
Nation-state actors leverage insiders for economic espionage

01 Feb 2019

Article by Flashpoint Insider Threat Program principal advisor Eric Lackey

The term ‘insider threat’ often brings to mind an image of a disgruntled employee who abuses their internal privileges in an unsophisticated manner for personal gain. While insider threat certainly can manifest in this form, it can also take more coordinated, insidious forms when insiders act as agents of economic espionage.

Indeed, economic espionage has become such a pertinent issue for businesses and research institutions that on Jan. 7, the U.S. National Counterintelligence and Security Center (NCSC) launched an awareness campaign that aims to arm private-sector companies with information to help them better understand and defend against this threat.

While various countries have been known to conduct espionage, the U.S. NCSC notes that Chinese economic espionage operations are among the most active of any nation state. In 2017, the U.S.-China IP Commission estimated that Chinese intellectual property theft costs the U.S. economy between $225 billion and $600 billion annually. Much of this espionage is carried out through sophisticated cyber intrusions, but China has also been known to target corporate insiders in an effort to obtain intellectual property and trade secrets.

To better understand this development through the lens of insider threat, Flashpoint examined the targeting, objectives, recruitment efforts, tactics, and tradecraft of these recent espionage attempts:

Targeting and objectives

Recently reported cases involving China and China-based companies have made it increasingly apparent that Beijing’s objective is to acquire intellectual property to drive technological innovation, strengthen its dominance over global manufacturing, and modernise its military.

Although many aspects of the U.S. economy are of potential interest to state-sponsored actors, the U.S. government has identified a number of industries that may be more susceptible to economic espionage, including energy, biotechnology, defense technology, high-end manufacturing, and information and communications technology.

Insider recruitment

In many reported instances, Chinese operatives have leveraged social media to contact insiders at targeted organisations. One common tactic is for operatives to pose as researchers or academics and invite targeted individuals to speak at universities or institutes overseas in an effort to lower their guard and manipulate them into unwittingly divulging trade secrets.

In other cases, operatives have been known to target Chinese nationals working at foreign companies by promising them high-salary positions in China if they exfiltrate intellectual property before leaving their current organisation.

Tactics and tradecraft

One of the main tactics observed in 2018 is the use of insiders to exfiltrate targeted information using email or external storage devices with the intent of bringing the acquired intellectual property back to China.

For example, in Dec. 2018, a Chinese national and U.S. resident was charged with stealing intellectual property from the U.S. petroleum company where he had worked until being offered a new job at a company in China. While working for the petroleum company, the individual downloaded hundreds of files containing proprietary manufacturing information and other trade secrets estimated to be worth over $1 billion USD.

Investigators believe that this individual intended to use the files to the benefit of his new employer in China. His ability to access and download such intellectual property—which was not relevant to his role at the company—shows why user-access management (UAM) is an essential measure for proactively combating insider threat.
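The access-management point above can be turned into a simple review: compare each download against the user's role entitlements and flag users whose download volume is far above normal. The code below is an added illustration, not Flashpoint's or any company's tooling; the roles, repositories, threshold and download events are all constructed for the example.

```python
"""Added example (not from the original article): flag file downloads that fall
outside a user's role entitlements or exceed a per-user volume threshold.
All roles, repositories and events below are constructed for illustration."""
from collections import Counter

# Hypothetical role-to-repository entitlements (constructed for the example).
ROLE_ENTITLEMENTS = {
    "process_engineer": {"process-docs", "safety"},
    "finance_analyst": {"finance"},
}
USER_ROLES = {"alice": "process_engineer", "bob": "finance_analyst"}
VOLUME_THRESHOLD = 100  # downloads per user in the review window (assumed)

# Constructed download events: (user, repository, file path).
# "bob" is a finance analyst pulling hundreds of manufacturing documents,
# the pattern described in the article.
SAMPLE_EVENTS = (
    [("alice", "process-docs", f"spec-{i}.pdf") for i in range(5)]
    + [("bob", "finance", "q3-budget.xlsx")]
    + [("bob", "process-docs", f"catalyst-formula-{i}.docx") for i in range(150)]
)


def find_out_of_role(events):
    """Return events whose repository is outside the user's role entitlements."""
    flagged = []
    for user, repo, path in events:
        allowed = ROLE_ENTITLEMENTS.get(USER_ROLES.get(user, ""), set())
        if repo not in allowed:
            flagged.append((user, repo, path))
    return flagged


def find_high_volume(events, threshold=VOLUME_THRESHOLD):
    """Return {user: count} for users whose download count exceeds the threshold."""
    counts = Counter(user for user, _, _ in events)
    return {user: n for user, n in counts.items() if n > threshold}


def review(events):
    """Combine both checks into one report for an access-management review."""
    return {"out_of_role": find_out_of_role(events),
            "high_volume": find_high_volume(events)}


if __name__ == "__main__":
    report = review(SAMPLE_EVENTS)
    print(f"out-of-role downloads: {len(report['out_of_role'])}")
    print(f"high-volume users: {report['high_volume']}")
```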

In addition to leveraging company employees, Chinese economic espionage operations have also been known to steal information from company contractors and partners based in other countries. These types of incidents demonstrate why the scope of an insider threat program (ITP) should not be limited to company employees but also include any third parties with which a company is affiliated.

More sophisticated techniques such as steganography—the practice of concealing information within images and other types of files—have also been used by insiders as a means of disguising stolen assets. As organisations become more cognizant of the risk of insiders acting as agents of economic espionage, Flashpoint believes that steganography and other advanced methods of evading detection will become increasingly common.

Implications for defenders

Although numerous arrests have been made over the past year, China appears to have been relatively successful at leveraging insiders as part of its widespread economic espionage campaign directed against a variety of private- and public-sector industries. The rise of insider threat as a vector for economic espionage underscores the importance of proactively combating insider threat as part of an organisation’s broader risk-management strategy. The most effective defence is a combination of insider-threat response policies, rapid identification and reporting of suspicious activities, and enterprise-wide investigative support. These defence requirements can only be met by a full-fledged ITP with access to up-to-date knowledge of the latest insider-threat tactics and relevant internal and external data.
