What happened with the recent Apple data breach?
Former Apple engineer, Xiaolang Zhang, recently pleaded guilty to stealing sensitive trade secrets from Apple. Upon quitting his job at Apple, he told his supervisor that he was set to join Guangzhou Xiaopeng Motors Technology, a Chinese electric vehicle startup also known as XPeng.
Zhang worked on the Compute team of Apple’s secretive self-driving car project, which designed and tested highly specialized circuit boards for sensors. The schematics for these components are regarded as the highest tier of trade secrets in the tech industry, especially in the self-driving car segment, which has already seen several high-profile lawsuits over rogue employees taking sensitive IP to competitors.
Apple determined that Zhang had transferred around 24GB of “highly problematic” data related to Apple’s car project to his wife’s laptop via AirDrop, including:
- A 25-page document with engineering schematics of a circuit board for an autonomous vehicle
- Reference manuals and other PDFs describing Apple’s prototypes and prototype requirements
Furthermore, CCTV footage showed Zhang physically removing circuit boards and a Linux server from Apple’s autonomous vehicle lab.
Why it’s difficult to prevent these types of data breaches:
From WeChat and Signal to AirDrop, it’s difficult to keep up with the plethora of new apps and features employees use to communicate and share data every year. AirDrop is a newer file-sharing technology whose popularity has grown steadily since Apple introduced it in 2013. Modern egress vectors like AirDrop must be matched with modern security tools. While traditional security tools can monitor AirDrop via application monitoring, they require a policy to be created manually for this newer application, and many of them cannot block AirDrop at the point of exfiltration.
Another newer vector for data exfiltration is encrypted mobile messaging apps. Seemingly everyone uses a messaging app to chat with friends nowadays, so it’s no surprise that WeChat and WhatsApp have emerged as common exfiltration vectors. Furthermore, most messaging apps have adopted end-to-end encryption as the standard, an obstacle many data security tools can’t overcome. For example, it’s impossible for network-based DLP and CASB/SSE tools to see end-to-end encrypted messages sent through messaging apps. Network-based security tools are similarly challenged by cloud applications that use certificate pinning, which prevents these tools from inspecting the content.
Traditional content inspection techniques can also be stifled by file obfuscation techniques, such as downloading compressed files directly from a web app. For example, traditional data security tools cannot inspect for specific text (e.g. “engineering roadmap”) inside a compressed ZIP file. In this Apple Car case, Zhang downloaded 24GB of data, so it’s possible it was transferred as a ZIP archive. Furthermore, rogue insiders may employ a series of tactics to cover their tracks: encrypting the data, hiding it within archives, changing file types, and other evasion techniques.
Simply tracking and setting policies based on file types isn’t an accurate security measure nowadays. For example, sensitive data can take the form of code, PDFs or JPEGs, but there’s a tangible difference between 10GB of marketing images of an unreleased smartphone and 10GB of vacation photos from Cancun. Focusing on context, not just content, is essential. Being able to distinguish an engineer downloading 5GB of code from this month’s hottest open-source package (e.g. github.com/CompVis/stable-diffusion) from an engineer downloading 5GB of proprietary source code is key to preventing false positives. A barrage of false positive alerts can overload a SOC team, giving real threats more time to act.
Post-incident forensics tools can be used to investigate what actions a user performed, but they do not stop data exfiltration in progress. Post-incident forensics tools often require physical custody of devices, which can increase business risk.
Furthermore, when employees quit, they know they’re leaving before the company does, so companies tend to monitor this activity more closely only after an employee gives notice. In reality, waiting until after notice is given to monitor a departing employee’s unusual behavior may be too late. In fact, in our recent 2022 Insider Risk Report, we found an 83.1% increase in data exfiltration incidents during the two-week period before an employee gave notice, compared to the baseline.
How to protect data from this type of insider threat:
- Use source context: Trace and track the origin and movement of data, whether contained in a file or copied and pasted directly from an application (e.g. PCB design files from Altium, or CAD drawings from AutoCAD). Data tracing can show the flow of sensitive data through multiple channels, including SaaS apps (from Zoom recordings and Slack files to Chorus calls), network shares, endpoints, email, and Apple AirDrop, from creation through egress.
- Establish specific policies: For example, enable automated alerts for unusual download attempts of source code from web applications (e.g. GitHub) and of sensitive CAD drawings from PCB design software (e.g. Altium).
- Leverage business context to monitor unusual behavior and enforce policies: For example, why is an engineer on our Compute team downloading troves of CAD drawing files owned by the mechanical engineering team?
- Educate in real time: Don’t rely entirely on quarterly security training. When an employee does something wrong, warning them or redirecting them to a safer, approved path is key. At the point of an unusual download, show the employee a gentle warning pop-up message, in case it was unintentional.
- Block bad behavior: If an employee attempts to exfiltrate data post-download, modern enterprises can defend themselves by setting a policy to block the exfiltration of data via a specific egress vector (like AirDrop or USB hard drives) outright.
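The five controls above, as an added example that is not from the original post or Cyberhaven’s product: a small Python triage routine over constructed endpoint events in which files inherit a data class from their origin rather than their extension, cross-team pulls of sensitive data get a real-time warning, unusual download volume alerts, and sensitive egress over AirDrop or USB is blocked while other vectors only alert. The event schema, origin names, team owners and the 5 GiB threshold are assumptions.

```python
from collections import defaultdict
# Origins the organisation treats as sensitive and who owns them (constructed).
SENSITIVE_ORIGINS = {"altium": "pcb-design", "internal-gitlab": "source-code",
                     "sharepoint/mech-eng": "cad-drawings"}
ORIGIN_OWNER = {"sharepoint/mech-eng": "mechanical"}
BLOCKED_VECTORS = {"airdrop", "usb"}
VOLUME_LIMIT = 5 * 2**30   # alert once a user pulls more than 5 GiB of sensitive data

def triage(events):
    """Return [(event_id, decision, reason)]; files inherit a class from origin."""
    lineage = {}                 # (user, file) -> data class, or None
    pulled = defaultdict(int)    # user -> cumulative sensitive bytes downloaded
    out = []
    for ev in events:
        key, user = (ev["user"], ev["file"]), ev["user"]
        if ev["action"] == "download":
            cls = SENSITIVE_ORIGINS.get(ev["origin"])  # None: e.g. public GitHub repo
            lineage[key] = cls
            if cls is None:
                out.append((ev["id"], "allow", "non-sensitive origin"))
                continue
            pulled[user] += ev["bytes"]
            owner = ORIGIN_OWNER.get(ev["origin"])
            if owner and owner != ev["team"]:   # business context: cross-team pull
                out.append((ev["id"], "warn", f"{ev['team']} pulling {cls} owned by {owner}"))
            elif pulled[user] > VOLUME_LIMIT:   # specific policy: unusual download volume
                out.append((ev["id"], "alert", f"{pulled[user]} sensitive bytes"))
            else:
                out.append((ev["id"], "allow", f"{cls} from {ev['origin']}"))
        else:  # egress: decide on lineage, not on file type or size
            cls = lineage.get(key)
            if cls is None:
                out.append((ev["id"], "allow", "no sensitive lineage"))
            elif ev["vector"] in BLOCKED_VECTORS:
                out.append((ev["id"], "block", f"{cls} via {ev['vector']}"))
            else:
                out.append((ev["id"], "alert", f"{cls} via {ev['vector']}"))
    return out

def _ev(i, action, file, **kw):  # constructed events for one Compute-team user
    return {"id": i, "user": "eng1", "team": "compute", "action": action, "file": file, **kw}
EVENTS = [
    _ev(1, "download", "stable-diffusion.zip", origin="github.com/CompVis/stable-diffusion", bytes=5 * 2**30),
    _ev(2, "download", "board.PcbDoc", origin="altium", bytes=200 * 2**20),
    _ev(3, "download", "chassis.dwg", origin="sharepoint/mech-eng", bytes=2**30),
    _ev(4, "egress", "stable-diffusion.zip", vector="airdrop"),   # public code: allowed
    _ev(5, "egress", "board.PcbDoc", vector="airdrop"),           # schematics: blocked
    _ev(6, "egress", "board.PcbDoc", vector="slack"),             # schematics: alert
]
```

Running `triage(EVENTS)` yields allow, allow, warn, allow, block, alert for events 1 to 6: the same 5GB of "code" is treated differently depending on whether it came from a public repository or from Altium.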
Data Theft Risks for Research & Development are Ever-Evolving
In Cyberhaven’s 2022 Insider Risk Report we analyzed anonymized behavioral data for 1.4 million workers at companies across industries to determine what types of corporate data are most at risk and how employees commonly exfiltrate data. Client/customer data, source code, and regulated personal data (PII) have continued to reign supreme as the most valuable assets for modern enterprises.
Across industries, we found that the theft of source code is actually the second most common type of data employees exfiltrate, at 13.8%. Possible victims of source code theft aren’t just software companies, but also airlines, retail, financial services, and manufacturing, all of whom develop their own applications and algorithms to gain competitive advantages. Having one’s source code stolen and shared with a competitor can be devastating to these businesses.
As more new egress vectors are created and exploited daily, from Apple’s AirDrop to the latest encrypted messaging app, it’s getting more challenging to keep sensitive data safely within the enterprise. As shown in our 2022 Insider Risk Report, exfiltration via AirDrop is still relatively rare, in part because macOS is less common than Windows in corporate environments. However, as Apple’s hardware footprint continues to grow with the proliferation of iPhones, MacBooks, and iPads, we expect AirDrop to be an emerging egress vector to watch. Ultimately, it doesn’t matter if you’re secured against the most common threats; you must have all bases covered, because you’re only as strong as your weakest link!