Story image

Nation-state actors leverage insiders for economic espionage

01 Feb 2019

Article by Flashpoint Insider Threat Program principal advisor Eric Lackey

The term ‘insider threat’ often brings to mind an image of a disgruntled employee who abuses their internal privileges in an unsophisticated manner for personal gain. While insider threat certainly can manifest in this form, it can also take more coordinated, insidious forms when insiders act as agents of economic espionage.

Indeed, economic espionage has become such a pertinent issue for businesses and research institutions that on Jan. 7, the U.S. National Counterintelligence and Security Center (NCSC) launched an awareness campaign that aims to arm private-sector companies with information to help them better understand and defend against this threat.

While various countries have been known to conduct espionage, the U.S. NCSC notes that Chinese economic espionage operations are among the most active of any nation state. In 2017, the U.S.-China IP Commission estimated that Chinese intellectual property theft costs the U.S. economy between $225 billion and $600 billion annually. Much of this espionage is carried out through sophisticated cyber intrusions, but China has also been known to target corporate insiders in an effort to obtain intellectual property and trade secrets.

To better understand this development through the lens of insider threat, Flashpoint examined the targeting, objectives, recruitment efforts, tactics, and tradecraft of these recent espionage attempts:

Targeting and objectives

Recently reported cases involving China and China-based companies have made it increasingly apparent that Beijing’s objective is to acquire intellectual property to drive technological innovation, strengthen its dominance over global manufacturing, and modernise its military.

Although many aspects of the U.S. economy are of potential interest to state-sponsored actors, the U.S. government has identified a number of industries that may be more susceptible to economic espionage, including energy, biotechnology, defense technology, high-end manufacturing, and information and communications technology.

Insider recruitment

In many reported instances, Chinese operatives have leveraged social media to contact insiders at targeted organisations. One common tactic is for operatives to pose as researchers or academics and invite targeted individuals to speak at universities or institutes overseas in an effort to lower their guard and manipulate them into unwittingly divulging trade secrets.

In other cases, operatives been known to target Chinese nationals working at foreign companies by promising them high-salary positions in China if they exfiltrate intellectual property before leaving their current organisation.

Tactics and tradecraft

One of the main tactics observed in 2018 is the use of insiders to exfiltrate targeted information using email or external storage devices with the intent of bringing the acquired intellectual property back to China.

For example, in Dec. 2018, a Chinese national and U.S. resident was charged with stealing intellectual property from the U.S. petroleum company where he had worked until being offered a new job at a company in China. While working for the petroleum company, the individual downloaded hundreds of files containing proprietary manufacturing information and other trade secrets estimated to be worth over $1 billion USD.

Investigators believe that this individual intended to use the files to the benefit of his new employer in China. His ability to access and download such intellectual property—which was not relevant to his role at the company—shows why user-access management (UAM) is an essential measure for proactively combating insider threat.

In addition to leveraging company employees, Chinese economic espionage operations have also been known to steal information from company contractors and partners based in other countries. These types of incidents demonstrate why the scope of an insider threat program (ITP) should not be limited to company employees but also include any third parties with which a company is affiliated.

More sophisticated techniques such as steganography—the practice of concealing information within images and other types of files — have also been used by insiders as a means of disguising stolen assets. As organisations become more cognizant of the risk of insiders acting as agents of economic espionage, Flashpoint believes that steganography and other advanced methods of evading detection will become increasingly common.

Implications for defenders

Although numerous arrests have been made over the past year, China appears to have been relatively successful at leveraging insiders as part of its widespread economic espionage campaign directed against a variety of private- and public-sector industries. 
The rise of insider threat as a vector for economic espionage underscores the importance of proactively combating insider threat as part of an organisation’s broader risk-management strategy. The most effective defence is a combination of insider-threat response policies, rapid identification and reporting of suspicious activities, and enterprise-wide investigative support. These defence requirements can only be met by a full-fledged ITP with access to up-to-date knowledge of the latest insider-threat tactics and relevant internal and external data.

Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.