Warshipping - cyber threat sent by regular mail





The techniques cybercriminals use to attack IT systems are constantly evolving. Among those seen this year, two stand out: injecting malicious code into thousands of e-commerce sites to steal personal data, and using LinkedIn to deliver spyware. And these techniques work: the damage from cybercrime in 2018 reached $45 billion.



Researchers at IBM's X-Force Red have now developed a proof of concept (PoC) that could be the next step in the evolution of cybercrime. It is called warshipping, and it combines technical methods with more traditional ones.



How warshipping works



Warshipping uses a cheap, low-power computer to carry out attacks in close physical proximity to the victim, regardless of where the cybercriminals themselves are located. A small device containing a 3G cellular modem is sent to the victim's office by regular mail, as an ordinary-looking parcel. The modem lets the attackers control the device remotely.



Thanks to its built-in wireless chip, the device scans for nearby networks and captures their network packets. Charles Henderson, head of X-Force Red at IBM, explains: "As soon as we see that our 'warship' has arrived at the victim's front door, mail room or unloading point, we are already able to remotely control the system and run tools for a passive or an active attack on the victim's wireless network."



Warshipping attack



Once the so-called "warship" is physically inside the victim's office, the device starts listening to data packets on the wireless network, which it can use to penetrate that network. It also listens for users authenticating to the victim's Wi-Fi network and sends the captured data to the cybercriminal over the cellular connection, so that the attacker can decrypt it and recover the victim's Wi-Fi password.



With this wireless connection, the attacker can then move around the victim's network, looking for vulnerable systems and accessible data, and steal confidential information or user passwords.



A threat with great potential



According to Henderson, this attack could well become a stealthy and effective insider threat: it is inexpensive and easy to carry out, and may go unnoticed by the victim. Moreover, the attacker can mount it from afar, at a considerable distance from the target. In companies that handle a large volume of mail and parcels every day, a small package can easily be overlooked.



One aspect that makes warshipping especially dangerous is that it bypasses the email protection the victim has deployed against malware and other attacks that spread through attachments.



Enterprise protection against this threat



Since this is a physical attack vector over which the organization has no control, it might seem that nothing could stop the threat. This is one of those cases where caution with e-mail and distrust of attachments will not help. However, there are solutions that can stop it.



The control commands come from the warship itself, which means the process is external to the organization's IT system. Information security solutions automatically stop any unknown process in the IT system. The connection from this "warship" to the attacker's control server is a process unknown to the security solution, so it will be blocked and the system will remain safe.
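The detection side of this scenario, as an added example that is not from the article, from IBM X-Force Red or from any vendor: the step where the attacker joins the Wi-Fi network with the recovered password shows up on the wireless controller as a client association, so a small Python script can read association log lines and flag any client that joins the corporate SSID but is absent from the asset inventory. The log format, the SSID name, the inventory and the sample log lines are all constructed assumptions.

```python
"""Flag Wi-Fi clients that associate with the corporate SSID but are absent
from the asset inventory. Added example: the log format, SSID and inventory
are constructed assumptions, not the article's or IBM X-Force Red's tooling."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed inventory of known corporate Wi-Fi clients (MAC -> asset tag).
KNOWN_CLIENTS: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "laptop-finance-01",
    "aa:bb:cc:00:00:02": "laptop-hr-07",
    "aa:bb:cc:00:00:03": "printer-2f",
}

CORP_SSID = "corp-wifi"  # assumed name of the corporate network

# Constructed association-log format; real controllers use their own syntax.
ASSOC_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"ap=(?P<ap>\S+)\s+event=(?P<event>assoc|disassoc)\s+"
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+ssid=(?P<ssid>\S+)$"
)

# Constructed sample log: a known laptop, an unknown client joining from the
# mail-room AP twice, a guest-network client that must be ignored, and a
# malformed line that must be skipped rather than crash the parser.
SAMPLE_LOG = """\
2019-08-12T09:01:10 ap=AP-MAILROOM event=assoc mac=aa:bb:cc:00:00:01 ssid=corp-wifi
2019-08-12T09:02:45 ap=AP-MAILROOM event=assoc mac=DE:AD:BE:EF:00:01 ssid=corp-wifi
2019-08-12T09:03:00 ap=AP-2F event=assoc mac=aa:bb:cc:00:00:02 ssid=corp-wifi
2019-08-12T09:05:30 ap=AP-MAILROOM event=disassoc mac=de:ad:be:ef:00:01 ssid=corp-wifi
2019-08-12T09:06:12 ap=AP-MAILROOM event=assoc mac=de:ad:be:ef:00:01 ssid=corp-wifi
2019-08-12T09:07:00 ap=AP-LOBBY event=assoc mac=11:22:33:44:55:66 ssid=guest-wifi
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one association-log line; return None for lines that do not match."""
    m = ASSOC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()  # normalise case so inventory lookups match
    return rec


def summarize_unknown_clients(lines: Iterable[str],
                              known: Dict[str, str] = KNOWN_CLIENTS,
                              corp_ssid: str = CORP_SSID) -> List[dict]:
    """Return one summary per unknown MAC that associated with the corporate
    SSID: first/last seen, number of associations and the APs it used."""
    seen: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        # Only successful associations with the corporate SSID are of interest.
        if rec is None or rec["event"] != "assoc" or rec["ssid"] != corp_ssid:
            continue
        if rec["mac"] in known:
            continue
        ts = datetime.fromisoformat(rec["ts"])
        entry = seen.setdefault(rec["mac"], {
            "mac": rec["mac"], "first_seen": ts, "last_seen": ts,
            "count": 0, "aps": []})
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
        if rec["ap"] not in entry["aps"]:
            entry["aps"].append(rec["ap"])
    return sorted(seen.values(), key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for f in summarize_unknown_clients(SAMPLE_LOG.splitlines()):
        print(f"unknown client {f['mac']}: {f['count']} association(s) on "
              f"{', '.join(f['aps'])} between {f['first_seen']} and {f['last_seen']}")
```

On the constructed log the script reports a single unknown client that associated twice from the mail-room access point, which is exactly the pattern a parcel-borne device would produce; the guest-network client is ignored because only the corporate SSID is checked. Keying the check on a MAC inventory is a coarse control, since MAC addresses can be changed, so in practice it complements rather than replaces 802.1X or certificate-based client authentication on the corporate SSID.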

At the moment, warshipping is only a proof of concept (PoC) and has not been used in real attacks. However, the relentless work of cybercriminals means that this method could become a reality in the near future.


