0%
BACK TO OVERVIEW

€50,000 for the CTO. €500 for the Cleaner. Who Says No?

€50,000 for the CTO. €500 for the Cleaner. Who Says No?
Cleaner, USB Drive, Network Access – Access Granted

€50,000 for the CTO. €500 for the cleaner. Who says no?

Picture two scenarios. First: an attacker tries to bribe your CTO. He offers €50,000 to plug a USB stick into a computer just once — a standard, unremarkable-looking drive. What happens? The CTO laughs. He calls the security team. He has a good anecdote for the next conference. The attack fails before it even starts.

Second scenario: the same attacker. The same USB stick. The same ask — but this time directed at a cleaner employed by a subcontractor, someone who has been cleaning the same offices every Thursday evening for three years. €500 in cash. Plug this stick into any PC that's switched on. No need to know what it does. Just plug it in.

What happens? The honest answer: nobody knows. Because nobody has ever tested it. The cleaner has never attended a security briefing. She doesn't know what a USB stick means in the context of her work. She isn't covered by any internal policy. She has no escalation path. And she works for a subcontractor that may itself have subcontracted further — under a cleaning contract that contains not a single word about information security.

The weakest link in your security architecture is not the employee who writes their password on a sticky note. It's the person who comes into your offices every evening, has access to everything — and appears nowhere in your security concept.

∅ 15+
External contractors with physical building access at the average company
74%
Of all data breaches involve a human element (Verizon DBIR 2024)
45%
Of people plug in a found USB drive (Univ. Michigan / Illinois / Google study)
0
Security clauses in a typical cleaning contract

This is not a hypothetical. It's a documented attack pattern.

The idea of using cleaning staff or service workers as an attack vector sounds like a poorly written thriller. In reality, it's documented at the highest level.

Documented Case // Oracle vs. Microsoft, USA, 2000
Oracle hires detective agency — detective agency bribes cleaning staff
In 2000, Oracle Corporation admitted to having hired Washington-based Investigative Group International (IGI) to investigate pro-Microsoft lobby groups. IGI operatives attempted to bribe cleaning staff at the offices of the Association for Competitive Technology — paying for access to the contents of their wastepaper baskets. Oracle CEO Larry Ellison was unapologetic when confronted on CNN: "Should I feel bad that we've exposed Microsoft?" The Wall Street Journal, Washington Post, and New York Times all covered the case. Oracle's goal was to obtain documents embarrassing to Microsoft — and it was willing to pay service workers to get them.
Sources: Washington Post (28/06/2000) · Wall Street Journal · New York Times · TechLaw Journal
Documented Case // Mandiant Incident Response, 2025–2026
"Bribed employees" confirmed as an attack pattern in physical cyberattacks
In June 2026, Mandiant CTO Charles Carmakal confirmed to The Register: "Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks." In the context of attacks by UNC3753 (Silent Ransom Group) — which targeted dozens of banks, law firms, and professional services companies in the US — bribery was described as a documented method for achieving physical network compromise. The combination of digital social engineering and physical access is classified by Google Threat Intelligence as a significant escalation.
Source: The Register, 05/06/2026 · Google Mandiant Threat Intelligence

Two cases, 25 years apart. The same underlying principle: anyone who can buy access doesn't need to hack it. And when buying, you buy where the price is lowest and the protection is weakest.

Wikipedia has documented this pattern under "Industrial Espionage" for years: "Information is commonly stolen by individuals posing as workers, such as cleaners or repairmen, gaining access to unattended computers and copying information from them." It's no coincidence that cleaning staff and maintenance technicians are mentioned explicitly — they are structurally the least controlled people with the most comprehensive physical access.

Why a rational attacker would never bribe the CTO

Security professionals often model threats through the lens of a technically sophisticated, well-resourced attacker: zero-days, APT groups, months of infiltration. What gets missed: attackers are economically rational too. They optimise their return on investment just like any business — and attacking the strongest link in a chain is always poor economics.

Technical Attack
Zero-Day + Infrastructure
Targeting the strongest link
Zero-day exploit (e.g. unpatched VPN software): €50,000–€500,000
C2 infrastructure, malware development, OPSEC: €10,000–€50,000
Time to execution: weeks to months
Risk: EDR detection, forensic traceability, criminal prosecution
Barrier: technical security measures, monitoring, incident response
Entry barrier: HIGH · Risk: HIGH
Physical Supply Chain Attack
Bribery + USB Device
Targeting the weakest link
Rubber Ducky / O.MG Cable / BadUSB device: €50–€200
Bribery sum (service worker): €200–€2,000
Time to execution: days
Risk: minimal forensic trace; intermediary carries prosecution risk
Barrier: supplier contract clauses, awareness training, escort policy
Entry barrier: LOW · Risk: LOW

The asymmetry is stark. An attacker with a €5,000 budget, a commercially available BadUSB device, and an envelope of cash can achieve the same initial access as a nation-state threat actor with months of preparation — if the company hasn't extended its security perimeter to cover its supply chain.

The key point is not the bribe amount. It's the fact that the cleaner isn't making a decision against your company — she's making a decision for herself. €500 for something she doesn't understand and that carries no visible consequences for her. Any security concept that doesn't address this decision logic has a hole in it.

Plug in. Done. The rest runs itself.

The alarming thing about a BadUSB attack: the person plugging in the device has to do absolutely nothing beyond the act of plugging it in. No click. No password. No further action required. The device takes over.

