There’s almost certainly a spy in your office - it could even be you

spy
(Image credit: Shutterstock / rogistok)

It has long been understood that employees represent one of the greatest cybersecurity threats, whether malicious or simply negligent. However, fewer businesses might imagine their employees are being puppeteered by a foreign state.

A recent paper from the US Senate suggests advanced actors now regularly plant individuals in large organizations, with a view to stealing data and research that can be used for economic, scientific or military gain.

China, for example, is said to operate more than 200 different recruitment programs, the most elaborate of which is the Thousand Talents Plan, which is estimated to have recruited 7,000 operatives or more. And China is by no means the only country to engage in these behaviors.

According to security company Mandiant, businesses need to take the threat of espionage more seriously, in the same way they would any other kind of cyberthreat, and improve their ability to detect the warning signs early.

“Access rules the landscape,” explained Johnny Collins, who heads up the insider threat division at Mandiant. “Every insider has it and every attacker wants it.” 

“Over the years, I’ve worked with every kind of organization you can imagine, from casinos to government entities. There is always [espionage] activity; if you haven’t found it, it’s there.”

Espionage

The goal of these nation state campaigns is effectively to cut in line, says Collins; it’s both faster and cheaper to steal somebody else’s research and intellectual property than to build a competitive product or medicine from scratch.

The methods used to access the information they are looking for vary, but the reality of spying is much less glamorous than pop culture might suggest. In many cases, the spy doesn’t even know they are spying.

“A lot of people don’t understand that most employees are victims in this equation. They don’t know they are doing something wrong, because they are tricked into thinking they are doing something for the greater good,” Collins explained.

A common strategy among recruiters is to invite the target to attend an industry event, where they are approached and asked to moonlight as an adjunct professor, or endorse a certain initiative; in short, to enter into an arrangement. The beauty of this in-person approach is that there is no paper trail to alert the business to a potential threat.

secret files

(Image credit: Shutterstock / Fer Gregory)

Nation state recruiters have also been known to approach staff in broad daylight, via their corporate inbox, social media accounts or over the phone. But by the time the business has realized there is a problem, tens or even hundreds of emails may have passed back and forth.

At any one time, Collins told us, recruiters are likely targeting tens of different employees at any given company, using a scattergun approach to improve the likelihood of success, not dissimilar to phishing.

“Researchers and administrators are hot targets, folks with privileged access, but [recruitment] happens across the gamut. It just depends on the type of information the threat actor is after, and how quickly they intend to extract it,” he said.

In rare instances, when recruiters fail to gain access to an employee, they have been known to train up an individual specifically for the task. Known as “embeds”, these imposters are much closer to traditional spies and have a full understanding of the ambitions of their handlers.

“Sometimes, these embeds are quiet for a long time, even years. Then all of a sudden they gain access to the information they were recruited to hunt down, before disappearing into thin air. There is another level of tradecraft on display here.”

Setting up a defense

Mandiant research suggests insiders will be responsible for more than a third of security incidents in 2021, up from roughly 20% in previous years.

One of the main problems for security teams, though, is that differentiating between an insider incident versus an attack from a malicious third party can be extremely difficult.

For example, many companies were convinced the now infamous SolarWinds attack was the work of an insider. How else would someone know so much about their environment, they asked.

However, advanced actors are often able to “live off the land”; to use the tools already built into the system as opposed to bringing in their own, so as not to trip any alarms.

Like an insider, these actors know how to move around the network stealthily, perhaps suppressing security alerts or removing keywords from data they intend to exfiltrate so as not to trigger data loss prevention solutions.

To diagnose insider attacks effectively, businesses need to combine technology with vigilance and a commitment to educating employees about the dangers nation state recruiters can pose, Collins claims.

From a technology perspective, it’s about having the ability to identify activity on the network (e.g. file transfers or data duplication) that is outside the norm. And when this activity is discovered, to be able to either explain it or shut it down.

“You’ve got to ensure you have technology that allows you to collect certain information. One of the most common issues we encounter is employees creating inbox rules to forward email to their personal address, but detections should be in place to keep tabs on this kind of activity,” said Collins.

“It’s about having the insight to be able to say: that doesn’t make sense. Many businesses can recognize traditional ‘badness’ but fail to distinguish between activity that could be both legitimate or illegitimate, depending on context.”

Equally important, however, is training employees to recognize an unusual interaction with a third-party and establishing a simple mechanism for reporting suspicious encounters. A common mistake is for businesses to focus on one of these factors, but not the other, rendering the system ineffective.

Ultimately, says Collins, businesses are bound to encounter insider threat as a result of nation state recruitment, in the same way as cyberattacks are considered inevitable. The ability to defend appropriately depends on the energy they dedicate to raising awareness and putting protections in place.

“We like to say that the juice is worth the squeeze; whatever effort you put into addressing insider threat, you’re always going to get an equivalent return on investment.”

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.

Read more
Concept art representing cybersecurity principles
How to combat exfiltration-based extortion attacks
A wall of data on a large screen.
“It's the same doors that the good guys use, that the bad guys can walk through” - former White House tech advisor on data-centric security in the wake of Salt Typhoon
Hands typing on a keyboard surrounded by security icons
Infostealers on the rise: the latest concern for organizational defenses
Hack The Box crisis simulation event
“Everyone will experience a hack” - how incident response can protect your organization
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
An American flag flying outside the US Capitol building against a blue sky
US military and defense contractors hit with Infostealer malware
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why