• Insight

Hybrid warfare

When the Cyber Threat Comes From the Inside

Would you like to earn millions of dollars? That is the pitch the operators behind the LockBit 2.0 ransomware are now making to recruit insiders – and there is no reason to believe that your company would not be targeted.

We all know the importance of good cybersecurity. Incident after incident shows us that technical systems and security solutions are vulnerable. Threat actors, such as criminal hackers and state actors, constantly look for vulnerabilities that give them access. Whether the purpose is to make money through a ransomware attack or to spy and steal valuable information, the consequences for the targeted company can be devastating. So we take precautions – technical precautions against these external, technical threats.

But What If the Risk Comes From the Inside?

The cyber threat landscape has changed: today’s methods are not exclusively technical or human, but a hybrid of both. The old truth that the human being is the weakest link still holds, and insider threats are among the fastest-growing categories of risk today. Yet few organizations dedicate resources to countering the problem. Nation-states and criminal organizations increasingly exploit human vulnerabilities to gain access to systems and information, using human intelligence (HUMINT) tradecraft and social engineering rather than, or in addition to, technical exploits.

In August 2020, the FBI arrested a Russian citizen who had been plotting a ransomware attack against the Tesla factory in Nevada. He had approached one of the employees and tried to bribe him to install the ransomware from inside the factory, bypassing Tesla’s technical security controls altogether. The attack failed, but only because the Tesla employee reported the approach to his manager, who contacted the FBI.

Bribing and Threatening Employees to Gain Access

This case shows clearly how today’s threat actors look for alternative routes in: bribing, or even threatening, employees. And it is not just “something that happens somewhere else”; it could happen anywhere and to anyone.

Two years ago, a Swedish IT consultant was arrested at a restaurant in Stockholm when he was in the middle of a meeting with a Russian intelligence officer. According to the Swedish security service, SÄPO, the IT consultant had been spying for Russia for almost two years. Charges were recently brought to the district court, though it is not yet known what the outcome will be.

One Malicious Insider Is Enough to Bring Down a Company

In 2010, the American company AMSC, which develops and produces wind turbine technology, was targeted by a Chinese company called Sinovel.

But let’s start from the beginning. A few years earlier, China had passed a clean energy law calling for wind farms across the country. This made China the hottest wind market in the world, with a new turbine going up somewhere in China every hour. Sinovel was AMSC’s largest client, and turbine production in China was about to start. Sinovel produced the hardware, and AMSC the electronic components.

The American company recognized that its turbine control software was its most critical intellectual property and therefore placed it under elevated security:

  • The source code was kept out of China in a research facility in Austria.
  • Only a small group of people had access to the code.
  • It was on a network isolated from the Internet.
  • The code itself was encrypted.

These were all good measures, but they were designed against outsiders and were insufficient against an insider. One of the employees at the research facility in Austria was paid by Sinovel to leak the code. Note that nothing in the list above constrains or records what a person with legitimate access does with the code once they have it; that is exactly the gap a recruited insider exploits. With the software in hand, Sinovel no longer needed AMSC, which lost its largest client. This led to an 84% drop in stock value and the layoff of 600 people – about two-thirds of the American company’s workforce. One malicious insider almost took down the entire company.

What Actions Can We Take to Prevent This Growing Risk?

To counter these threats, we need to understand the attackers and mirror their methods. Changes and new ways of working can feel overwhelming, so where do we even start? Our advice is: start somewhere, do something. Even understanding the problem is a start, and from there things can only improve.

Here are some recommendations on what to do:

  • Security Vetting: When hiring, ensure as far as possible that the person you are letting inside is loyal and trustworthy, and that they have no significant vulnerabilities (financial pressure, for instance) that someone else could exploit.
  • Continuity Plan: Vetting is not a one-off exercise. People are rarely disloyal or malicious from the start; life changes, financial or personal, can create incentives and make them vulnerable. Following up on the security vetting over time and taking care of your staff is a good investment.
  • Security Culture: Everyone in the organization needs to know that they matter and are part of the company’s security culture, since a chain is only as strong as its weakest link. A good security culture grows from awareness.
  • Awareness Training: Knowing who the threat actors are and which methods they use, including the bribery and recruitment approaches described above, helps us create an environment that is secure against both internal and external threats. An employee who recognizes an approach is far more likely to report it, as the Tesla employee did.
  • Top-Down: An Insider Prevention Program should be established at the top of the organization and include top management. Actions taken seriously at the top are far more likely to permeate the entire organization.

Malicious insiders are a major security issue, and the insider threat is a real challenge for organizations. Unfortunately, this is also a threat that is increasing in scale, scope, and sophistication. At Truesec Human Threat Intelligence, we are experts on threat actors, and we are here to help you create your own Insider Prevention Program to mitigate the risk.