The Luxembourg Job
Discover how a combined physical and social attack by a single member of our Swarm exposed network and process vulnerabilities.

For us, client confidentiality is key. So, while we can’t reveal names, know that the world’s leading organizations trust their offensive cybersecurity needs to us.
The focus of this attack was a large global financial organization.
The organization needed to assess the physical controls and local processes at their European remote offices, including an assessment of site security, physical vulnerabilities, untested environments and security blind spots.
Our cybersecurity specialist (let’s call him Doug) was dispatched to the client’s Luxembourg site for a physical security and social engineering engagement.
After deciding against entering via the slow-moving door of an underground car park, Doug simply gained access by tailgating a delivery driver into the reception area.
An empty room in a quiet part of the building was the chosen spot to set up a laptop, which then deployed a ‘dropbox’ preconfigured to attack the company’s domain in order to gain admin privileges.
As the scripts ran, Doug was able to sit at his post for almost three hours, entirely undisturbed. However, we have to admit that, in this case, things didn’t go exactly as planned.
Doug decided to explore the office, making sure his phone was set up to receive remote updates. After he had helped himself to coffee and chatted with the staff, the MD arrived and, as there was no record of Doug signing in at reception, was immediately suspicious.
Although he held up under some intensive questioning from the MD in a locked room, Doug decided the game was up when he saw two police officers entering the building. To prevent the situation from escalating, he produced his letter of authorisation, signed by the company’s Chief Technology Officer and validating what he was doing. His ‘get out of jail free’ card.
The MD was pleased to have identified Doug as an attacker, thinking he had managed to stop him before he could do anything malicious. That is, until Doug flashed his phone, still connected to the dropbox, which now displayed the message ‘Domain Admin Obtained’.
Doug managed to identify several weaknesses within the physical security posture and processes of the business, as well as finding a number of vulnerabilities on their network.
These vulnerabilities could easily have put the company at risk, not only by enabling access to sensitive information, but by giving permissions that could lead to the takeover of the network and, potentially, access to other areas of the business.
Following our thorough insights report, the organization took steps to prevent this from happening in a real-life scenario.
As you can see, our work isn’t just about sitting behind a screen. We also go on location to attack from every angle – whether it’s monitoring staff traffic, scoping entry and exit points or identifying and replicating staff lanyards.
Our proven expertise in conducting realistic physical security attacks will give you complete confidence in what should be your first line of defense.