Rogue One: A social engineering story | Titania

Warning: Star Wars spoilers ahead!

As with many of the Star Wars plots, the newest instalment of the franchise Rogue One: A Star Wars Story brings a lesson in attack techniques that the information security industry is already familiar with. Insider threat, social engineering, data breaches and corporate espionage are all common concepts in the cyber security world.

Recently we have seen breaches with devastating financial impact and complex campaigns conducted over years without any detection, deep in the networks of some of the world’s highest-ranking organizations. The Star Wars story serves as a demonstrative analogy to how highly targeted hacking operations take place nowadays.

Set between Star Wars: Episode III Revenge of the Sith and Star Wars: Episode IV A New Hope, Rogue One: A Star Wars Story is the background story to how Princess Leia finds herself in possession of the Death Star plans that eventually lead to its destruction.

The attack begins with a social engineering tactic, by which the Rebel Alliance use the daughter of Galen Erso, the scientist overseeing the project building the Empire’s weapon. Forming part of a larger agenda, Jyn Erso is used to steal the schematics for the superweapon. As the ultimate insider threat, Jyn’s father will be instrumental in the demise of the Death Star.


Footprinting is the gathering of information regarding a target and its environment. It can also include identifying the individuals with whom the attacker could establish a relationship, so as to improve the chances of a successful attack. Footprinting is what typically precedes a targeted attack.

A potential target’s profile can be harvested from information shared in the public domain. Footprint information can also be harvested using DNS interrogation techniques that delve deeper into the network. All this information is hugely valuable for an attacker with profiling the target network, its systems and individuals that can be socially engineered. 

Operation Monsoon, or Hangover was uncovered in 2016 by numerous security firms and was said to include some sophisticated malware, though its reporting capabilities had a “crude” C&C command and control server. However, the Monsoon group conducted a concerted campaign in targeting multiple sources within government department with spear-phishing campaigns built around military and political themes. As the operation ran successfully since 2010 there is evidence that carefully footprinting the network indicated what staff were likely to respond to.

Having recognised the destructive potential the Death Star may be yielding to entire planets, the Rebel Alliance send a squad of Rebel Soldiers led by Captain Cassian Andor and Sergeant Jyn Erso from the Yavin 4 hidden base to steal the construction plans from the Empire.


Another stage of a targeted campaign is network reconnaissance. This usually offers information on the network topology with ping sweeps to check what machines are alive, TCP scans on ports looking for services, UDP scans that send “bad” UDP packets to desired ports for OS identification.  Exploring and mapping the networks and getting access to the Windows Domain Controllers. Accessing domain controllers can yield usernames, system details and other information useful to an attacker. If an attacker is able to gain access to the password hashes, then they can be cracked offline.

In 2010 a Chinese hacking group started Operation Aurora which attacked and infiltrated second-tier defence industry suppliers in order to gain access to top-tier defence contractors. Water-hole techniques were used to target legitimate websites frequently used by company employees.

Once inside, attackers mapped out the network to further target the blueprints of a company's online presence: the source-code. By reaching the source code management system, the Chinese undercover operation gained access to intellectual property and was able to infiltrate malware down through the supply chain of the infected companies.

Recognizing the importance of the Death Star’s blueprints, the battle to steal them was the Rebellion’s first and most critical victory in their attempt to restore the Republic. After the plans were secured they were sent to the Tantive IV, the mobile headquarters for Bail Organa and his adoptive daughter Princess Leia. Later, in the sequel, Princess Leia is responsible for returning the plans to the Rebellion to be analysed.

Social Engineering, Privileged Access & Insider Threat

The most fundamental element of a threat is deeply human. As of 2016, a report by Accenture found that 69% of security executives have experienced an attempted theft or data corruption by insiders during the last 12 months.

The 2015 BlackEnergy campaign on the Ukrainian power grid used spear phishing for six months previous to the attack and exploited an MS Office Macro vulnerability on emails purportedly from the Ukrainian government. Upon infection, BlackEnergy3 opened a backdoor which allowed a modular component called KillDisk to wipe files from operator stations an render them inoperable. The campaign was well executed and used a combination of six months’ worth of spear-phishing with backdoor infiltration, which ultimately left 230 000 people in the dark the day before Christmas Eve last year.

When the Rebel Alliance intercepts communication that a rebellious captive orphan is the daughter of the scientist involved in the construction of the Death Star, Mon Mothma seizes an opportunity to use the girl in a social engineering attempt to exploit this relationship in furthering the Alliance’s cause in getting the plans.

It is revealed that the “insider threat”, Jyn’s father, had put in the fatal flaw that allows Luke Skywalker to blow up the Death Star later in A New Hope.

The stages identified in the Star Wars plot leading to the Death Star’s demise are not only available to criminals. Internal assessments including footprinting, host identification, service identification, network mapping and scanning are all performed as part of security assessments by security conscious organizations.

A fully comprehensive audit of systems and network infrastructure requires a configuration audit/build review, which would delve deeper than any scan could. Checking the actual fabric of your network and finding the gaps before a rogue one does, requires using an auditing tool such as Nipper Studio. Try your free trial today!