What does a thrift store tie, keen observation and the owner’s last name get you at a multimillion-dollar corporation?

For a cybercriminal, that may be all you need for access to employee data, financial records, security systems, networks, confidential information and facilities. 

Just ask Southwestern Electric Cooperative Director of Information Technology Thaddius Intravaia. As a cybersecurity consultant prior to joining the Greenville, Illinois-based co-op in 2014, he spent 10 days undetected inside a private company, where he collected enough proprietary information for a major cyberstrike.

At NRECA’s 2024 Co-op Cyber Tech Conference earlier this month, Intravaia shared his story and discussed how open-source intelligence and social engineering—which involves mining online information and is 100% legal—can be weaponized. 

“To launch an attack, you only have to be patient and observant,” he told Co-op Cyber Tech attendees. “Had I been challenged or reported, I would have been stopped dead in my tracks before I ever made it inside the building.”

The privately owned corporate subsidiary with annual revenue of $600 million had five locations and a staff of over 300 at this particular facility. Its owner was livid that the parent company, which had a total of 1,500 employees, hired “a bunch of nerds” to find holes in its security, he said.

For reconnaissance, Intravaia said he went to the corporate website, where he found “everything we needed for a spear phishing campaign.”  

It had the entire employee directory and board members’ names, phone numbers and email addresses. Intravaia said many employees had the same last name as the owner. 

He also ran a Google Dork—an advanced search query—that uncovered more information about the company’s operations. 

To learn its office culture, Intravaia sent Facebook invites to employees using several phony profiles that ranged from a flirty 20-something to an orange tabby cat named Cheddar. Within a couple of weeks, 22 employees—including the office manager, IT manager and chief operating officer —friended these profiles. 

Intravaia learned their interests and complaints about work, company procedures and how well they got along with the boss. In a matter of hours, he was able to guess their work passwords, which included anniversary dates or the name of a spouse or pet. No one practiced multifactor authentication, he said.  

For the physical entry, Intravaia observed the company for several days from a gas station across the street. He saw semi-secure fences, cameras and electric entry on all doors and a security guard who left his post every day at 10:15 a.m. He also watched a car gain entrance by tailgating behind a daily delivery truck. 

Wearing an old tie and jeans like staffers in online photos, Intravaia timed a successful entrance. Once in the parking lot, he saw a group of employees, including the security guard, on a smoke break. He introduced himself as the owner’s nephew and asked to see the office manager calling her by a nickname, to which one employee immediately responded that he must be filling in for the IT guy out on sick leave. They let him in the door. 

“They were happy to help,” said Intravaia. “I got in focusing on people. People in the halls assume other people are supposed to be there. It’s how are brains are wired to work.”

He deflected one inquiry from the office manager by bringing up her volunteer work and was never asked to produce identification or to meet with human resources. Instead, he got a key card, a computer, a tour of the entire facility’s systems and entrée to whatever he wanted.

“The damage was done,” he said. “I got a badge with my picture with the last name of guy I’m not related to, and for 10 days I showed up at the facility.”

Intravaia said he created fake names for payroll and multiple key cards under existing employee names by using the employee database. He built new admin accounts to gain access to secure servers and placed Wi-Fi eavesdropping devices called “pineapples” all over the place to collect data.  

By day four, he was so bored, he tried to get caught. In plain view of others, “I took photos of files. I opened drawers. I spread files around.” To no avail. 

Intravaia said on day 10, he just walked out.

“I couldn’t do any more damage. I had gained complete access.”  

To prevent a similar attack, co-ops should beef up their IT staff and have an employee cybersecurity policy that is enforced, tested and updated, he told conference attendees. 

All visitors—including vendors—should be required to sign in, wear visible badges and be accompanied while on co-op property, he said. Tailgating—allowing someone to enter behind you without using their security credentials— at secure sites and office entrances must be prohibited, and staff must be required to report lost key cards and badges.

“This organization had focused on technology, but that does no good if don’t have an internal policy and you let someone like me walk in,” he said. “The No. 1 lesson is real attackers don’t play fair.”