Blog

Mailroom Security – Warshipping

When it comes to physical security, your organization faces risks from every angle. One of the most overlooked and neglected components of a physical security plan is mail safety. A thorough assessment of how your organization deals with threats through the mail is paramount. 

When performing this assessment you have to think outside the box and be open to the evolution of threats and what they may look like in the future. The never-ending battle against cybercriminals has been fought on many fronts and the mailroom is now one of them. 

There is a new technique IBM X-Force Red is calling warshipping and it has been gaining some much-needed attention. X-Force Red presented this technique at the annual Black Hat Cybersecurity Conference and opened a few eyes to the ever-evolving nature of security.

Let’s talk through what worshipping is and two things you can do to help protect your organization.

What is warshipping?

Warshipping is when a small, computerized device is mailed to your organization with the intent to gain entrance to your network.

Using a cheap computer, which draws minimal power, this technique bypasses your physical security measures by entering your organization through the mail stream. It gets the attacker the close-proximity he needs, as he can operate it from a remote location, minimizing physical exposure to the target. The device can be as small as a cellphone allowing it to be concealed in a number of ways. 

A simple package, which looks like any other piece of mail your organization processes, can bypass your existing physical security measures, leaving your organization vulnerable.

Warshipping is a simple and cheap way for cybercriminals to utilize the mail to execute an attack on your organization. It allows an adversary to introduce the threat through one of the most vulnerable components of an organizations security, the mailroom.  

According to Charles Henderson, head of IBM’s Offensive Operations arm, “The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a child’s teddy bear (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.”

How can you prevent warshipping?

As an organization who is vulnerable to these types of attacks, what can you do to protect yourself?

1. Prioritize a strong network security

As technology and tactics evolve it is paramount to be up to date on techniques, trends, and more. Network audits, up-to-date wireless and mobile device policies, and constant training are just a few of the many things you need to stay on top of. As with all of your security efforts, complacency can your worst enemy.

2. Ensure your mail handling and mail screening procedures address threats such as these. 

Restricting personal delivery, using remote mailrooms for processing and screening, package imaging, cellular intrusion detection, and limiting connectivity are just a few of the options. Be sure to take a comprehensive look at your mail security to find the best way to integrate it into your security plan.


Solving a specialized problem requires specialized experience 

Your employee safety, financial loss due to downtime, and brand reputation is at risk. A security plan only works if it’s comprehensive. Mail security is often overlooked or neglected.
There are many qualified physical security consultants, but mail security requires specialized training and experience. The United States Postal Inspection Service is the only organization that can adequately train security experts in mail-related threats. You need this experience AND someone who is focused on your organization’s goals.

We have the necessary real-world experience screening and investigating high-profile bomb, biological, and white powder cases. As subject matter experts, we’ve developed dangerous mail training and conducted screening for America’s most senior political leaders and largest sporting events.

When your optimized mail screening efforts are combined with robust physical security, you can rest easy knowing you have a comprehensive plan in place.

Working together is simple. We’ll look at the security problems you’re trying to solve, develop a plan, and you’ll feel confident knowing your employee safety, organizational downtime, and brand reputation are secure.

Contact us to schedule a call. We can tell you more about Risk Strategy Group and go into detail about how our experience can help your company.

Types of Threats in the Mail

Prior to developing a mail screening and safety plan, you should be familiar with the types of potential threats that are possible to receive through the mail stream. Keep in mind, when I talk about the “mail stream” I’m talking about letters and packages received via the U.S. Postal Service, express carriers like UPS and FedEx, as well as regional and local carriers. Staff should be familiar with the types of credible threats they may see as well as the types of hoaxes that are often commonplace. Once they have gained a working familiarity with what to look for, proper responses should be addressed for the different types. 

Hoaxes are intended to represent real threats and are meant to threaten, scare, intimidate, disrupt, and cause general inconvenience to individuals, organizations, and society in general. Due to the potential risk associated with credible threats, hoaxes typically require the same response from first responders up until the point they are deemed non-credible. As such, the effects of a hoax are a lot of times similar to a real threat. 

Threatening letters

The most basic type of hoax is the threatening letter. Threatening letters are just that: they contain written threats on the communication inside the envelope or on the envelope itself. The statement may be a few words long or may be more detailed in nature.

Even though threatening letters are typically harmless, they can be precursors to something more serious. Suspects may escalate their tactics if they do not get the response they wanted. 

White-powder letters

Hoaxes take many different shapes and one of the most common and most familiar is the white-powder letter. Ever since the anthrax attacks of 2001, white-powder letters have been commonly used as a way to harass and intimidate. Normally containing a non-threatening substance like flour, corn starch, or baking powder, white-powder letters are simple to create and can cause a tremendous amount of disruption

In 2014, Hong Ming Truong of Rowlett, TX, was arrested by United States Postal Inspectors and FBI agents for sending more than 500 hoax letters spanning more than 5 years. The letters contained threatening verbiage and most, but not all of the letters contained a non-hazardous white powder. 

