force attacks to find passwords for the client’s IT and operating technology (OT) networks.  We recommend changing all of the client’s default network passwords to passwords more difficult to guess including upper case, lower case, numbers and special characters.  In addition, we recommend the client adds other authentication factors such as RFID cards and possibly biometric sensors which would prevent droids from entering networks to steal data and take over ICS systems controlling everything from security doors to trash compacting units.


We also recommend the client segments their network. For example, put physical systems like life support and door activators on one network sector, weapons control on another network, and personnel and security information on another network, protecting each sector with its own security controls under Check Point’s R80 unified security management platform.