Industrial Espionage Worm Steals AutoCAD Designs, Sends to China
From: PC Magazine
Picture this. Over the last few months your company’s engineers used AutoCAD to design a brand-new revolutionary device. You go to patent the final design… and find that someone in China already patented it. This cloak and dagger scenario is very real, according to researchers at ESET. A worm they’re calling ACAD/Medre.A exists specifically to steal AutoCAD designs and send them to its masters in China. Worse, their analysis shows that it has already stolen tens of thousands of designs.
According to ESET Senior Research Fellow Righard Zwienenberg, ESET identified dozens of email accounts with Chinese ISPs that served as data drops for ACAD/Medre. Working with the ISPs, Autodesk, and the Chinese government, ESET managed to get those accounts shut down, but the damage was already done.
“ACAD/Medre.A represents a serious case of suspected industrial espionage,” said Zwienenberg. “Every new design is sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production.” He went on to observe, “They may even have the guts to apply for patents on the product before the inventor has registered it at the patent office.”
Almost all of the infections occurred in Peru, with just a handful in other countries, mostly other Latin American countries. This led ESET’s researchers to speculate that “malware disguised as AutoCAD files may have been distributed to companies that were conducting business with public services in Peru,” and that Peru was indeed the primary target.
A blog post by Zwienenberg goes into great detail on just how ACAD/Medre.A accomplished its thefts. It’s actually less complex than many. It replaces an AutoCAD startup file and runs Visual Basic scripts to steal any AutoCAD design that’s opened. Open your latest secret project and boom! Some young guy in China gets a copy.
Protect Your Property
With the receiving accounts shut down and the threat itself identified, this particular threat is no longer a danger. But what about the next threat? Enterprise-level companies have IT security experts on staff to lock down the system against suspicious network traffic. The minute those emails to China showed up, the alarm bells would have started ringing.
If your small startup can’t afford that level of sophisticated protection, consider an “air gap” for your most sensitive work. Put those systems on a network that isn’t connected to the Internet at all. That technique almost worked to protect Iran’s nuclear centrifuges from Stuxnet; the threat only got through because a technician plugged in an infected USB drive. Yes, it’ll be awkward, but consider how awkward you’ll feel when you see your design on sale by another company.