Elementary Threat · BSI IT-Grundschutz

G 0.14 — Information Gathering (Espionage)

Reading time: 4 min · Reviewed by: Cenedril Editorial

A mid-sized mechanical engineering company discovers that its latest product appears in a slightly modified form at a foreign competitor just weeks before its own market launch. The design data is nearly identical. Two years of development costs and several million euros have been devalued — the head start is gone.

Espionage aims to gather, analyse and exploit information about companies, people or products. The BSI lists this threat as G 0.14. The methods range from highly complex technical attacks to simple shoulder surfing at an ATM.

What’s behind it?

Espionage is any systematic attempt to obtain confidential information. The motivation may be economic espionage (state-directed), industrial espionage (private sector) or personal enrichment. The information obtained gives the attacker a competitive advantage, enables blackmail or serves to replicate protected products.

Attack methods

  • Technical attacks — trojans, keyloggers, network sniffing, man-in-the-middle attacks. Malware is often delivered via spear-phishing emails tailored to specific people in the company.
  • Social engineering — attackers pose as suppliers, IT support or job applicants to gain access to premises or information. Particularly effective in combination with previously gathered OSINT.
  • Visual observation — reading along at the screen (shoulder surfing), photographing documents, observing PIN entry. Simple but effective — especially in public spaces.
  • Acoustic eavesdropping — listening in on conversations in offices, meeting rooms or public transport. Open-plan office concepts favour this attack form.
  • OSINT aggregation — individually innocuous public information (job advertisements, social media posts, company register entries) is combined so that it reveals confidential connections.

Impact

The damage from espionage primarily affects confidentiality but can have significant financial and strategic consequences: loss of competitive advantage, devaluation of research investments, reputational damage and — for personal data — regulatory consequences. Espionage attacks often remain undetected for months or years because the attackers take care to cover their tracks.

Practical examples

Spear phishing against the research department. An attacker analyses the LinkedIn profiles of engineers at a technology company and identifies an ongoing research project. They send a convincing email referencing a real industry conference, with a crafted PDF attached. The keylogger it installs records access credentials and confidential correspondence for weeks.

Conversation recording in the meeting room. An external service provider who regularly performs maintenance work in the building places a miniaturised recording device in an executive meeting room. Strategic decisions, acquisition planning and financial data are recorded over weeks and forwarded to a competitor.

OSINT aggregation from public sources. A competitor systematically evaluates a company’s job postings, patent applications and conference contributions. From the combination of these sources they reconstruct the technology roadmap, the planned market entry strategies and even internal organisational structures — without ever compromising a system.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 47 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.14 to a large number of modules, including:

  • DER.2.3 (Remediation of far-reaching security incidents) — requirements for handling serious incidents, which espionage cases regularly are.
  • ORP.1 (Organisation) — organisational foundations: roles, responsibilities and information classification.
  • INF.7 (Office workplace) — security requirements for office spaces that impede visual and acoustic observation.
  • CON.7 (Information security while travelling) — protection measures for mobile work and business trips.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.10 Acceptable use of information and other associated assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.23 Information security for use of cloud services
  • A.5.29 Information security during disruption
  • A.5.37 Documented operating procedures
  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.7.2 Physical entry
  • A.7.5 Protecting against physical and environmental threats
  • A.7.6 Working in secure areas
  • A.7.7 Clear desk and clear screen
  • A.7.8 Equipment siting and protection
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.12 Data leakage prevention
  • A.8.15 Logging
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.23 Web filtering
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

What distinguishes economic espionage from industrial espionage?

Economic espionage is carried out by states or state-directed actors and is directed against companies of another country. Industrial espionage (illegal competitive intelligence) originates from private actors — for example competitors seeking an advantage through illegal means. Both target confidential information but differ in their means and reach.

Is open source intelligence (OSINT) also espionage?

OSINT refers to the systematic collection and analysis of freely accessible information. That alone is legal and widespread. It becomes problematic when individually harmless pieces of information are combined so that they expose confidential matters — for instance drawing conclusions about business strategies, personnel movements or product plans.

How do I protect against social engineering in an espionage context?

Regular awareness training, clear policies for the handling of confidential information (including verbally) and a culture in which questioning unusual requests is normal. Technical measures such as access controls and logging complement the human factor.