The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Hacker Faces Jailtime After Stealing Employee, Company Data At Two Firms

by Chris Brook on Friday November 1, 2019

Contact Us
Free Demo
Chat

A man admitted he installed keyloggers at two companies and used them as a launching pad to steal data on emerging technology they were developing.

A New Jersey man is under investigation for allegedly breaking into two companies, establishing a foothold into their networks, and stealing more than 15,000 files on emerging technology.

According to an indictment released by the U.S. District Court of New Jersey last week, it sounds like the man, Ankur Agarwal, had a relatively easy time stealing the data once he was inside.

To secure access, Agarwal physically broke into one of the companies in February 2017 and installed a series of hardware keylogger devise on their machines, something which granted him access to employee login credentials. While inside, he also devised another way to steal data, through seemingly legitimate software that was secretively another keylogger, which he used to siphon away additional logins.

With this privileged access, Agarwal created a code and over the course of several months, from March 2017 to September 2017, exfiltrated the data he was after, namely information on the technology and information on members of the team who were creating it.

Agarwal waited three months then sought access to additional machines used by employees there, something he managed to obtain from January to February 2018. It wasn’t until two months after this timeframe that employees at the company realized Agarwal had been inside. Because he already had access to the network, stunningly, Agarwal was able to track the company's investigation around his own activity.

Agarwal was able to compromise the second company just like the first company, physically.

Agarwal trespassed onto the second company’s property and managed to install a keylogger device on the company's machines. After a period of time he retrieved it to obtain login credentials belonging to several employees. From there he was able to use his exfiltration script, beginning in April 2017, to steal data on the company's technology, including email files and documents, from its servers.

Aside from "email files and documents," the indictment is scant on what type of data Agarwal made off with. The document does note the devices he was able to use to pull the whole scam off though, including a Dell laptop, a Hewlett Packard laptop, a USB keylogger, and a series of thumb drives.

Neither companies are named in an indictment released by the U.S. District Court of New Jersey last week.

While the legitimacy of physical security is certainly the story here – it can be argued Agarwal may have not been able to gotten onto the company’s systems in the first place had he not been able to secure access in person - the case says a lot about the importance of being able to detect data exfiltration.

Exfiltrating data can be notoriously difficult to detect, especially when it’s camouflaged as activity carried out by an employee that works there. If this emerging technology was indeed valuable, its curious that access to it wasn't more highly regulated. Even if it had been kept under lock and key, having a solution in place to flag anomalous activity, like the access and exfiltration of roughly 15,000 files over the course of a month, could have proved valuable here.

Tags: Cybercrime, Data Theft

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.