The Danger Within: Key Takeaways From 3 Insider Threat Examples

From negligent employees to malicious nation-state actors, let’s explore 3 real-world insider threat examples and the lessons we can learn from them

Insider threats arise from the unauthorized use of access permissions by an employee or another network user. They can be unintentional or intentional cyber threats involving careless employees, legitimate employees with axes to grind, or other network users with egregious agendas. In any case, if left unaddressed, these threats can bring your organization to its knees.

As you’ll soon learn in the following insider threat examples, these insidious threats may not be as easy to identify as you may think. Explore a few examples of such threats and what you can do to identify and quickly deal with them.

Let’s hash it out.

A Look at 3 Recent Insider Threat Examples That Made Headlines

1. Verizon’s Employee Accesses Data They Shouldn’t

In February 2024, Verizon Communications Inc. informed the Office of the Maine Attorney General of a data breach involving the personally identifying information (PII) of more than 63,000 individuals (82 of whom were Maine residents). The incident, which took place in September 2023, wasn’t discovered until nearly three months later.

According to a sample letter provided to the AG (contributed by Vasileios Toulas at Bleeping Computer), “a Verizon employee obtained a file containing certain employee personal information without authorization and in violation of company policy.” Some types of employee information that may have been exposed include:

  • Names
  • Addresses
  • Social Security numbers (or other national identifiers)
  • Genders
  • Union affiliations
  • Dates of birth
  • Compensation information

Although admitting to any data breach is a bite of humble pie (no company wants the negative publicity, even if it hopes to be recognized for doing the right thing), this example is fairly mild as far as insider threat incidents go: a single employee, a single file, and no evidence the data left the company.

In a statement to Bleeping Computer, Verizon’s spokesperson Rich Young said the incident wasn’t thought to have been done with malicious intent, and that the company didn’t refer the incident to law enforcement. But it does make one wonder: what was the employee’s intent when accessing employee data “without authorization and in violation of company policy” as claimed in the sample letter?

Of course, we shouldn’t assume malicious intent (à la Hanlon’s Razor) when carelessness or incompetence explains the behavior just as well. But note that the controls that matter here are the same either way: the file was reachable by someone whose role didn’t require it, and the access went unnoticed for nearly three months. When the insider’s intent actually is malicious, things get considerably less simple.

2. KnowBe4 Hires Nation-State Actor Posing as Legitimate IT Worker

[Image: an illustration of a fake IT employee badge summarizing how North Korean nation-state actors remotely infiltrate U.S. companies.]
Data source: The U.S. Department of Justice’s May 16, 2024 press release “Charges and Seizures Brought in Fraud Scheme, Aimed at Denying Revenue for Workers Associated with North Korea.”

Even cybersecurity companies that specialize in identifying threats can fall prey to insider threats. KnowBe4, one of the world’s leading cyber awareness and training companies, recently shared some eye-opening lessons learned after discovering it hired a suspected nation-state actor.

The company thought it was hiring a U.S.-based worker for its Principal Software Engineer role. Instead, it hired an imposter from North Korea who used remote tools to mask his true location from his new employer.

According to the company’s previously mentioned blog post about the situation:

“On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST. When these alerts came in, KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.

The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX, including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20pm EST, SOC contained XXXX’s device.”

This incident is an example of a larger trend by North Korean nation-state actors to infiltrate U.S. businesses using so-called “laptop farms.” (I’ll speak more about those later.)  

The good news for KnowBe4 and its clients is that “no illegal access was gained, and no data was lost, compromised or exfiltrated on any KnowBe4 systems.” That’s great news, and it provided a great “lessons learned” moment to share with the industry.

KnowBe4’s situation is a great example of being on top of your company’s security and acting quickly and decisively in the face of extreme threats. It took approximately 25 minutes from the time the SOC detected the threat to when the team shut down the device. (Check out the link at the beginning of this section to read more about the incident and how KnowBe4 expertly took steps to address it before muck hit the fan.)

Now that we’ve seen a situation turn out positively overall, let’s look at another recent insider threat situation that didn’t go as smoothly for the company involved…

3. Google Software Engineer Indicted for Stealing AI IP For Chinese Startups

The U.S. Attorney’s Office for the Northern District of California alleges that a former Google employee stole info regarding the company’s artificial intelligence (AI) platform on behalf of two Chinese startup companies. The press release states that Linwei Ding, also known as Leon Ding, has been charged with four counts of trade secrets theft after stealing “over 500 confidential files containing AI trade secrets[.]”

The March 2024 indictment states that Ding began working at Google in May 2019 and began “uploading Google Confidential Information from Google’s network into a personal Google Cloud account (‘DING Account 1’) on May 21, 2022, and continued periodic uploads until May 2, 2023.”  

According to the indictment, Google monitors and logs “certain data transfers to and from Google’s network,” including file transfers to Google Drive and Dropbox. However, because of the way Ding processed the data before uploading it, he avoided immediate detection: the DOJ alleges he copied data from Google source files into the Apple Notes application on his Google-issued MacBook, converted the notes to PDF files, and uploaded those PDFs to his personal account. The transfer monitoring was watching for one shape of exfiltration, and the stolen material arrived in another.

During the period he was allegedly stealing data, Ding also participated in investor meetings in China for one of the companies, Beijing Rongshu Lianzhi Technology Co., Ltd. (“Rongshu” for short), where he was chief technology officer (CTO). He also pitched his second business at a Chinese startup incubation program for his second company, Shanghai Zhisuan Technology Co. Ltd. (“Zhisuan”), where he was acting chief executive officer (CEO).

Google caught wind that Ding was representing himself as the chief technology officer (CTO) of one of the Chinese startups, Rongshu. It conducted an internal investigation into Ding’s activities and then handed over its findings to the FBI.

‘Laptop Farms’ Enable Overseas Threat Actors to Appear as U.S. Workers

Data from Cybersecurity Insiders and Securonix shows that the share of surveyed organizations reporting insider attacks rose from 66% in 2019 to 76% in 2024. It isn’t the only way insider threats get into companies, but one method that makes life easier for overseas insiders is posing as domestic IT workers by way of the laptop farms mentioned earlier.

Laptop farms are discreet operations set up at residential or other unremarkable addresses throughout the U.S. that take advantage of companies’ remote IT hiring. They’re dummy locations where domestic conspirators host many laptops that legitimate U.S. companies shipped to their supposed new hires. The overseas operators access these U.S.-based proxy devices remotely, so from the employer’s side the traffic appears to come from a domestic address.

[Image: an illustration of how nation-state actors use laptop farms to remotely access companies and pretend to be legitimate employees.]
Image caption: A simplified illustration of a laptop farm and how cybercriminals overseas use it to remotely wreak havoc on U.S. companies.

In May 2024, the U.S. Department of Justice (DOJ) announced charges against five people thought to be involved in a massive fraud scheme built on North Korean insider threats. A woman in Arizona, Christina Marie Chapman, along with three unidentified foreign nationals, was charged in connection with helping North Korean IT workers pose as U.S. employees using stolen or “borrowed” identities. The fifth individual, Oleksandr Didenko, a Ukrainian national arrested in Poland, was charged with engaging in similar conduct.

The DOJ reports that more than 300 U.S. companies were defrauded in the scheme. According to the earlier-cited May 16 press release:

“The overseas IT workers […] were paid millions for their work, much of which has been falsely reported to the IRS and the Social Security Administration in the name of the actual U.S. persons whose identities were stolen or borrowed.”

Why Insider Threats Suck So Much for Companies and Their Customers

As you can see from these insider threat examples, these criminals’ activities don’t just mean bad headlines for your company. They also wreak havoc on businesses in a multitude of other ways:

  • Lost customer relationships
  • Reputational harm
  • Decreased sales and revenue
  • Non-compliance issues and penalties
  • Costly lawsuits, settlements, and other payouts

Last year, Ponemon Institute and DTEX reported that it took companies an average of 86 days to contain insider threat incidents once they were discovered. The average global cost? $701,500 per incident. But that’s not all. The report’s data shows that companies globally spent an average of $16.2 million over a 12-month period on “activities that deal with insider threats.” 

But insider threats aren’t necessarily in-and-out scenarios. Some are “long cons” that can last years or even decades.

What Your Company Can Do to Avoid or Mitigate Insider Threat Risks

Stu Sjouwerman, CEO of KnowBe4, provided some excellent tips and advice for businesses on how to thwart these types of threat actors in his blog post that I linked to earlier in section #2. It includes everything from IT prevention tips and insider threat indicators to look out for to recommended process improvements (including for HR). Be sure to read that article to read those specific tips.

Landon Winkelvoss, co-founder at Nisos Inc., responded to a LinkedIn post by investigative reporter Brian Krebs on KnowBe4’s situation. Winkelvoss (listed as “Landon W.” on LinkedIn) shared some additional recommendations for how companies can avoid falling for similar insider threats. One is to track where the laptop physically ends up rather than trusting the shipping address:

“We have detected patterns of ‘laptop farms’ derived from anomalies between the alleged location of the IT worker (fraudulent US person identities), the shipping address of the laptop, and the address listed on the I9 form.” — Landon Winkelvoss, co-founder at Nisos Inc.
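The cross-check Winkelvoss describes is easy to automate once HR, IT asset management and device telemetry data sit side by side. The script below is an added example for this article, not Nisos or KnowBe4 code. It compares the state on a hire’s I-9 paperwork with the laptop’s shipping state and with the states geolocated from the device’s VPN or MDM check-ins, and it adds the indicator the article describes for laptop farms: one shipping address receiving laptops for several different “employees.” The record layout, the field names and the sample hires are constructed for illustration; a real deployment would populate them from the HRIS, the asset system and the endpoint management platform.

```python
"""Cross-check where a remote hire claims to live, where IT shipped the laptop,
and where the laptop actually checks in from, flagging laptop-farm indicators.

Added example for this article, not code from Nisos or KnowBe4. The record
layout and the sample hires are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RemoteHire:
    employee_id: str
    claimed_state: str       # state on the I-9 / offer paperwork (assumed field)
    shipping_state: str      # state IT shipped the laptop to
    shipping_address: str    # full shipping address, normalized upstream (assumption)
    checkin_states: tuple    # states geolocated from the laptop's VPN/MDM check-ins


def hire_anomalies(hire):
    """Return anomaly labels for one hire (empty list if nothing stands out)."""
    findings = []
    if hire.claimed_state != hire.shipping_state:
        findings.append("shipping_state_differs_from_i9")
    if any(state != hire.claimed_state for state in hire.checkin_states):
        findings.append("device_checks_in_outside_claimed_state")
    return findings


def laptop_farm_addresses(hires, threshold=2):
    """Shipping addresses that received laptops for more than `threshold` distinct employees."""
    by_addr = defaultdict(set)
    for hire in hires:
        by_addr[hire.shipping_address].add(hire.employee_id)
    return {addr: sorted(ids) for addr, ids in by_addr.items() if len(ids) > threshold}


def review_hires(hires):
    """Map employee_id -> anomalies, including the shared-shipping-address indicator."""
    shared = laptop_farm_addresses(hires)
    report = {}
    for hire in hires:
        findings = hire_anomalies(hire)
        if hire.shipping_address in shared:
            findings.append("shipping_address_shared_with_other_hires")
        if findings:
            report[hire.employee_id] = findings
    return report


# Constructed sample data; not drawn from any real case.
SAMPLE_HIRES = [
    RemoteHire("E100", "WA", "WA", "12 Pine St, Seattle WA", ("WA", "WA")),
    RemoteHire("E101", "TX", "AZ", "77 Desert Rd, Phoenix AZ", ("AZ",)),
    RemoteHire("E102", "NY", "AZ", "77 Desert Rd, Phoenix AZ", ("AZ", "AZ")),
    RemoteHire("E103", "FL", "AZ", "77 Desert Rd, Phoenix AZ", ("AZ",)),
    RemoteHire("E104", "CO", "CO", "9 Aspen Ct, Denver CO", ("CO", "CA")),
]

if __name__ == "__main__":
    for emp, findings in review_hires(SAMPLE_HIRES).items():
        print(emp, ", ".join(findings))
```

Run as-is, the script flags E101 through E103 (paperwork in three different states, all laptops shipped to and checking in from one Phoenix address) and E104 (a single out-of-state check-in worth a conversation, not an accusation). State-level comparison keeps the check tolerant of ordinary travel; the shared-address indicator is the one that most directly matches the laptop-farm pattern.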

That’s definitely one useful approach. But what else can you do to avoid becoming the next insider threat example to make headlines?

  • Start an official insider threat program. The National Institute of Standards and Technology (NIST) describes an insider threat program as “A coordinated collection of capabilities authorized by the organization and used to deter, detect, and mitigate the unauthorized disclosure of information.” Gartner estimates that half of medium to large enterprises will adopt such formal programs by 2025. Let’s hope they’re right.
  • Include insider threats in your employee awareness training and exercises. Educate and train your employees to recognize and respond to potential insider threats. Sometimes, all it takes is one employee noticing something “off” to save your company thousands or even millions of dollars.
  • Cut off access by employees who have left your company. Once an employee leaves, have automated processes in place to immediately deactivate their login credentials. This mitigates the possibility of them coming back later and accessing things they should no longer have access to while also preventing those credentials, if leaked, stolen or sold, from being used by unauthorized third parties.
  • Wipe company data from former employees’ devices. Don’t forget to remove your data once they’re gone! Since they’re no longer employed by your company, they should no longer have your business-critical data or resources at their disposal, whether on a company laptop that hasn’t been returned or on a personal device enrolled in your mobile device management.
  • Implement robust access controls. This was definitely something KnowBe4 did right. Rather than giving new employees the keys to the entire kingdom, the company starts them out with restricted access and expands it as the role requires, which is why the fake hire had nothing worth stealing when the alerts fired.
  • Use strong user and device authentication measures. At this point, zero trust should be ubiquitous for businesses. With insider threats on the rise, security is no longer only about keeping external attackers out. As we’ve learned, threats can already be inside your network with valid credentials, so authenticate the device as well as the user and re-evaluate access per request rather than per login.
  • Utilize tools to detect and identify suspicious activities and behaviors. Having the right tools makes a huge difference in these situations. In KnowBe4’s case, the SOC team had not only the right tools but also the right processes in place to act within minutes. Useful categories include endpoint detection and response, data loss prevention, and behavioral analytics that watch for unusual activity entering and leaving your network.
  • Scan your remote employees’ devices regularly. Look for malware and any remote access tools or activities on those devices. KnowBe4 used that as an insider threat indicator, which helped its SOC team identify something suspicious about the company’s new IT remote worker.
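The last two items come down to having inventory data and a rule that turns it into a finding. The script below is an added example for this article, not KnowBe4’s tooling. It takes per-host records of running processes and listening ports, as an EDR or MDM platform would export them, and flags remote-control software that isn’t on the host’s approved list, plus the ports such software commonly listens on. The process names, the port-to-tool mapping, the record layout and the sample inventory are all constructed assumptions to be tuned to your own estate; a developer’s sanctioned sshd, for instance, should be approved rather than paged on every scan.

```python
"""Flag remote-access tooling on company laptops from endpoint inventory records.

Added example for this article, not KnowBe4's tooling. The tool names, ports,
record layout and sample inventory are constructed for illustration.
"""

# Executable names of common remote-control tools (assumed list; extend for your estate).
REMOTE_ACCESS_PROCESSES = {
    "anydesk", "teamviewer", "rustdesk", "remoting_host",   # remoting_host = Chrome Remote Desktop
    "vncserver", "x11vnc", "tightvncserver", "sshd",
}

# Ports these services commonly listen on, and the tool that would justify each (assumed map).
PORT_OWNER = {22: "sshd", 3389: "rdp", 5900: "vncserver", 5938: "teamviewer"}


def _basename(proc):
    """Normalize a process path to a lowercase executable name without .exe."""
    name = proc.replace("\\", "/").lower().rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def scan_host(record):
    """Return findings for one endpoint record.

    record layout (assumed): {"host": str, "processes": [str],
        "listening_ports": [int], "approved_remote_tools": set of tool names}
    """
    approved = record.get("approved_remote_tools", set())
    findings = []
    for proc in record["processes"]:
        name = _basename(proc)
        if name in REMOTE_ACCESS_PROCESSES and name not in approved:
            findings.append(f"unapproved_remote_tool:{name}")
    for port in record["listening_ports"]:
        owner = PORT_OWNER.get(port)
        if owner is not None and owner not in approved:
            findings.append(f"remote_access_port_open:{port}")
    return findings


def scan_fleet(records):
    """Map host -> findings for every host with at least one finding."""
    return {r["host"]: found for r in records if (found := scan_host(r))}


# Constructed sample inventory; not an export from any real system.
SAMPLE_INVENTORY = [
    {"host": "lt-eng-01",
     "processes": ["C:\\Program Files\\Slack\\slack.exe",
                   "C:\\Program Files\\AnyDesk\\AnyDesk.exe"],
     "listening_ports": [7070], "approved_remote_tools": set()},
    {"host": "lt-eng-02",                     # sanctioned SSH on a developer laptop
     "processes": ["/usr/bin/code", "/usr/sbin/sshd"],
     "listening_ports": [22], "approved_remote_tools": {"sshd"}},
    {"host": "lt-eng-03",
     "processes": ["/usr/bin/firefox"],
     "listening_ports": [], "approved_remote_tools": set()},
    {"host": "lt-eng-04",                     # VNC server nobody approved
     "processes": ["/usr/bin/x11vnc"],
     "listening_ports": [5900], "approved_remote_tools": set()},
]

if __name__ == "__main__":
    for host, findings in scan_fleet(SAMPLE_INVENTORY).items():
        print(host, ", ".join(findings))
```

On the sample data, lt-eng-01 is reported for AnyDesk and lt-eng-04 for an unapproved VNC server on port 5900, while the developer laptop with sanctioned SSH and the clean host produce nothing. Treat a hit as an insider threat indicator to be triaged with the user, the way KnowBe4’s SOC did, rather than as proof of anything; the value of the per-host approved list is that the same rule stays quiet where the tool is legitimately in use.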

Be sure to work on increasing your cyber resilience as well while you’re at it. Nowadays, cyber attacks are increasingly a matter of when rather than if. Knowing this, take steps to prevent attacks and malicious insiders, but also prepare for the day something gets through: know who contains a device, who talks to the user, and who makes the call when the user stops answering, as happened in the KnowBe4 incident.

That preparation is what lets you stay standing after a sock to the jaw instead of losing your bearings and struggling to cope with the situation.

Have other thoughts, tips, or recommendations for dealing with insider threats? Share your insights in the comments below.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.