During a TSCM inspection of a FORTUNE 500 company’s HQ, QCC’s sweep team discovered a GSM bug fitted deep inside a laptop docking station on the CFO’s desk.
The docking station had been custom modified with the GSM / 3G bug, which contained a covert microphone to remotely listen to clear room audio from the CFO’s office. The bug was connected both to the power supply of the docking station, which powered it indefinitely, and to the RJ45 network port inside the docking station, which gave the eavesdropper remote access to the corporate computer network, either to steal company data or to deploy APT (Advanced Persistent Threat) malware.
Review of the situation with the CFO flagged that for the previous 6 months the CFO had been heavily involved in negotiations with an Asian government regarding a multi-billion dollar project the company wished to undertake in that region. QCC advised the CFO on protective security improvements going forward to control and monitor the offices including proactive ongoing TSCM inspections to counter the threat of eavesdropping occurring again.
While QCC was conducting a regular counter-eavesdropping inspection of a global banking corporation’s HQ in Toronto, Canada, we discovered an RF signal coming from a working BlackBerry USB phone charger plugged in under a meeting room table. The lead of the USB charger came up through the table and was used by staff to top up the charge on their BlackBerrys during meetings. When QCC checked, we found that all of the meeting rooms had the same chargers installed for staff to use, but this charger was the only one emitting RF, at 427.5 MHz. QCC used our radio spectrum analyser to listen to the transmission and found it was indeed transmitting room audio from the meeting room.
Further investigation of the device proved that a tiny Russian radio transmitter and covert microphone had been custom fitted inside the charger so that as a bug it did not look out of place in the meeting room. QCC installed a covert camera in the meeting room and 2 weeks later a disgruntled member of staff based at the site was caught trying to remove the bug. The rogue member of staff who had bugged the room was questioned and said he was unhappy with his pay rise and was bugging the ongoing HR meetings with other staff members to see what they had been awarded.
During the TSCM inspection of a FTSE 100 company’s regional offices in the Caribbean, QCC identified the TV in the Chief Legal Officer’s office as having been used to eavesdrop on the CLO.
The TV was connected to the LAN via a CAT5 cable, but its Wi-Fi function had also been enabled. When QCC analysed the TV’s Wi-Fi and any connected devices, we discovered a second Wi-Fi signal coming from the TV with an SSID very similar to the first. On further examination of the TV we found that it had been modified with the internal installation of a Wi-Fi store-and-forward device and covert microphone, which could capture clear room audio and store it for download via the Wi-Fi link and review at a later time by the eavesdropper.
QCC connected a write-blocked cyber forensics laptop to the fake TV Wi-Fi connection and found that we could access the digital memory of the store-and-forward device, where we initially found no digital audio recordings. Further cyber forensics eventually uncovered 37 digital audio recordings going back over a 7-week period, which had been downloaded and then deleted from the device by the eavesdropper but which were still present in unallocated space within the device’s memory.
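A survey check for the finding above, a second SSID almost identical to the legitimate one: this added Python example (not QCC's tooling) compares constructed scan results against an assumed inventory of authorised SSID/BSSID pairs and flags near-duplicate names as well as known names broadcast by unknown radios. The network names, BSSIDs and the 0.8 similarity threshold are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Assumed inventory of authorised networks: SSID -> known access-point BSSIDs.
AUTHORISED = {
    "CORP-EXEC": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
    "CORP-GUEST": {"02:00:00:aa:00:10"},
}

# Constructed survey results: (ssid, bssid, channel, rssi_dbm).
SURVEY = [
    ("CORP-EXEC", "02:00:00:aa:00:01", 36, -48),   # authorised pair
    ("CORP-EXEC", "02:00:00:bb:00:99", 6, -35),    # known name, unknown radio
    ("C0RP-EXEC", "02:00:00:bb:00:7f", 6, -33),    # near-duplicate name
    ("CORP-GUEST", "02:00:00:aa:00:10", 11, -60),  # authorised pair
    ("CoffeeShop", "02:00:00:cc:00:01", 1, -82),   # unrelated neighbour
]

def normalise(ssid):
    """Fold case, digit-for-letter swaps and separators before comparing."""
    return ssid.lower().translate(str.maketrans("01_", "ol-")).replace(" ", "-")

def classify(ssid, bssid, authorised=AUTHORISED, threshold=0.8):
    """Return (reason, resembled_ssid) for a suspicious network, else None."""
    if bssid in authorised.get(ssid, ()):
        return None                      # exact SSID on a known radio
    if ssid in authorised:
        return ("unknown-bssid", ssid)   # right name, radio not in inventory
    scored = [(SequenceMatcher(None, normalise(ssid), normalise(k)).ratio(), k)
              for k in authorised]
    score, closest = max(scored)
    return ("lookalike-ssid", closest) if score >= threshold else None

def findings(survey=SURVEY):
    """List suspicious networks, strongest signal (likely nearest) first."""
    out = []
    for ssid, bssid, channel, rssi in survey:
        verdict = classify(ssid, bssid)
        if verdict:
            out.append({"ssid": ssid, "bssid": bssid, "channel": channel,
                        "rssi_dbm": rssi, "reason": verdict[0],
                        "resembles": verdict[1]})
    return sorted(out, key=lambda f: f["rssi_dbm"], reverse=True)

if __name__ == "__main__":
    for f in findings():
        print(f)
```

Sorting by signal strength puts the radios closest to the surveyor at the top, which is where a device hidden in the room being inspected would appear.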
QCC were engaged to perform a counter surveillance sweep for a FTSE 100 Client who had just completed the takeover of another large European company. QCC inspected the offices of the acquired company in Paris and during the physical inspection of the two main conference rooms we discovered two covert Knowles microphones and cabling in the suspended ceilings of the rooms proving an active surveillance operation had been in place prior to the inspection. The location of the microphones and cabling also proved that someone had unsuccessfully tried to remove the attacks in a hurry.
This find was particularly important as the meeting rooms which had been subject to the bugging had been used to discuss the details and strategy of the takeover.
Following the sweep, the Client decided to move from these offices to a new building.
This case illustrates the importance of a thorough physical search, the only possible way of finding and identifying these covert microphone ends and small pieces of broken cable.
An international law firm engaged QCC to conduct a TSCM inspection (bug sweep) of selected offices and meeting rooms within their Swiss headquarters. The Client suspected eavesdropping after confidential information relating to financial negotiations was leaked. Initial investigations ruled out some common causes of information loss and QCC were asked to sweep the areas in which this confidential information had been discussed.
During the inspection QCC tested the digital telephone system and discovered analogue audio present on spare cables from the telephones in three of the target meeting rooms. Audio was present when the telephones were both on hook and off hook, meaning room audio was being passed constantly down spare pairs of wires out of the rooms.
QCC traced the cables and found that the structured cabling had been modified and the spare wires had been diverted to terminal blocks under the sub floor within the IT equipment room. This modification was used to connect suitable recorders to the spare pairs containing the room audio.
Inside staff were suspected to be involved in this spying operation and without QCC’s covert handling of the inspection arrangements the spies could well have removed the devices before they were discovered. Other QCC specialist monitoring services were then used and 8 weeks later the eavesdropper was caught and admitted what had been going on.
The Chairman of an international media company employed QCC to carry out TSCM inspections of the Chairman’s transport fleet, including inspections of two executive cars, a superyacht moored in the Mediterranean and a 12-seat executive jet hangared in the UK.
The inspection of the yacht discovered an historic eavesdropping attack within the main stateroom of the vessel. The solid-state recorder bug found had corroded batteries and could have been in place for up to 2 years following a refit. On digital forensic examination the bug was found to hold recordings of conversations between 15 and 18 months before. QCC removed the device on the Client’s instruction and now conducts regular inspections to maintain a suitable security stance for the Client.
The inspection of the jet discovered that the installed Wi-Fi system on board was completely unsecured, allowing interception of emails and data transmissions to and from the passengers’ laptops and tablet computers. QCC advised the Client on securing the systems involved, including secure protocols for their use going forward.
The inspection of the 2 executive cars identified the unsecured Bluetooth wireless telephone systems installed leaving phone calls vulnerable to interception. QCC reconfigured the systems involved and installed handsets for secure use.
Trackers & homes
A Client who was the subject of a significant level of press intrusion instructed QCC to provide support to counter the threat to his privacy. QCC carried out a risk assessment and proposed an inspection of the London residence and vehicle used by the Client.
During the vehicle TSCM inspection QCC discovered that a live GPS tracking device had been attached to the rear of the vehicle. It incorporated a GSM capability that enabled the eavesdropper to live track the principal’s vehicle. The device was removed and passed to the Client’s solicitors, who have made representations to the Press Complaints Commission.
The security assessment of the London apartment revealed a failed attempt to gain access by a person posing as a pest control operative in the preceding days. The concierge at the apartment block had refused entry as the building did not employ a pest control contractor and no appointment had been made. The concierge also became suspicious because the man claiming to be from the pest control company arrived as the passenger on a motorcycle (this was observed on perimeter CCTV) only a few minutes after the Client had left the building in the car containing the tracking device. QCC advised the Client on improving security procedures and now conducts regular TSCM inspections of the car and other sites relating to the Client.