The cost of emergency response by first responders exceeded $2.8 million. Keep in mind, this figure does not include financial loss from businesses, schools, and government offices. I can say from first-hand experience in personally responding to a number of these incidents, the amount of disruption and concern he created was enormous.

Truong was sentenced to serve 60 months in a federal prison in December 2015.

Hoax devices

Hoax devices are explosive devices missing one or more components preventing them from functioning. The intent of these devices is to threaten, scare, and intimidate, and often the suspect wants the intended target to know a functioning device could have been sent.

There is more intention behind these mailings when compared to the other types of hoaxes and they should be taken as such. A thorough screening process with comprehensive x-ray imaging and interpretation is paramount in identifying these types of devices early in the process.

CBRNE (Chemical, Biological, Radiological, Nuclear, Explosive) Threats

CBRNE threats move up the chain in severity, disruptive nature, and response. Fortunately, these types of threats are rare; however, the consequences could be grave in nature. It is important to know what the different types are and how they may present themselves in the mail stream. Once the familiarization process is complete you can make better assessments in policy, procedure, and the equipment needed to help you deal with these types of risks. 

Chemical 

Chemical agents or chemical weapons through the mail stream are rarer than other types of threats. Typically, this is due to the complexity of acquiring the agents and weaponizing them in a mailable form. When we are talking about chemical threats in a categorical sense, they are usually broken down into the following: irritants, commercial (industrial) chemicals, blood agents, nerve agents, blister agents, and pulmonary agents. If you are screening for these types of threats, your capabilities should cover vapors, liquids, and solids.

Biological

Biological threats made their grand entry into the public eye due to the 2001 anthrax attacks, which killed 5 people and sickened many more. The significance and public nature of this case created a sense of paranoia across America. It also resulted in the use of white-powder letters as a method of intimidation and harassment. As a result of these mailings, numerous facilities, buildings, complexes, and postal facilities had to go through decontamination processes costing hundreds of millions of dollars. 

The anthrax mailings of 2001 were followed by several ricin letters in 2003. One of the letters was discovered at a mail processing center in South Carolina and an additional ricin letter was discovered addressed to the White House at their mail-processing facility. In 2004 a white powdery substance was located on a sorting machine in the Dirksen Senate Office Building, which later tested positive for ricin. This incident caused employees to undergo decontamination and resulted in the closing of several government buildings. The availability and dangerous nature of ricin make it more of a potential threat than a lot of the other biologicals. 

These are high-profile incidents and as such, they have garnered a lot of public attention. However, there are threats outside of anthrax and ricin, which are possibilities. Tularemia (rabbit fever), smallpox, and plague, also fall within the realm of mailable biologicals. However small the risks are, familiarity and basic knowledge of these types of threats is important.

Radiological & Nuclear

When most folks think of radiological or nuclear threats they think of dirty bombs, which is simply distributing radiation via an explosive device. The odds are in our favor in regards to this type of device being sent through the mail. Despite the fact this type of device may not cause large numbers of deaths, the amount of collateral damage would be significant. Panic, paranoia, evacuations, cleanup efforts, etc., would be quite the undertaking.

Fortunately, these types of materials are extremely difficult to obtain, but not impossible. Although a little dated, in 2008 the British Environment Agency and MI5 began to track and destroy unused hospital devices containing radioactive material. As of the reporting, there were 9 missing devices which were either lost or stolen. The devices only contained a small amount of radiation, but enough to be used in a weapon.  

Experts have noted that such materials are too plentiful to count precisely, but roughly estimate they are contained in more than 70,000 devices, located in at least 13,000 buildings all over the world — in many cases without special security safeguards.

The odds of this type of device is extremely low but possible. A comprehensive risk assessment will determine your organization’s risk level and will identify what screening measures you may need to employ. 

Explosive

An explosive device sent through the mail is a lot more probable and there has been a history of these devices going through the mail stream over the years. These incidents have occurred all around the world and include everything from letters to larger packages. 

In late 2018, Cesar Sayoc, Jr., sent 16 explosive packages (pipe bombs) through the U.S. mail stream to a number of prominent government officials and news agencies. All of the devices were designated as IED’s (improvised explosive devices), but were missing components of, or had incomplete, firing trains. Sayoc admitted to sending the devices as a means to threaten or intimidate. The suspect pled guilty and will be sentenced late 2019. 

Pipe bombs are a common favorite due to the fact they are easy to construct, but most are very crude in nature and are sloppily designed. The Unabomber is one of the most well-known criminals utilizing pipe bombs, which were quite advanced compared to most. He used a combination of placed devices and mailed devices, which ended up killing 3 people and injuring 23 more. 

