Officials from the Cybersecurity & Infrastructure Security Agency (CISA) have pointed to software and managed service providers (MSPs) as being on the front lines of national defense against threats actors, both inside the U.S. as well as nation state actors and international spies. But it’s not every day you see this in action.
Lincoln, Nebraska-based technology service provider ArcLight Solutions recently identified what looked like activity from a Chinese spy ring that had infiltrated an unnamed midwestern manufacturing company.
Anomalous Activity Discovered
As part of a routine analysis of this prospective client that was looking for help with their ERP system, ArcLight Solutions added monitoring from SaaS Alerts to this prospect’s Office 365 setup. After four days in the system, SaaS Alerts identified multiple hits on the system from China, even though this prospect said they had protection in place to prevent access from everywhere except the U.S., one part of the U.K., and some outsourcing to India, according to ArcLight Chief Technology Officer Frank Barrett.
“I told them, ‘I’m getting these hits from China. Are you sure you don’t do any business over there?’” Barrett said.
This manufacturing company confirmed that it didn’t do business in China, and said it wanted to take a closer look. Barrett and officials from the manufacturer looked at log files together. Barrett said that when they saw the user ID associated with the activity, the manufacturing company representatives said were quiet for a moment and then told Barrett they had suspected that individual of being a spy for some time.
“That’s not something you hear every day,” said Barrett, who is also an Army veteran and a former government IT worker.
Next Steps
Barrett said he leveraged Barracuda to chase the emails using Sharelink. Some of these emails were sent to generic email servers that were all geolocated within a two-block area in China. Barrett contacted SaaS Alerts for more guidance. Together with Barrett and the manufacturing company, SaaS Alerts watched the account to make sure that the findings weren’t some kind of anomaly. However, the activity continued. SaaS Alerts and ArcLight recommended to the manufacturing client that they turn over the investigation to federal authorities that track international spy activities.
Barrett and SaaS Alerts said that they can’t share any additional information about any investigation. It’s been about 45 days since the behavior was first discovered at the manufacturing company.
What SaaS Alerts Identifies
Jim Lippie, CEO of SaaS Alerts, told ChannelE2E that the SaaS Alerts platform is set up to provide security monitoring and response for software as a service (SaaS) for MSPs. The service was introduced as the world moved from a network and on-premises approach to software — i.e. Microsoft Office loaded on your PC — to cloud-based systems such as Office 365. SaaS Alerts works with both Microsoft 365 and Google Workspace. It is set up to track user behavior, both internal and external.
Lippie said SaaS Alerts tracks 254 different events specific to user behavior. For instance, one such event is someone changing an email forwarding rule. Or they may give themselves elevated privileges in the system.
Although there’s no additional information available about what happened in the suspected Chinese spy case, there is positive news for ArcLight Solutions, which began as a data center services company and recently began building out managed services and managed security services practices. ArcLight Solutions is in talks with the manufacturing company about establishing a long-term virtual CIO/CISO engagement.
