Story image

Nation-state actors leverage insiders for economic espionage

01 Feb 2019

Article by Flashpoint Insider Threat Program principal advisor Eric Lackey

The term ‘insider threat’ often brings to mind an image of a disgruntled employee who abuses their internal privileges in an unsophisticated manner for personal gain. While insider threat certainly can manifest in this form, it can also take more coordinated, insidious forms when insiders act as agents of economic espionage.

Indeed, economic espionage has become such a pertinent issue for businesses and research institutions that on Jan. 7, the U.S. National Counterintelligence and Security Center (NCSC) launched an awareness campaign that aims to arm private-sector companies with information to help them better understand and defend against this threat.

While various countries have been known to conduct espionage, the U.S. NCSC notes that Chinese economic espionage operations are among the most active of any nation state. In 2017, the U.S.-China IP Commission estimated that Chinese intellectual property theft costs the U.S. economy between $225 billion and $600 billion annually. Much of this espionage is carried out through sophisticated cyber intrusions, but China has also been known to target corporate insiders in an effort to obtain intellectual property and trade secrets.

To better understand this development through the lens of insider threat, Flashpoint examined the targeting, objectives, recruitment efforts, tactics, and tradecraft of these recent espionage attempts:

Targeting and objectives

Recently reported cases involving China and China-based companies have made it increasingly apparent that Beijing’s objective is to acquire intellectual property to drive technological innovation, strengthen its dominance over global manufacturing, and modernise its military.

Although many aspects of the U.S. economy are of potential interest to state-sponsored actors, the U.S. government has identified a number of industries that may be more susceptible to economic espionage, including energy, biotechnology, defense technology, high-end manufacturing, and information and communications technology.

Insider recruitment

In many reported instances, Chinese operatives have leveraged social media to contact insiders at targeted organisations. One common tactic is for operatives to pose as researchers or academics and invite targeted individuals to speak at universities or institutes overseas in an effort to lower their guard and manipulate them into unwittingly divulging trade secrets.

In other cases, operatives been known to target Chinese nationals working at foreign companies by promising them high-salary positions in China if they exfiltrate intellectual property before leaving their current organisation.

Tactics and tradecraft

One of the main tactics observed in 2018 is the use of insiders to exfiltrate targeted information using email or external storage devices with the intent of bringing the acquired intellectual property back to China.

For example, in Dec. 2018, a Chinese national and U.S. resident was charged with stealing intellectual property from the U.S. petroleum company where he had worked until being offered a new job at a company in China. While working for the petroleum company, the individual downloaded hundreds of files containing proprietary manufacturing information and other trade secrets estimated to be worth over $1 billion USD.

Investigators believe that this individual intended to use the files to the benefit of his new employer in China. His ability to access and download such intellectual property—which was not relevant to his role at the company—shows why user-access management (UAM) is an essential measure for proactively combating insider threat.

In addition to leveraging company employees, Chinese economic espionage operations have also been known to steal information from company contractors and partners based in other countries. These types of incidents demonstrate why the scope of an insider threat program (ITP) should not be limited to company employees but also include any third parties with which a company is affiliated.

More sophisticated techniques such as steganography—the practice of concealing information within images and other types of files — have also been used by insiders as a means of disguising stolen assets. As organisations become more cognizant of the risk of insiders acting as agents of economic espionage, Flashpoint believes that steganography and other advanced methods of evading detection will become increasingly common.

Implications for defenders

Although numerous arrests have been made over the past year, China appears to have been relatively successful at leveraging insiders as part of its widespread economic espionage campaign directed against a variety of private- and public-sector industries.  The rise of insider threat as a vector for economic espionage underscores the importance of proactively combating insider threat as part of an organisation’s broader risk-management strategy. The most effective defence is a combination of insider-threat response policies, rapid identification and reporting of suspicious activities, and enterprise-wide investigative support. These defence requirements can only be met by a full-fledged ITP with access to up-to-date knowledge of the latest insider-threat tactics and relevant internal and external data.

Aerohive launches guide to cloud-managed network access control
NAC for Dummies teaches the key aspects of network access control within enterprise IT networks and how you can secure all devices on the network.
Sungard AS named DRaaS leader by Forrester
It was noted for its disaster-recovery-as-a-service solution’s ability to “serve client needs at all stages of their need for business continuity.”
Gartner: The five priorities of privacy executives
The priorities highlight the need for strategic approaches to engage with shifting regulatory, technology, customer and third-party risk trends.
Thycotic debunks top Privileged Access Management myths
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets.
Veeam reports double-digit Q1 growth
We are now focussed on an aggressive strategy to help businesses transition to cloud with Backup and Cloud Data Management solutions.
Paving the road to self-sovereign identity using blockchain
Internet users are often required to input personal information and highly-valuable data from contact numbers to email addresses to make use of the various platforms and services available online.
Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.