A Rubber Ducky, an O.MG Cable, or a commercially available BadUSB device doesn't register as a storage medium when inserted — it registers as a keyboard. Keyboards are accepted by Windows, macOS, and Linux without question, because they are treated as trusted input devices. What follows is an automated sequence of keystrokes: open PowerShell, download payload from the network, execute. This takes seconds. The payload can be a reverse shell, a keylogger, a ransomware dropper, or a silent reconnaissance tool that spreads through the network.

The FBI's 2022 warning about FIN7 describes exactly this scenario: the group mailed weaponised USB drives to US companies in defence, transport, and insurance — packaged in boxes mimicking deliveries from Amazon or the Department of Health and Human Services. The goal: get any employee to plug the drive in out of curiosity. The success rate was high enough to make it a primary attack channel.

For a cleaner plugging in a drive, there is no visible difference from a normal USB stick. The device does nothing visible. No window opens. No alarm sounds. Nothing happens — except that in the background, a network foothold has been established in seconds. The technical detail on BadUSB, Rubber Ducky, and O.MG Cable is covered in the post on Rogue Devices.

Why your security concept ends at reception

Most companies have a security concept for their employees: awareness training, acceptable use policies, badge policies, offboarding processes. What these concepts share: they stop at the employee boundary. External contractors are a different category — and in that category, there is structural blindness.

Group Physical Access Security Onboarding In Security Concept Contractually Covered
Permanent employees Badge, role-based ✓ Standard ✓ Complete ✓ Contract + AUP
Temporary staff Badge, often broad Partial Partial Patchy
IT contractors / MSPs Privileged, often remote + physical Rarely Rarely Patchy
Cleaning staff (direct) Full, uncontrolled, evenings Almost never Almost never Almost never
Cleaning staff (sub-sub) Full, uncontrolled Never Never Never
Maintenance technicians (external) Full incl. plant rooms Never Rarely Rarely

The subcontractor problem

The gap deepens when you look at the subcontractor chain. Your company has a contract with a cleaning firm. The cleaning firm employs staff — some directly, some through subcontractors. Of the five people cleaning your building on Monday, how many are directly employed? How many come through a subcontractor chain? Who has vetted those subcontractors? Who is liable if one of them plugs something in?

NIS2 and equivalent supply chain security regulations answer this clearly: you do. As the operator of the infrastructure, you bear responsibility for the security of your supply chain — including facility providers, cleaning companies, and their subcontractors. A cleaning contract without security clauses is not a trivial oversight. It is a documented compliance gap.

The uncomfortable question for every company: how many people have access to your offices tonight — and how many of them do you know by name? Cleaning, security guards, building services, night porter, maintenance contractors. The number is regularly higher than expected. And for most of them, there is no procedure that would prevent or even detect a bribery attempt.

What actually helps — and why most companies don't do it

The countermeasures are not complex. They don't require a new technology stack. They require a conscious decision to extend the security perimeter to external contractors — and the consistent implementation of that decision in everyday operations.

  • Security clauses in every contractor agreement: Every cleaning contract, every facility contract, every maintenance contract contains explicit requirements: no personal devices, no manipulation of IT equipment, mandatory reporting of unusual incidents, and the obligation to pass these requirements on to subcontractors. No contract without these clauses.
  • USB port blocking as a technical backstop: No operating system should automatically accept unknown USB devices as keyboards. Endpoint policies that only allow authorised USB devices are the technical layer — they don't replace organisational measures, but they limit the damage when everything else fails.
  • Physical port locks on exposed workstations: Devices left unattended overnight — particularly in shared spaces, reception areas, or open-plan offices — should have physically locked USB ports. Inexpensive. Effective. Consistently overlooked.
  • Supervision in sensitive areas: Server rooms, data centres, and network plant rooms are not left unaccompanied during cleaning. This sounds obvious. In practice, it is rarely enforced.
  • Complete inventory of all external access holders: Who comes into the building, when, from which company, through which contract chain? This list doesn't exist in complete form at most companies. It is the foundation for everything else.
  • Physical pentest with supply chain component: The only way to know whether any of this holds is to test it — with real scenarios that include the contractor channel. A test that assesses whether a bribery attempt against a service worker would succeed reveals what audits and checklists never can: whether the processes hold in the real moment.

Most of these measures are inexpensive. What they cost is a conscious decision to treat cleaning staff, facility contractors, and maintenance technicians as part of your security architecture — not as people who go home in the evening and thereby exit your security perimeter.

Conclusion: Your perimeter doesn't end at the front door.

Security architectures are built against attackers who behave as expected: strong passwords, phishing-resistant MFA, EDR on all endpoints, penetration tests for the web application. All of this protects against an attacker who targets your strongest lock. It does not protect against an attacker who takes the back door.

And the back door is open. Every evening. To the people your company knows best and controls least: those who keep the offices clean, maintain the HVAC, inspect the lifts. Their physical access is unrestricted. Their security awareness is untrained. Their contracts contain no security requirements. And their willingness to help an attacker — without understanding that they're doing so — is an open question that most companies have never asked.

The question "Would our cleaner plug in a USB drive if someone asked them to?" is not rhetorical. It is a security test. Anyone who hasn't run it doesn't know the answer.

Further reading: what BadUSB devices technically do is explained in the post on Rogue Devices. How attackers gain physical access through pretexting is covered in the post on the Legend. And what NIS2 specifically requires on supply chain security is explained in the post on Physical Compliance.

Do you know who's in your offices tonight?

We test whether your security perimeter covers external contractors — with physical pentests that include supply chain scenarios and social engineering attempts against service staff.

Request Physical Pentest →
Tags // #SocialEngineering #Awareness #PhysicalPentest #CriticalInfrastructure #BuildingSecurity #RedTeam #NIS2 #SupplyChain #InsiderThreat

© AccessGranted X GmbH