However, more sophisticated devices have been used in the past. The 2010 Transatlantic aircraft bomb plot consisted of two separate packages shipped via FedEx and UPS and originated in Yemen. These sophisticated devices used toner cartridges to conceal the high explosive PETN (pentaerythritol tetranitrate) and utilized a cell phone alarm to trigger the devices. They were constructed in a manner to make it difficult to detect on x-ray screening. 

Parcel bombs can be made from a wide variety of explosive material with varying degrees of lethality and complexity. Despite the complicated nature of some of these devices, there are methods of screening and detection which can be utilized to reduce risk. Mailed devices are typically designed to initiate when opened, which allow more margin than placed devices in terms of screening. However, early identification is needed in order to initiate a prompt and proper response.

Regardless of the company or organizational size, a comprehensive mail screening and safety assessment needs to be completed. There are a lot of factors that contribute to an organization’s level of risk and vulnerability. Once these are determined, proper policy and procedure can be put in place to help mitigate the most common threats.

Physical Security: Mail Room Safety

Mail screening and mailroom security are easily overlooked components of a comprehensive risk assessment. A lot of organizations downplay the importance and often ask, “Why would our organization be a target?”

A large number of the issues are individualized as most mail related incidents are the result of:

  • Personal revenge
  • Relationship issues
  • Jaded employees
  • Scorned business partners

But, that’s not always the case and there are other reasons as well.

Depending on your business or organizational structure, your external threats may expand beyond those listed above.

  • Do you have international or foreign offices, overseas business relationships, and overseas suppliers?
  • Do you operate in a geopolitical climate with civil unrest and increased terroristic activities? If it’s not your company, it could be happening with countries you are connected to.
  • Does your organization have a history of issues with difficult or jaded employees? Is your human resource department constantly fielding reports related to ongoing issues within the workplace? If your organization going through an unpopular restructure, layoffs, or other negatively received change, workplace violence should be a concern.
  • How about being in the center of public controversy? Is your organization centered around issues, politics, products, or personalities, who draw negative attention from the public?

All of these are potential reasons an outside threat may want to target your organization. The question remains, just how vulnerable are you? In reality, you’re probably not very likely to be at risk from a credible physical threat. However, the consequences of a legitimate incident could be devastating.

Mail screening prevents more than just violence

A large portion of these mail related incidents are non-credible in terms of violence and are usually meant to scare, harass, or intimidate. These types of issues can have negative consequences as well. Think of side effects such as:

  • Evacuations
  • Lost work hours
  • Employee stress
  • Operational disruptions
  • Negative publicity

With these things in mind, a thorough risk assessment related to mail screening and security is paramount to your organization. To name a few, your organization needs to make sure it evaluates:

  • Mail room structure
  • Organization
  • Physical location
  • Alarm consideration
  • Surveillance equipment
  • High-value control procedures
  • Employee screening
  • Employee access
  • Public access
  • Screening methods
  • Response protocol

The list goes on and on. A comprehensive review will cover all of these issues plus many more. It will help identify your level of risk and the appropriate response to mitigate those concerns. The solution could be as simple as implementing a new system to log employee activity, or it could be more complex consisting of CBRNE inspections and screening, x-ray operations, and more.

A strong mail security and screening program can not only protect your employees and your assets, but it can also work as a deterrent as well. Make sure your organization has a solution in place that addresses potential risk in a logical manner.  

NGO Security

Just today, the Taliban carried out an attack on the office of a US-funded aid group in Afghanistan based on the claims they were involved in “harmful Western activities.  According to the BBC, militants are believed to have set off a vehicle-borne improvised explosive device (VBIED) before making entry into the offices of Counterpoint International in Kabul, Afghanistan. The incident ultimately resulted in a standoff with Afghan security forces which led to all the attackers being killed during the security forces response.

The Counterpoint International website states the following:

“Counterpart International’s office in Kabul was attacked at 1140 local time today by suspected suicide bombers in a series of explosions.  The Taliban claimed responsibility for the attack. We are in close contact with our security team on the ground to account for our staff.

We are incredibly saddened by this attack and are working as quickly as possible to account for our staff.   Their safety and security is our primary concern.

Counterpart International runs a civil society engagement program in Afghanistan to encourage peace, increase youth participation, strengthen rights, and improve opportunities for women. We have worked in Afghanistan for more than 12 years.  This attack is the first of its kind in our long history there.

Security while abroad, regardless of the basis of travel, is something that should always be addressed. Threats may not be centered or local to the area you are in; however, proximity and access by entities outside of specific areas should be considered. Like anything else, horrible events ebb and flow and are extremely hard to predict. Pre-deployment or pre-travel security training can be an integral part of mitigating these types of incidents.

Contact Form